(ContextInfo:\:\\Windows\\System32\\wsmprovhost.exe* OR ContextInfo:\:\\Windows\\SysWOW64\\wsmprovhost.exe*) ((Payload:value=\"\(get\-location\).path* OR Payload:value=\"\(get\-item*\).length* OR Payload:Invoke\-Binary\ * OR Payload:Donut\-Loader\ \-process_id*\-donutfile* OR Payload:Bypass\-4MSI* OR Payload:IEX\ \(\[System.Text.Encoding\]\:\:ASCII.GetString\(\[System.Convert\]\:\:FromBase64String\($a\)\)\).replace\('***',''\)*) OR (Payload:$servicios\ =\ Get\-ItemProperty\ \"registry\:\:HKLM\\System\\CurrentControlSet\\Services\\\"* Payload:Where\-Object\ \{$_.imagepath\ \-notmatch\ \"system\"\ \-and\ $_.imagepath\ \-ne\ $null\ \}\ |\ Select\-Object\ pschildname,imagepath*) OR (Payload:$a\ \+=\ \ \\\"$\($_.FullName.Replace\('\\','\/'\)\)\/\\\"\}else\{\ \ $a\ \+=\ \\\"$\($_.FullName.Replace\('\\',\ '\/'\)\)\\\"\ \}* Payload:$a=@\(\);$*))