Yep, he tried to bypass Windows Defender to make the payload run in memory by converting his payload to Base64, I see (based on the PowerShell command).
With those strong packers I don't think it's possible to unpack that crap.
This malware belongs to some famous coders; he sells it for over $100. I somehow managed to steal it from someone who bought it.
It's malware that uses PowerShell; it only accesses the clipboard to replace it but doesn't steal data.
I don't know more about it. The packer had me so confused. Unpack it if you can.
Edit: if it gets unpacked I will share the seller's website!
Just have some more little questions about the firewall rules. So, as I see it, I just need to create 2 new rules to BLOCK all incoming and outgoing connections, as I posted one post above.
It seems that I also need to change the firewall settings themselves for all domains, which means I have to 1) enable the firewall and 2) set the inbound and outbound connection settings to block. Maybe it's just optional, so I'm not sure yet whether it's enough to ENABLE the firewall and create my 2 rules which should block all.
Now I was looking at how I can find out the firewall settings to back them up before I change them. As I see it, I can read them from the registry and change them there.
So that means I can read the parameters from the registry for all 3 domains, which I can back up so far. So my question now is whether I "must or must not" change the main inbound and outbound parameters (to any state) IF I have created my own block rule? It's a bit confusing. Let's say I just enable the firewall for all domains and the inbound and outbound settings above are set to allowed, BUT I have created an inbound and outbound rule to Block All. What happens then? Otherwise, when I set the inbound setting to Block All, then I also don't need to create a rule for inbound. So in the end I just want to block all inbound and outbound connections and then restore the original state afterwards. If anyone has some more hints on how the settings here must be set correctly to Block ALL (in/out/under/over/whatever direction they are coming from), then just tell me.
PS: Does it play a role whether I enable the firewall with the netsh command (CreateProcess/Cmd) or change it directly in the registry (using the Reg functions to set it)? I must use the Reg functions to read the states.
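As an added example (not from this thread), here is one defender-style way to do what the post describes, a host-isolation backup, block-all, restore cycle, using the documented Windows Firewall cmdlets and netsh rather than direct registry writes, which bypass the firewall service. The backup path and rule name are placeholders; it assumes an elevated PowerShell session on a Windows version with the NetSecurity module.

```powershell
# Added example: back up, lock down, and restore the Windows Firewall profiles.
# Assumes an elevated PowerShell session with the NetSecurity module (Windows 8 / Server 2012 or later).
# $BackupDir and $RuleTag are placeholder values chosen for this example.
# Note: a block-all outbound policy also cuts RDP/WinRM, so run this from a console session.

$BackupDir = "C:\fwbackup"          # placeholder backup location
$RuleTag   = "IsolationBlockAll"    # placeholder rule name prefix
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Backup-FirewallState {
    # 1) Full policy export (rules + profile settings) through the firewall service; restorable with "import".
    netsh advfirewall export "$BackupDir\policy.wfw" | Out-Null
    # 2) Per-profile defaults kept separately so each of the three profiles can be inspected or restored alone.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
        Export-Clixml -Path "$BackupDir\profiles.xml"
}

function Enable-BlockAll {
    # Profile defaults: firewall on, deny inbound and outbound traffic unless a rule allows it.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
    # Explicit block rules on top. Windows evaluates Block rules before Allow rules, so these still
    # win if the profile default is left on Allow or an existing Allow rule matches the traffic.
    foreach ($dir in "Inbound", "Outbound") {
        New-NetFirewallRule -DisplayName "$RuleTag-$dir" -Direction $dir -Action Block `
            -Profile Any -Enabled True | Out-Null
    }
}

function Restore-FirewallState {
    # Drop the isolation rules, then put each profile's original defaults back.
    Remove-NetFirewallRule -DisplayName "$RuleTag-*" -ErrorAction SilentlyContinue
    foreach ($p in Import-Clixml -Path "$BackupDir\profiles.xml") {
        Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled `
            -DefaultInboundAction $p.DefaultInboundAction -DefaultOutboundAction $p.DefaultOutboundAction
    }
    # Alternatively restore everything at once from the full export:
    # netsh advfirewall import "$BackupDir\policy.wfw"
}

Backup-FirewallState
Enable-BlockAll
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
# ... run the isolated task here ...
Restore-FirewallState
```

With the profile default set to Block, the extra rules are redundant; they are kept so the lockdown holds even if another tool flips the default back to Allow.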