Found malware configuration
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges